#AxisOfEasy 246: DEA Law Enforcement Data Breach Under Investigation


Weekly Axis Of Easy #246


Last Week’s Quote was  “Clever tyrants are never punished.” was by Volaire.  Only Jonathon knew!  Congrats!

This Week’s Quote:  “Correction does much, but encouragement does more.”  … by???

THE RULES: No searching up the answer, must be posted to the blog– the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.

 


This is your easyDNS #AxisOfEasy Briefing for the week of May 16th, 2022, wherein our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy. 
 
In this issue:
  • DEA law enforcement data breach under investigation
  • Ransomware attack to close US college after 157 years 
  • Malicious NPM packages are attacking German companies
  • APT34 uses the new Saitama backdoor to target the Jordan Government 
  • New York authorities accuse a British hacker of stealing millions of dollars from banks

Elsewhere online

  • Regional Cybercrime Unit investigates stolen cryptocurrency theft worth £20 million 
  • Hackers drop a post-exploit malware framework onto Microsoft Exchange servers
  • Video platform RuTube denies loss of source code following cyberattack
  • Whyy Canada’s Bill C-11 actually regulates user-generated content
  • Fraudulent WHO safety emails spread Nerbian RAT across Europe
  • Trudeau government gave $3 million to WEF and $1.6 billion to UN in 2021


DEA law enforcement data breach under investigation

The Drug Enforcement Administration (DEA) says the agency is investigating reports that hackers have gained access to a portal allowing access to 16 different law enforcement databases. In its investigation, KrebsOnSecurity has learned the alleged compromise involves a cybercrime and online harassment group that routinely impersonates law enforcement and government officials to harvest private information.

According to KrebsOnSecurity, hackers gained access to “a username and password for an authorized user of esp.usdoj.gov, the Law Enforcement Inquiry and Alerts (LEIA) system used by the DEA.” On its website, the Department of Justice states that LEIA supports the DEA’s El Paso Intelligence Center (EPIC) and external databases, including data classified by the DEA as “law enforcement sensitive” and “mission sensitive.”

Both EPIC and LEIA have access to the DEA’s National Seizure System (NSS), which a DEA team uses to identify property thought to be purchased using proceeds of criminal activity (think luxury cars seized from drug dealers).

“The EPIC System Portal (ESP) gives vetted users access to data analytics, mobile apps, and remote intelligence sharing,” a 2016 White House document reads. According to the document published by the Obama Administration, the Law Enforcement Inquiry and Alerts (LEIA) system facilitates the search of 16 federal law enforcement databases at the same time.
Hackers would be very fortunate to access databases and user accounts within the Department of Justice. EPIC’s data, however, would likely be more valuable to organized crime rings or drug cartels, according to Nicholas Weaver, a doctoral candidate at the University of California, Berkeley, and researcher at the International Computer Science Institute.

“I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” Weaver said. “Especially because as a cartel, you don’t search for yourself you search for your enemies so that even if it’s discovered, there is no loss to you of putting things ONTO the DEA’s radar.”

Read: https://krebsonsecurity.com/2022/05/dea-investigating-breach-of-law-enforcement-data-portal/ 


Ransomware attack to close US college after 157 years

One hundred fifty-seven years after it opened its doors, Lincoln College –a predominantly black college in Illinois, USA –is closing its doors, citing the challenges it faced due to a Coronavirus pandemic and the aftermath of a ransomware attack. Lincoln College has faced many challenges throughout its history, including economic crises, a campus fire, World War II, the Spanish flu epidemic of 1918, the Great Depression, and the 2008 global financial crisis, but this time was different. In December 2021, it became a victim of a ransomware attack.

As Lincoln College President David Gerlach told EdScoop last month, the ransomware attack meant that admissions applications could not be entered into the college’s IT system, preventing the recruitment of students. The college says it lost essential data to the ransomware attack, which rendered all recruitment, retention, and fundraising methods inoperable.
 
Despite Lincoln College’s decision to pay a ransom to its attackers (which was “significantly” below their initial demand of US $100,000, according to Gerlach), the school’s operations were still severely disrupted. Two months after the tragedy, systems were fully restored, revealing the college’s dire condition.
Lincoln College’s financial efforts, which have included a GoFundMe campaign for $20 million, the sale of assets, and staffing changes, have not raised the significant amount of funding needed to remain open.

Read: https://www.bitdefender.com/blog/hotforsecurity/us-college-set-to-permanently-close-after-157-years-following-ransomware-attack 


Malicious NPM packages are attacking German companies

Researchers have discovered malicious packages targeting German media, logistics, and industrial firms to carry out supply chain attacks. According to JFrog researchers, the highly sophisticated malware acts as a back door and grants total control to the attacker.
Most of the rogue packages, which have since been removed, were traced back to four “maintainers,” bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm, which names indicate that hackers were attempting to impersonate legitimate firms like Bertelsmann, Bosch, Stihl, and DB Schenker.

In some cases, the package names are said to be very specific, raising the possibility that the adversaries were able to learn which libraries were stored in the companies’ internal repositories to stage a dependency confusion attack. For example, Snyk discovered malware targeting an unknown company with a package called “gxm-reference-web-auth-server” in its private registry.

As JFrog noted, the malware contains two components, a dropper, and a JavaScript backdoor, relying on insider information to execute commands and upload files to a command-and-control server.

Read: https://thehackernews.com/2022/05/malicious-npm-packages-target-german.html?&web_view=true 


APT34 uses the new Saitama backdoor to target the Jordan Government

On April 26th, the Threat Intelligence Team at Malwarebytes Labs identified a suspicious email containing a malicious Excel document that dropped a new backdoor named Saitama. APT34, an Iranian threat group, is suspected of the attack.
Emails with the subject “Confirmation Receive Document” were sent to the victim through a Microsoft Outlook account, and the attached Excel file “Confirmation Receive Document.xls.” By signing with the coat of arms of Jordan, the sender claims to be from the government.

Saitama’s backdoor uses the DNS protocol to communicate with its commands and controls. Also, the hacker used compression techniques and long random sleep times to disguise malicious traffic, and it is implemented as a finite-state machine.
The backdoor is put in sleep mode when DNS requests are unsuccessful. The amount of time it will sleep is determined by the previous stage. The backdoor uses DNS requests to receive commands from the C&C servers. The backdoor builds buffers with the commands.

The attackers added a predefined list of commands in Base64 format to the backdoor. Some of the commands contained internal IPs and domain names. Send state allows the actor’s server to receive the results generated by commands. The attackers split the data into different buffers and sent them through other DNS requests.

Several indicators suggest that this campaign has been operated by APT34, including a similar Madoc, similar anti-sandboxing technique, and similar payload.

Read: https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/?web_view=true 


New York authorities accuse a British hacker of stealing millions of dollars from banks

More than $5 million was stolen from investors’ accounts by a British man and his co-conspirators who hacked into email servers and computers belonging to U.S. banks and brokerages. From January 2011 to March 2018, Idris Dayo Mustapha, 32, and others obtained user names and passwords to access online bank and brokerage accounts using phishing and other methods, according to a 10-count complaint published on Tuesday.

According to prosecutors, the Lagos, Nigeria native and his co-conspirators first transferred victims’ funds to their accounts. As part of the scheme, the conspirators would trade unauthorized trades in hacked accounts while making profits in their accounts.

In a statement, U.S. Attorney Breon Peace in Brooklyn said that Mustapha was “a member of a nefarious group that committed multiple cyber-crimes that cost victims millions of dollars.”
Should he be convicted, Mustapha could face up to 20 years in prison for wire fraud, securities fraud, money laundering, and two years for aggravated identity theft.

Read: https://www.reuters.com/world/uk/british-man-charged-new-york-with-hacking-into-bank-computers-stealing-millions-2022-05-10/ 


Elsewhere online:


Regional Cybercrime Unit investigates stolen cryptocurrency theft worth £20 million
Read: https://ffnews.com/newsarticle/nuix-regional-cybercrime-unit-investigates-20-million-in-cryptocurrency-theft/ 

Hackers drop a post-exploit malware framework onto Microsoft Exchange servers
Read: https://www.darkreading.com/attacks-breaches/threat-actor-deploying-sophisticated-post-exploit-framework-on-exchange-servers 

Video platform RuTube denies loss of source code following cyberattack
Read: https://portswigger.net/daily-swig/rutube-hack-russian-video-platform-denies-loss-of-source-code-following-cyber-attack

Whyy Canada’s Bill C-11 actually regulates user-generated content
Read: https://www.michaelgeist.ca/2022/05/the-governments-gaslighting-of-the-online-streaming-act-or-why-bill-c-11-regulates-user-generated-content/  

Fraudulent WHO safety emails spread Nerbian RAT across Europe
Read: https://www.hackread.com/fake-who-covid-safety-emails-nerbian-rat-europe/

 

Trudeau government gave $3 million to WEF and $1.6 billion to UN in 2021
Read: https://tnc.news/2022/05/10/trudeau-government-gave-3-million-to-wef-and-1-6-billion-to-un-in-2021/


Previously on #AxisOfEasy

If you missed the previous issues, they can be read online here:



 

 

 

 

One thought on “#AxisOfEasy 246: DEA Law Enforcement Data Breach Under Investigation

  1. This Week’s Quote:  “Correction does much, but encouragement does more.”  … by??

    Is it Goethe?

Leave a Reply

Your email address will not be published. Required fields are marked *