Plus: A SpaceX supplier ransom, critical vulnerabilities in dozens of Android phones, and more.

What’s more controversial than a popular surveillance camera maker that has an uncomfortably cozy relationship with American police? When ransomware hackers claim to have breached that company—Amazon-owned camera maker Ring—stolen its data, and Ring responds by denying the breach.

But we’ll get to that.

Five years ago, police in the Netherlands caught members of Russia’s GRU military intelligence red-handed as they tried to hack the Organization for the Prohibition of Chemical Weapons in The Hague. The team had parked a rental car outside the organization’s building and hid a Wi-Fi snooping antenna in its trunk. Within the GRU group was Evgenii Serebriakov, who was caught with further Wi-Fi hacking tools in his backpack.

Since then, surprisingly, Serebriakov has only risen in status. This week, Western intelligence sources told WIRED that Serebriakov is now the new leader of one of the world’s most aggressive hacking units. Serebriakov took over Sandworm, which is responsible for some of the worst cyberattacks in history, in the spring of 2022. His elevation to the senior role, experts say, shows how small the pool of skilled nation-state hackers is likely to be and demonstrates Serebriakov’s value to Russia.

Nowhere on the internet is free from threats—and that includes LinkedIn. This week we looked at how spies, scammers, and hackers from Iran, North Korea, Russia, and China are using the professional network to scout and approach intelligence targets. In addition, LinkedIn is plagued with thousands of suspicious accounts; it removed hundreds from WIRED’s profile when we reported them.

The Western clampdown on TikTok is continuing—this week the UK joined the US, Belgium, Canada, and the European Union in banning the social media app from being used on government devices. But in the US, Senator Mark Warner is trying to pass legislation, in the guise of the bipartisan Restrict Act, that will allow officials to ban apps and services from six “hostile” nations: China, Russia, North Korea, Iran, Cuba, and Venezuela. We sat down with Warner and asked about the plans.

A WIRED analysis of “cybercrime” cases across the US shows how vague and wide-ranging the term can be. Without a clear and universal definition of cybercrime, human rights and civil liberties issues may expand globally. Speaking of criminals, scammers are getting better at using voice deepfakes to con people. And ransomware gangs are sinking to a new deplorable low. As more and more companies and organizations refuse to pay ransoms, criminal gangs are increasingly using extortion as leverage: they are now releasing photos stolen from cancer patients and sensitive student records. 

But wait, there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

ALPHV, a prolific group of hackers who extort companies with ransomware and leak their stolen data, said earlier this week that it had breached security camera maker Ring and threatened to dump the company’s data online if it doesn’t pay. “There’s always an option to let us leak your data …” the hackers wrote in a message to Ring on their leak site. Ring has so far responded with a denial, telling Vice’s Motherboard, “We currently have no indications of a ransomware event,” but it says it’s aware of a third-party vendor that has experienced one. That vendor, Ring says, doesn’t have access to any customer records. 

Meanwhile, ALPHV, which has previously used its BlackCat ransomware to target companies like Bandai Namco, Swissport, and hospital firm Lehigh Valley Health Network, stands by its claim to have breached Ring itself, not a third-party vendor. A member of the malware research group VX-Underground shared with WIRED screenshots of a conversation with an ALPHV representative who says that it’s still in “negotiations” with Ring.

Amid the ongoing ransomware epidemic, it’s no surprise that Ring isn’t alone in facing extortion problems. So too is Maximum Industries, a supplier of rocket parts for Elon Musk’s SpaceX. The hackers, a well-known ransomware gang known as LockBit, taunted Musk on their website, threatening to sell the stolen information to the highest bidder if Maximum doesn’t pay by their March 20 deadline. “I would say we were lucky if Space-X contractors were more talkative. But I think this material will find its buyer as soon as possible,” the hackers wrote. “Elon Musk we will help you sell your drawings to other manufacturers.”

Google’s Project Zero, its security research team devoted to finding unknown vulnerabilities in widely used tech products, warned Thursday that it had discovered severe hackable flaws in Samsung chips used in dozens of Android devices. In total, the researchers found 18 distinct vulnerabilities in Samsung’s Exynos modems for smartphones, but they say that four of them are particularly critical and would allow a hacker to “remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” Project Zero only rarely publishes information on unpatched vulnerabilities. But it says that it gave Samsung 90 days to fix the flaws, and it hasn’t yet. A bit of public shaming, perhaps, might spur Samsung to move faster to protect Google’s users from an insidious form of attack.

Since 2017, the cryptocurrency “mixer” service ChipMixer quietly grew into a powerhouse of cryptocurrency money laundering, taking in users’ coins, mixing them with others and then sending them back to obscure the money’s trail across blockchains. In the process, the Department of Justice says it laundered $3 billion worth of criminal funds, including ransomware payments, North Korean hackers’ stolen loot, and even profits from the sale of child sexual exploitation materials. Now, in a bust carried out by multiple European law enforcement agencies and coordinated by Europol as well as the FBI and DHS, ChipMixer has been taken offline and its infrastructure seized. The site’s alleged creator, 49-year-old Vietnamese national Minh Quốc Nguyễn, remains out of reach: He’s been charged with money laundering only in absentia. 

But the most intriguing result of the case may have more to do with the meltdown of the now notorious cryptocurrency exchange FTX: A portion of FTX’s funds that were stolen in the midst of its bankruptcy proceedings in November were funneled into ChipMixer. Seizing the servers of that mixing service may well foil the FTX thieves’ attempt to evade tracing and help solve one of the central mysteries of that high-profile heist.

Only in the cryptocurrency world, where thefts of more than half a billion dollars now occur multiple times a year, does the stealing of $200 million merit the lowest spot on a news roundup. Early this week, the distributed trading protocol Euler Finance lost nearly $200 million in cryptocurrency to hackers who found a vulnerability in its code. At first, Euler, the company behind that protocol, offered to let the hackers keep $20 million if they returned the rest of the funds. But after that offer was ignored—in fact, the hackers have sent the funds to the Tornado Cash mixing service in the hopes of covering their tracks—the firm has announced a $1 million bounty on the hackers’ heads.

Security News This Week: Ring Is in a Standoff With Hackers

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.

Thursday, March 16, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

We’re written a ton about Cisco Talos’ support of Ukraine and our friends and allies there. Now, we encourage you to watch and listen to the folks who have been working hands-on there.

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine to help defend critical infrastructure, intelligence partners and government agencies in Ukraine. You can watch the full documentary above, or over on YouTube here.

**The one big thing**

We have new research out on a never-before-seen threat actor called YoroTrooper that’s carrying out a variety of espionage activity in Europe and Asia. This group has targeted several high-profile government organizations, including one in the European Union, stealing sensitive information such as login credentials, browser histories and cookies, system information and screenshots.

**Why do I care?**

While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, we believe this is a new cluster of activity from an entirely new threat actor. YoroTrooper is clearly going after major targets and has already been successful, so everyone should be on the lookout for these attacks, but especially users and organizations in Commonwealth of Independent States (CIS) countries.

**So now what?**

YoroTrooper creates malicious domains and spoofs commonly visited URLs that look like they belong to government agencies in the targeted countries to host its malware. So any time you go to open an email attachment or click on a link in an email, triple check to make sure it’s really where you want to go, or that you can verify the sender. Additionally, the blog outlines a range of protections in Cisco Secure products that can defend and detect this group’s actions.

**Top security headlines of the week**

The APLHV ransomware cartel claims to have **successfully stolen data belonging to Amazon’s Ring smart home company.** The ransomware gang’s dark website threatened to leak the data earlier this week, though it showed no evidence of a successful attack. Ring said on Tuesday that it had “no indications that Ring has experienced a ransomware event.” ALPHV, which is known for the BlackCat malware, usually encrypts targets’ data and threatens to leak the stolen information if the victim does not pay the requested ransom payment. Politico also reported this week that Ring will openly share recorded footage with local law enforcement, even if the camera’s user declines to do so, sparking questions about who owns security footage on private property and whether users are compelled to share those recordings. (Vice, TechCrunch, Politico)

Sensitive information from D.C. Health Link — the online health insurance marketplace for Washington, D.C. — is **reportedly for sale on the dark web,** potentially affecting White House staff and members of Congress. An internal memo last week warned of a "significant data breach” that potentially exposed the personal information of thousands of federal employees and warned potential victims that their data may have been compromised. As many as 21 members from the U.S. House and Senate could be affected, all of whom get their insurance through the program. In all, 56,415 customers were affected, according to the exchange. (CBS News, Roll Call)

Microsoft **released its monthly security update Tuesday,** disclosing 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months. Two of the vulnerabilities included in March’s security update have been exploited in the wild, according to Microsoft, including one critical issue. One of the zero-days included this month, CVE-2023-23397, is a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary. To trigger this vulnerability, a user doesn’t even need to open the email or preview it, the vulnerability is triggered as soon as the email is retrieved by the targeted email server. (Cisco Talos, SecurityWeek)

**Can’t get enough Talos?**

*   Talos Takes Ep. #130: There’s not actually more spam during tax season, just different spam
*   Researcher Spotlight: How David Liebenberg went from never having opened Terminal to hunting international APTs
*   YoroTrooper cyberspies target CIS energy orgs, EU embassies
*   YoroTrooper Espionage Campaigns Target CIS, EU Countries
*   Updated Prometei botnet evades defenses, mines Monero

**Upcoming events where you can find Talos**

**WiCyS (March 16 - 18)**

Denver, CO

**RSA (April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

Hornetsecurity research highlights that more than 1 in 4 companies have fallen victim to ransomware attacks, with 14.1% losing data and 6.6% paying a ransom.

**LONDON****,** **March 15, 2023** **/PRNewswire/ --** Global cybersecurity provider Hornetsecurity has today announced the launch of VM Backup V9 – the newest version of its award-winning virtual machine (VM) backup, replication and recovery solution.

This latest iteration offers ransomware protection leveraging immutable cloud storage on Wasabi and Amazon S3, with Microsoft Azure soon to follow. This new key feature enables customers to protect their backup data from ransomware by making their data tamper-proof for a defined period.

A recent Hornetsecurity study revealed that 15% of ransomware attacks specifically targeted backups, highlighting the essential need for immutable backups , which forms a key part of the V9 update.

Hornetsecurity CEO, Daniel Hofmann, said: "Data breaches and ransomware cost businesses millions of dollars every year. It's vital that organisations take preventative measures and are protected with the latest technology. We're excited to launch VM Backup V9, which provides reassurance to our customers and partners that their virtual machine data backups are protected against ransomware attacks. It also addresses the latest compliance regulations in data security and data protection."

**Ransomware protection**

Immutable Cloud Storage gives users ongoing access to their data without the need to pay a ransom if targeted by ransomware. This newest feature ensures that backup data becomes tamper-proof, as it cannot be modified or deleted by any user, including administrators and root users.

**Easy installation and newly overhauled backup repository**

VM Backup V9 has an easy-to-use, intuitive interface that gives individuals full control, allowing them to monitor and manage all Hyper-V and VMware VMs from a single console.

V9 can now handle larger infrastructure setups. Its overhauled backup repository optimises disk space, ensuring more robust long-term storage. In addition, background operations can now run in parallel with other ongoing backup and restore processes.

Hornetsecurity provides outstanding support 24 hours a day, 7 days a week, with a guaranteed call response time of less than 30 seconds.

**Learn more about Hornetsecurity's VM Backup V9** here.

**About Hornetsecurity**

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Hornetsecurity Launches VM Backup V9

Russia, North Korea, Iran, and China have been caught using fake profiles to gather information. But the platform’s tools to weed them out only go so far.

There is nothing immediately suspicious about Camille Lons’ LinkedIn page. The politics and security researcher’s profile photo is of her giving a talk. Her professional network is made up of almost 400 people; she has a detailed career history and biography. Lons has also shared a link to a recent podcast appearance—“always enjoying these conversations”—and liked posts from diplomats across the Middle East.

So when Lons got in touch with freelance journalist Anahita Saymidinova last fall, her offer of work appeared genuine. They swapped messages on LinkedIn before Lons asked to share more details of a project she was working on via email. “I just shoot an email to your inbox,” she wrote.

What Saymidinova didn’t know at the time was that the person messaging her wasn’t Lons at all. Saymidinova, who does work for Iran International, a Persian-language news outlet that has been harassed and threatened by Iranian government officials, was being targeted by a state-backed actor. The account was an imposter that researchers have since linked to Iranian hacking group Charming Kitten. (The real Camille Lons is a politics and security researcher, and a LinkedIn profile with verified contact details has existed since 2014. The real Lons did not respond to WIRED’s requests for comment.)

When the fake account emailed Saymidinova, her suspicions were raised by a PDF that said the US State Department had provided $500,000 to fund a research project. “When I saw the budget, it was so unrealistic,” Saymidinova says.

But the attackers were persistent and asked the journalist to join a Zoom call to discuss the proposal further, as well as sending some links to review. Saymidinova, now on high alert, says she told an Iran International IT staff member about the approach and stopped replying. “It was very clear that they wanted to hack my computer,” she says. Amin Sabeti, the founder of Certfa Lab, a security organization that researches threats from Iran, analyzed the fake profile’s behavior and correspondence with Saymidinova and says the incident closely mimics other approaches on LinkedIn from Charming Kitten.

The Lons incident, which has not been previously reported, is at the murkiest end of LinkedIn’s problem with fake accounts. Sophisticated state-backed groups from Iran, North Korea, Russia, and China regularly leverage LinkedIn to connect with targets in an attempt to steal information through phishing scams or by using malware. The episode highlights LinkedIn’s ongoing battle against “inauthentic behavior,” which includes everything from irritating spam to shady espionage. 

Missing Links

LinkedIn is an immensely valuable tool for research, networking, and finding work. But the amount of personal information people share on LinkedIn—from location and languages spoken to work history and professional connections—makes it ideal for state-sponsored espionage and weird marketing schemes. False accounts are often used to hawk cryptocurrency, trick people into reshipping schemes, and steal identities.  

Sabeti, who’s been analyzing Charming Kitten profiles on LinkedIn since 2019, says the group has a clear strategy for the platform. “Before they initiate conversation, they know who they are contacting, they know the full details,” Sabeti says. In one instance, the attackers got as far as hosting a Zoom call with someone they were targeting and used static pictures of the scientist they were impersonating.

The fake Lons LinkedIn profile, which was created in May 2022, listed the real Lons’ correct work and education histories and used the same image from her real Twitter and LinkedIn accounts. Much of the biography text on the fake page had been copied from profiles of the real Lons as well. Sabeti says the group ultimately wants to gain access to people’s Gmail or Twitter accounts to gather private information. “They can collect intelligence,” Sabeti says. “And then they use it for other targets.” 

The UK government said in May 2022 that “foreign spies and other malicious actors” had approached 10,000 people on LinkedIn or Facebook over 12 months. One person acting on behalf of China, according to court documents, found that the algorithm of one “professional networking website” was “relentless” in suggesting potential new targets to approach. Often these approaches start on LinkedIn but move to WhatsApp or email, where it may be easier to send phishing links or malware.

In one previously unreported example, a fake account connected to North Korea’s Lazarus hacking group, pretended to be a recruiter at Meta. They started by asking the target how their weekend was before inviting them to complete a programming challenge to continue the hiring process, says Peter Kalnai, the senior malware researcher at security firm ESET who discovered the account. But the programming challenge was a scam designed to deploy malware to the target’s computer, Kalnai says. The LinkedIn messages sent by the scammers didn’t contain many grammatical errors or other typos, he says, which made the attack more difficult to catch. “Those communications were convincing. No red flags in the messages.”

It’s likely that scam and spam accounts are much more common on LinkedIn than those connected to any nation or government-backed groups. In September last year, security reporter Brian Krebs found a flood of fake chief information security officers on the platform and thousands of false accounts linked to legitimate companies. Following the reporting, Apple and Amazon’s profile pages were purged of hundreds of thousands of fake accounts. But due to LinkedIn’s privacy settings, which make certain profiles inaccessible to users who don’t share connections, it’s difficult to gauge the scope of the problem across the platform. 

The picture gets clearer at an individual company level. An analysis of WIRED’s company profile in January showed 577 people listing WIRED as their current employer—a figure well above the actual number of staff. Several of the accounts appeared to use profile images generated by AI, and 88 profiles claimed to be based in India. (WIRED does not have an India office, although its parent company, Condé Nast, does.) One account, listed as WIRED’s “co-owner,” used the name of a senior member of WIRED’s editorial staff and was advertising a suspicious financial scheme. 

In late February, soon after we told LinkedIn about suspicious accounts linked to WIRED, approximately 250 accounts were removed from WIRED’s page. The total employee count dropped to 225, with 15 people based in India—more in line with the real number of employees. The purpose of these removed accounts remains a mystery.

“If people were using fake accounts to impersonate WIRED journalists, that would be a major issue. In the disinformation space, we have seen propagandists pretend to be journalists to gain credibility with their target audiences,” says Josh Goldstein, a research fellow with the CyberAI Project at Georgetown University’s Center for Security and Emerging Technology. “But the accounts you shared with me don’t seem to be of that type.” 

Without more information, Goldstein says, it’s impossible to know what the fake accounts linked to WIRED may have been up to. Oscar Rodriguez, LinkedIn’s vice president in charge of trust, privacy, and equity, says the company does not go into detail about why it removes specific accounts. But he says many of the accounts linked to WIRED were dormant. 

Fighting Fakes

In October 2022, LinkedIn introduced several features meant to clamp down on fake and scam profiles. These included tools to detect AI-generated profile photos and filters that flag messages as potential scams. LinkedIn also rolled out an “About” section for individual profiles that shows when an account was created and whether the account has been verified with a work phone number or email address. 

In its most recent transparency report, covering January to June 2022, LinkedIn said that 95.3 percent of the fake accounts it discovered were blocked by “automated defenses,” including 16.4 million that were blocked at the time of registration. LinkedIn’s Rodriguez says the company has identified a number of signs it looks for when hunting fake accounts. For instance, commenting or leaving messages with super-human speed—a potential sign of automation—might cue LinkedIn to ask the account to provide a state-issued ID and make the account inaccessible to other users.

Similarly, when an account is being created, a mismatch between its IP address and listed location wouldn’t automatically be a trigger—someone could be traveling or using a VPN—but it might be a “yellow flag,” Rodriguez says. If the account shares other characteristics with previously removed accounts from a particular region or set of devices, he adds, that might be a clearer signal that the account is fraudulent.

“For the very small percent of accounts that managed to interact with members, we retrace our steps to understand the common characteristics across the different accounts,” Rodriguez says. The information is then used to “cluster” groups of accounts that may be fraudulent. Sabeti says LinkedIn is “very proactive” when human rights or security organizations report suspicious accounts. “It’s good in comparison with the other tech companies,” he says.

In some cases, LinkedIn’s new defenses appear to be working. In December, WIRED created two fake profiles using AI text generators. “Robert Tolbert,” a mechanical engineering professor at Oxford University, had an AI-generated profile photo and a resume written by ChatGPT, complete with fake journal articles. The day after the account was created, LinkedIn asked for ID verification. A second fake profile attempt—a “software developer” with Silicon Valley credentials and no photo—also received a request for an ID the following day. Rodriguez declined to comment on why these accounts were flagged, but both accounts were inaccessible on LinkedIn after they received the request for ID.

But detecting fake accounts is tricky—and scammers and spies are always trying to stay ahead of systems designed to catch them. Accounts that slip past initial filters but haven’t started messaging other people—like many of the scam accounts claiming to be WIRED staff—seem to be particularly hard to catch. Rodriguez says dormant accounts are generally removed through user reports or when LinkedIn discovers a fraudulent cluster. 

Today, WIRED’s page is a fairly accurate snapshot of its current staff. The fake Camille Lons profile was removed after we began reporting this story—Rodriguez did not say why. But in a process similar to the Lons impersonators, we conducted one additional experiment to try to slip past LinkedIn’s filters. 

With his permission, we created an exact duplicate of the profile for Andrew Couts, the editor of this story, only swapping out his photo for an alternative. The only contact information we provided when creating the account was a free ProtonMail account. Before we deleted the account, Fake Couts floated around on LinkedIn for more than two months, accepting connections, sending and receiving messages, browsing job listings, and promoting the occasional WIRED story. Then, one day, Fake Couts received a message from a marketer with an offer that seems too good to be true: a custom-built “professional WordPress website at no cost.”

A Spy Wants to Connect With You on LinkedIn

By Deeba Ahmed
The cybercrime group has given a deadline of March 20th, 2023 for their demands, which as expected, is a ransom.
This is a post from HackRead.com Read the original post: LockBit Ransomware Claims Data Breach at SpaceX Contractor

****The infamous LockBit ransomware claims to have stolen 3,000 “drawings certified by SpaceX engineers,” which they plan to sell “to other manufacturers” through an auction in a week unless they receive a ransom payment.****

The **LockBit** Ransomware Group Claims Data Breach at SpaceX Contractor ransomware group has recently made headlines by claiming to have stolen sensitive data belonging to SpaceX, a leading American aerospace manufacturer, and space transportation company owned by Elon Musk.

The news comes at the same time as the ALPHV ransomware group’s claim of **hacking into Amazon’s Ring** and stealing sensitive data, raising serious privacy concerns.

As seen by Hackread.com, the group targeted Texas-based Maximum Industries, one of **SpaceX’s third-party contractors**, and stole valuable data related to the company’s operations and projects.

LockBit hackers claim to have stolen 3,000 “drawings certified by SpaceX engineers,” which they plan to sell “to other manufacturers” through an auction in a week unless they receive a ransom payment. However, none of the claims regarding the stolen data could be confirmed.

Maximum Industries offers traditional and non-traditional machining processes and specializes in laser cutting and CNC machining services. While the exact details of how the contractor was compromised are not yet clear, it is likely that the ransomware group used phishing emails, and **social engineering**, or relied on an insider to gain access to the company’s systems.

Launched in 2019, the **LockBit ransomware group** is known for its sophisticated attack methods and aggressive demands for payment. The group typically targets large corporations and organizations, encrypts their data, and demands a hefty ransom in exchange for the decryption key.

If the victim refuses to pay, LockBit threatens to publish their stolen data online or sell it on the dark web. To date, LockBit has targeted more than 1,000 organizations.

The apparent theft of valuable data from a high-profile company like SpaceX highlights the growing threat of ransomware attacks and the need for organizations to take proactive measures to protect their sensitive information.

In recent years, ransomware attacks have become more frequent and sophisticated, causing billions of dollars in losses to companies worldwide. In addition to financial damage, these attacks can also have severe consequences for an organization’s reputation and customer trust.

To prevent ransomware attacks, organizations must implement robust security measures, including regular data backups, **multi-factor authentication**, and employee training on how to identify and respond to phishing attempts.

It is also essential to work with trusted third-party vendors who follow best practices in data security and regularly perform security audits.

1.  **Bangkok Airways hit by Lockbit ransomware**
2.  **Accenture claims to fight off LockBit ransomware**
3.  **LockBit ransomware hits French Ministry of Justice**

LockBit Ransomware Claims Data Breach at SpaceX Contractor

By Deeba Ahmed
ALPHV ransomware group threatens to leak sensitive data allegedly stolen from amazon's ring security cameras unless demands are met.
This is a post from HackRead.com Read the original post: ALPHV ransomware gang claims it has hacked Amazon’s Ring

****Amazon has no evidence of having been hit by a ransomware attack; however, the company is investigating a third-party vendor over the data breach.****

ALPHV, a ransomware group known for using the BlackCat malware, has claimed responsibility for the attack on Amazon’s popular security camera company, Ring, and is now threatening to leak their data.

The ALPHV ransomware group is involved in a series of ransomware attacks using BlackCat malware and operates a ransomware-as-a-service platform. Here’s the message ALPHV posted on their website with Ring’s logo:

> “There’s always an option to let us leak your data.”

The group has also created a searchable database of its victims who deny paying the ransom, which can be accessed by its affiliated groups.

This is what the ALPHV ransomware gang has to say about the alleged hack

In its tweet, VX-Underground, online malware source code collectors, confirmed on 13th March that ALPHV is responsible for the attack on Ring. However, the company did not confirm if the hackers compromised any data, so there are currently no recommendations for Ring users on how to address the situation.

For your information, Ring doorbell and security camera devices support E2EE (end-to-end) encryption in a majority of the regions where it is available. This means neither any government entity, hackers, nor even its parent company Amazon can access the uploaded footage.

However, it is possible for the attackers to exfiltrate corporate/customer data instead of the video. According to a Ring spokesperson, the company has no evidence of having been hit by a ransomware attack; however, they are investigating a third-party vendor over the data breach.

1.  Amazon Ring flaw could expose camera recordings
2.  ThroughTek flaw exposed millions of IoT cams to spying
3.  Hacked ring cams used in livestreaming swatting attacks

ALPHV ransomware gang claims it has hacked Amazon’s Ring

AT&T, PayPal, and Microsoft top the list of domains that victims visit following a link in a phishing email, as firms fight to prevent fraud and credential harvesting.

Credential-seeking cyberattackers garnered the most phishing success by impersonating the brands of telecommunications firms, financial institutions, and popular technology companies in 2022.

That's according to an analysis of data collected by Internet services provider Cloudflare, which found that Individuals most often clicked on links in emails that appeared to come from AT&T and Verizon, PayPal and Wells Fargo, or Microsoft and Facebook. The rankings did not align with popularity — the Internal Revenue Service ranked No. 6 — but rather with the size of the brand's user base and the relative opportunity to turn compromise into cash, says Matthew Prince, CEO and co-founder of Cloudflare.

"We're seeing up and down the brand list, from the largest and most risky down to the smallest, that phishing is not going away as a problem," Prince says. "Email still continues to be the No. 1 entry point for an attacker \[and\] phishing still continues to be the No. 1 threat for almost all of our customers."

In addition, attackers are increasingly using phishing in an attempt to steal credentials from privileged employees and gain access to corporate networks, he says.

Cloudflare is not the only organization to see phishing as a threat, of course. In 2022, more than 300,000 complaints of phishing attacks flooded the FBI's Internet Crime Complaint Center (IC3), slightly down from the peak in 2021 of nearly 324,000 complaints, but a 162% increase from three years ago. The numbers do not include business email compromise (BEC) and investment scams, the most damaging types of attacks, both of which typically have a targeted phishing component.

The phishing problem can be more problematic on mobile devices, since attackers are harder to spot in most mobile mail clients. In 2022, mobile phishing encounter rates — a measure of the number of phishing attempts the average user receives — increased roughly 10% for enterprise devices and more than 20% for personal devices, according to mobile-device management firm Lookout. Overall, half of mobile users faced a phishing attack at some point in 2022, the company stated in its recent "State of Mobile Phishing in 2023" report.

**An Often-Ignored Threat**

Most users have become inured to the fake emails using known brands to attempt to harvest credentials as the first step in an account compromise. Yet the deluge of disguised emails do have the occasional success, which makes the effort worth the attackers' time and mean that they remain the most common cause of data breaches.

Cloudflare used data from its domain name service (DNS) resolver to find the known phishing URLs that were most often visited by users, with visits to common hosting sites, such as Google and GoDaddy, removed from the data if the site could not be confirmed to be fraudulent.

It's not an indication of a successful phishing attack, but the top-50 list does show which emails overcome the recipient's initial skepticism, Cloudflare's Prince says.

"There are plenty of phishing scams where you might get something and say — 'Is this legitimate?' — so you might click on that link," he says. "It's at least the start down a journey of success; it doesn't mean that somebody necessarily entered their credentials, or even, if they entered information, that they entered accurate information."

Last August, Cloudflare detected a sophisticated phishing attack against the company, the same attack that compromised customer-data platform Twilio and more than 100 other companies, dubbed "Oktapus" for its targeting of the identity firm Okta.

Most recently, a phishing email sent to a Reddit employee led to a cloned gateway for the company and allowed an attacker to gain access to the social media site's internal network for a few hours.

**The Long Tail of Phish**

The top-50 list represents typical targets of credential stealing campaigns, and while there is a significant difference in volume between the start and the end of the list, smaller companies and the much lower volume of phishing directed against their brands result in a very long tailed distribution, Prince says.

Attackers tend to see phishing directed against brands in the top 50 as a way to steal money, packages, or valuable information from accounts, while the long-tail phishing tends to focus on gaining access for further compromise, Prince says. The first 10 companies on the list are AT&T, PayPal, Microsoft, DHL, Facebook, the IRS, Oath Holdings/Verizon, Mitsubishi UFJ NICOS, Adobe, and Amazon. The final five companies on the list are Banco Itaú Unibanco, Steam, Swisscom, LexisNexis, and Orange S.A.

"In most of these cases, when it's in the top-50 list, it's about how an attacker can gain access to an account to, in relatively short order, do something that generates cash for the attacker," he says. "I think that when we look at some of the more targeted attacks, those \[that\] are much more about compromising systems, they then can be used more indirectly to launch some sort of attack."

Brand Names in Finance, Telecom, Tech Lead Successful Phishing Lures

Directory Traversal vulnerability in iThemes BackupBuddy plugin 8.5.8.0 - 8.7.4.1 versions.

We recently discovered a security vulnerability in our BackupBuddy plugin. The vulnerability could allow a breach of your WordPress site, so we are asking all customers to **confirm your sites are running version 8.7.5 or higher of the BackupBuddy plugin.**

**BackupBuddy**

Plugin

BackupBuddy

Vulnerability

Directory Traversal Vulnerability

Patched in Version

8.7.5

Severity Score

High

**Who This Vulnerability Impacts**

This vulnerability only impacts sites **running BackupBuddy versions 8.5.8.0 through 8.7.4.1.**

**We have indications that this vulnerability is being _actively exploited_ in the wild.** We were notified of suspicious activity related to a BackupBuddy installation on September 2nd, 2022. The earliest exploits we have discovered appear to have started on August 27th, 2022.

*   Once we identified the exploit, we released a patch on September 2, 2022, to resolve the exploit in BackupBuddy version 8.7.5.
*   **We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of your current BackupBuddy licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.**
*   We also pushed auto-updates for all iThemes Sync users who have BackupBuddy installed.

**What Information Can Hackers Get Access To?**

This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.

**Indicators of Compromise**

To detect if your site was attacked, look for the following indicators of compromise. Search your server’s access logs for any text that contains local-destination-id and /etc/passwd or wp-config.php with an HTTP 2xx Response. (If you need help with this, please reach out to our support team by creating a support ticket on the iThemes Help Desk.)

**What You Should Do: Recommended Next Steps****1\. Update BackupBuddy to version 8.7.5 immediately.**

**Please update to BackupBuddy 8.7.5. immediately to fix this exploit.** Even if you aren’t running one of the vulnerable versions of BackupBuddy, we still recommend updating to BackupBuddy 8.7.5 as a best practice for running the latest versions of all your plugins and themes.

Running BackupBuddy on multiple WordPress sites? Use iThemes Sync to quickly update all your sites to BackupBuddy 8.7.5.

**2\. Follow the steps in the previous section to search for a compromise.**

If you have determined that your site may have been compromised, we recommend performing the following steps.

1.  **Reset your database password.** You may have to reach out to your hosting provider to help you with this.
2.  **Change your WordPress salts.** iThemes Security can do this for you automatically via Tools > Change WordPress Salts. You can update them manually following our guide on how to change your WordPress salts and keys.
3.  **Rotate other secrets in wp-config.php**. You may have stored API keys for services like Amazon S3 in your wp-config.php file. If so, these should be reset and updated.

If your server has an exposed phpMyAdmin installation, or your WordPress server connects to a publicly accessible database server, we recommend restoring to a backup from a date prior to the earliest logged access attempt. If this isn’t possible, engage a Hack Repair service to help you manually clean your WordPress website. At a minimum, you should search for and remove any suspicious administrator users on your website and reset the passwords for all other administrator users.

**If you manage your own server**

1.  **Consider rotating SSH passwords for all users.** An attacker could brute force the hashed password in the file and possibly continue to gain further unauthorized access to your server.
2.  **Consider updating your web user’s SSH keys.** An attacker could read the private SSH key file and the associated known hosts that the web user might have accessed previously.

Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. **Please share this post with your friends to help get the word out and make WordPress safer for everyone**!

**Questions?**

Our support team is standing by if you have questions or need help. Please open a ticket through the iThemes Help Desk.

CVE-2022-31474: WordPress Vulnerability Report, Special Edition – September 6, 2022: BackupBuddy

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Plus: A data breach exposes Washington, Ring camera footage has a new problem, and the George Santos scandal slips into the world of cybercrime.

In a statement released a day before the investigation’s release, Jayd Henricks, the group’s president, said, “It isn't about straight or gay priests and seminarians. It’s about behavior that harms everyone involved, at some level and in some way, and is a witness against the ministry of the church.”

No national US data privacy laws prohibit the sale of this kind of data.

On Wednesday, the District of Columbia’s health insurance exchange confirmed that it was working with law enforcement to investigate an alleged leak after a database containing personal information of about 170,000 individuals was offered for sale on a hacker forum popular with cybercriminals. The reported breach in DC Health Link, as the exchange is known, could expose sensitive personal data of lawmakers, their employees, and their families. Thousands of the exchange’s participants work in the US House and Senate, and a sample of the stolen data set reviewed by CyberScoop indicates that the victims of the breach also range from lobbyists to coffee shop employees. 

According to a letter to the head of the DC Health Benefit Exchange Authority from House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries, the FBI has apparently purchased some of the stolen data from the dark web. While the FBI had not yet determined the extent of the breach, according to the letter, “the size and scope of impacted House customers could be extraordinary.”

A report by Politico published March 7 details how Ring, Amazon’s home-surveillance company, handed law enforcement videos captured by an Ohio man’s 20 Ring cameras against his will. In December, the Hamilton Police Department sought a warrant for camera footage—including from inside the man’s house—while investigating his neighbor. According to the report, after he willingly providing video to the police that showed the street outside his home, police used the courts to access more footage against his will.

While law enforcement often seeks warrants for digital data, those warrants typically pertain to the subject of a particular investigation. However, as networked home surveillance cameras have become increasingly popular, sometimes blanketing city blocks, law enforcement is increasingly turning to individuals who are completely unaffiliated with a case to provide data. According to Politico, the lack of legal controls on what police can ask for opens the door for a bystander’s indoor home footage to be lawfully acquired by police.

Following Politico's story, Gizmodo reported that a customer service agent for Ring told a concerned customer that the Politico story was a “hoax” perpetrated by a competitor. In response, an Amazon spokesperson told Gizmodo that the company does not in fact think the story was a hoax and the statement was the result of a misunderstanding on the part of the customer support agent. “We will ensure the agent receives the appropriate coaching,” the spokesperson said.

A former roommate of noted fabulist George Santos told federal authorities that the US congressman from Long Island, New York, had orchestrated a credit card skimming operation in Seattle in 2017. In a declaration submitted to authorities and obtained by Politico, the Brazilian man—convicted of credit card fraud and deported from the US—told the FBI, “Santos taught me how to skim card information and how to clone cards. He gave me all the materials and taught me how to put skimming devices and cameras on ATM machines.” 

According to the declaration, Gustavo Ribeiro Trelha met Santos in 2016 when he rented a room from him in his Florida apartment. There Santos reportedly taught Trelha how to use credit card cloning equipment and eventually flew him to Seattle to begin stealing financial information. “My deal with Santos was 50 percent for him, 50 percent for me,” Trelha wrote.

Tag

#amazon