Weekly Axis Of Easy #259
Last Week’s Quote was “I was not designed to be forced. I will breathe after my own fashion. Let us see who is the strongest.” It was by Henry David Thoreau. No one got it.
This Week’s Quote: “There is no distinctly American criminal class – except Congress.” … by???
THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
In this issue:
- Amazon plots to turn surveillance network into reality TV series
- A cyberattack targeted Finland’s parliament after the US moved to admit the country to NATO
- RAT malware used in Cuba ransomware attacks
- Activated prescriptions are resold in an illegal secondary market
- Extradition of a $3 million romance scammer to Japan
- Messenger’s end-to-end encryption gets an upgrade
- ICANN Transfers policy comment period
- The CISA warns of a vulnerability in Zimbra Suite exploited by hackers
- RCMP claims spyware is similar to wiretapping, but privacy experts disagree
- A report warns ArriveCAN could be violating constitutional rights
- An EU Commissioner defends spying on everyone for the sake of the children
Amazon plots to turn surveillance network into reality TV series
Now that people seem to have gotten used to being watched 24/7 through Ring cameras, let’s make a reality show about it. If it gets viral views on social media, why miss out on profits?
Wanda Sykes is set to host the new series airing September 26th on MGM, titled Ring Nation.
“The series will feature clips such as neighbors saving neighbors, marriage proposals, military reunions and silly animals.”
The skeptics see this as a furthering of a surveillance state and getting people more used to being watched.
A cyberattack targeted Finland’s parliament after the US moved to admit the country to NATO
The Finnish parliament website was temporarily down on Tuesday, August 9, 2022 after a cyberattack that coincided with President Biden’s move to admit the Nordic country to NATO. It was stated on Twitter that the attack occurred at around 2:30 p.m. local time and that the site returned to normal the next day.
The attack happened the same day Biden signed a measure backing Finland and Sweden’s admittance into NATO, making the U.S. the 23rd of NATO’s 30 member states to approve the two Nordic countries’ admission to the alliance. Sweden and Finland’s bid for membership was prompted by Russia’s invasion of Ukraine in February.
Experts have stated that Russia could potentially use its cyber arsenal against Sweden and Finland. Russia is likely to opt for small-scale cyberattacks, such as website defacement, as a way to protest the expansion.
RAT malware used in Cuba ransomware attacks
New findings from Palo Alto Networks’ Unit 42 threat intelligence team link threat actors associated with the Cuba ransomware to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT deployed on compromised systems. The team is tracking the double extortion ransomware group under a constellation-themed alias, “Tropical Scorpius.”
According to a December 2021 statement by the FBI: “Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomwares, onto victims’ networks.” 40 out of the 60 victims listed on the data leak site are located in the U.S.
COLDDRAW (Cuba ransomware) was first detected in December 2019, reemerged in November 2021 and has been attributed to attacks against 60 organizations in five critical infrastructure sectors, accumulating around $43.9 million in ransom payments.
In the intervening months, the ransomware operation received substantial upgrades which, as Trend Micro noted in June, aim to “optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate.” Tropical Scorpius is also believed to share a connection with Industrial Spy, a data extortion marketplace.
Unit 42 observed the latest updates in May 2022, relating to the defense evasion tactics used before the deployment of the ransomware to fly under the radar and move laterally across the compromised IT environment.
This intrusion paves the way for the deployment of a novel backdoor, ROMCOM RAT, which is equipped to start a reverse shell, delete arbitrary files, upload data to a remote server, and harvest a list of running processes.
Activated prescriptions are resold in an illegal secondary market
Kasada threat intelligence observed the use of credential stuffing to attack pharmacies, exploit the distribution of prescribed medication and steal customer accounts. These accounts provide access to active prescriptions, which are later resold illegally on the black market for profit.
Not only is this illegal but also dangerous, putting medications in the hands of people without prescription and enabling substance abuse, while also taking away prescribed medications from those who really need them.
Malicious bots are known to facilitate billions of dollars in online fraud, partly by automating login attempts to test stolen user credentials and perform account takeover (ATO). Through credential stuffing, compromised accounts are exploited by making fraudulent transactions and stealing stored value. Using bots to commit ATO has been around for a long time, particularly in Retail, Media & Entertainment, and Financial Services. The newest trend has been the pharmacy issue, starting at the beginning of April 2022.
But how are the hackers able to do this?
Credential Stuffing: The attacker exploits consumers’ reuse of credentials across sites by stuffing stolen usernames and passwords into the login form. In a small percentage of cases, these stolen credentials “work,” allowing the attacker to access legitimate accounts (performing ATO).
Data Extraction: Data linked to a stolen account includes customer information, such as name, birth date and phone number on file, with the attacker extracting the prescriptions and other information associated with the account.
Storefront Integration: The stolen information is integrated into eCommerce marketplaces, not just the dark web. The stolen accounts are put up for sale by anonymous profiles, and shoppers can choose the pharmacy and medication of their choice, paying with a range of methods including cash transfer and crypto.
Using a Stolen Pharmacy Account: The purchaser is free to use the account to obtain the medication at the specified pharmacy. This can be done through online ordering. They can also visit a pharmacy to pick up the prescription with the information lifted from the account for authorization.
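The four steps above start with a burst of login attempts against many different accounts from the same source, most of which fail. That pattern is what a defender can look for in the pharmacy’s own authentication logs. The following is an added example (not code from the newsletter or from Kasada) of a small detector that slides a time window over each source IP’s login events and flags credential-stuffing bursts; the log format, thresholds and sample log lines are all constructed assumptions for the illustration. It also records any logins that succeeded inside a flagged burst, since those are the accounts that should be force-logged-out and password-reset before their prescriptions can be resold.

```python
"""Credential-stuffing / account-takeover detection over login logs.

Added illustrative example, not the newsletter's or Kasada's code. The log
format is a constructed, hypothetical one: "<ISO 8601 timestamp> <ip> <user> <OK|FAIL>".
A source IP that tries many *distinct* usernames with a high failure ratio in a
short window is the signature of replaying a breached credential list; successes
inside such a burst are probable takeovers.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log: 203.0.113.7 sprays seven different accounts within a few
# seconds (one succeeds); 198.51.100.20 is a legitimate user who mistypes once.
SAMPLE_LOG = """\
2022-08-10T14:00:01Z 203.0.113.7 alice@example.com FAIL
2022-08-10T14:00:02Z 203.0.113.7 bob@example.com FAIL
2022-08-10T14:00:02Z 203.0.113.7 carol@example.com FAIL
2022-08-10T14:00:03Z 203.0.113.7 dave@example.com FAIL
2022-08-10T14:00:04Z 203.0.113.7 erin@example.com OK
2022-08-10T14:00:05Z 203.0.113.7 frank@example.com FAIL
2022-08-10T14:00:06Z 203.0.113.7 grace@example.com FAIL
2022-08-10T14:01:10Z 198.51.100.20 heidi@example.com FAIL
2022-08-10T14:01:25Z 198.51.100.20 heidi@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return events as (timestamp, ip, user, success) sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return sorted(events)


def detect_credential_stuffing(text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Slide a time window over each IP's login events and flag stuffing bursts.

    Returns {ip: {"distinct_users", "attempts", "failures", "takeovers"}}. The
    counts describe the most recent window that crossed the thresholds;
    "takeovers" is the set of accounts that logged in successfully inside any
    flagged window for that IP. Thresholds are assumed values for the example.
    """
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {e[2] for e in burst}
            failures = sum(1 for e in burst if not e[3])
            if len(users) < min_users or failures / len(burst) < min_fail_ratio:
                continue
            f = findings.setdefault(ip, {"takeovers": set()})
            f["distinct_users"] = len(users)
            f["attempts"] = len(burst)
            f["failures"] = failures
            f["takeovers"].update(e[2] for e in burst if e[3])
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct_users']} users / {f['attempts']} attempts, "
              f"{f['failures']} failures; likely takeovers: {sorted(f['takeovers'])}")
```

Counting distinct usernames rather than raw failures is what separates stuffing from a single forgetful customer: the legitimate user above fails once and then succeeds on the same account, so it never crosses the `min_users` threshold. In practice the source key would often be a device fingerprint or ASN rather than a bare IP, because stuffing tools rotate through proxy pools, and the response to a flagged burst is rate limiting plus step-up authentication, not a hard block that an attacker can use to lock customers out.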
Extradition of a $3 million romance scammer to Japan
Interpol has launched a new campaign to spread awareness on not becoming money mules, after arresting 15 suspects in connection with a major romance scam conspiracy.
The international policing organization’s Financial Crime and Anti-Corruption Centre (IFCACC) said the two-week global campaign would highlight the critical role mules play in modern crime, using the hashtag #YourAccountYourCrime on social media to remind people that they are ultimately responsible for keeping their own bank accounts safe, and that moving money on behalf of others could land them in trouble.
According to the FBI, romance scams made fraudsters over $956 in 2021, making them the third-highest earner for criminals. 58-year-old Hikaru Morikawa arrived at Kansai airport in August after being arrested in Ghana. According to Interpol, he is suspected of being the mastermind behind a group of romance scammers who posed as women on dating sites in order to trick victims into handing over money. The group is thought to have made around 400 million yen ($3m) from their scams.
Stephen Kavanagh, Interpol executive director of police services stated: “Criminals will go to great lengths to recruit money mules, because they play an essential role in distancing themselves from authorities and escaping detection. Money mule schemes can be disguised as employment, romantic relationships or investments, or simply as helping out a friend.”
Messenger’s end-to-end encryption gets an upgrade
A Nebraska woman and her 17-year-old daughter are facing felony and misdemeanor charges for allegedly performing an abortion after 20 weeks (which has long been illegal in the state), as well as concealing a fetus.
According to sources, law enforcement collected evidence for the charges in part by soliciting data from Meta with a warrant that ordered the company to hand over records from the 17-year-old’s Messenger chat histories. The company could not have produced the chats had they been protected by end-to-end encryption, a feature Meta has long promised to turn on for all users by default.
The company has been promising full-scale deployment of the privacy feature since 2016, with CEO Mark Zuckerberg committing in 2019 to implement end-to-end encryption across all its chat apps. However, it has faced technical and political difficulties that have delayed the process through the years.
In the week of August 8, Meta began expanding the number of chats between certain people that are automatically end-to-end encrypted, meaning those users won’t have to enable the protection themselves. It will “soon” also broaden the number of users who can opt into end-to-end encryption on Instagram Direct Messenger.
Meta has also been testing a “secure storage” feature for end-to-end encrypted chats, so users can back up their messages in case they get a new device or lose one and want to restore their chat history. The company says this feature will be the default for end-to-end encrypted chats on Messenger, with the option to lock the backups with a PIN or a generated code. The feature is designed so Meta won’t be able to access the backups. Users will also be able to opt out of the backups and turn the feature off.
ICANN Transfers policy comment period
The (still too short) extended timeline for public comments on the new ICANN transfers policy has expired and the only person in the domain community really sounding the alarm on it has been George Kirikos.
His final submission was over 60 pages.
The big red flag is recommendation #19, particularly Sections E and F, which enables registrars to deny transfers out based on Terms of Service violations.
ToS violations are somewhat subjective, and this opens the door to registrars terminating domains on purely ideological grounds. In the past this was not a huge problem, because you could always transfer out if your registrar shut you down because they don’t like your views. If this goes through, it’s a problem, because if they shut you down for subjective, feels-y reasons, they’ll be able to keep your domain locked down.
Kudos to George for his tireless efforts in fighting the good fight.
The CISA warns of a vulnerability in Zimbra Suite exploited by hackers
Having your information listed on a ransomware leak site may invite other gangs to attack you
RCMP claims spyware is similar to wiretapping, but privacy experts disagree
A report warns ArriveCAN could be violating constitutional rights
An EU Commissioner defends spying on everyone for the sake of the children
Previously on #AxisOfEasy
If you missed the previous issues, they can be read online here:
- August 8th, 2022: Meta Is Being Sued For Giving US Hospitals A Data-Tracking Tool That Allegedly Disclosed Patient Information To Facebook
- August 1st, 2022: An Update To Facebook’s Link Schema Aims To Fight Privacy Browsers And Privacy Plugins
- July 25th, 2022: Verified Twitter Vulnerability Exposes Data From 5.4 Million Accounts
- July 18th, 2022: CRTC Chair Ian Scott Confirms Bill C-11 Can Be Used To Pressure Internet Platforms To Manipulate Algorithms
- July 12th, 2022: Apple Debuts Lockdown Mode to Prevent State-Sponsored Spying