Justice Dept. charges Russian hacker behind the Dridex malware

U.S. prosecutors have brought computer hacking and fraud charges against a Russian citizen, Maksim Yakubets, who is accused of developing and distributing Dridex, a notorious banking malware used to allegedly steal more than $100 million from hundreds of banks over a multi-year operation.

Per the unsealed 10-count indictment, Yakubets is accused of leading and overseeing Evil Corp, a Russian-based cybercriminal network that oversaw the creation of Dridex. The malware is often spread by email and infects computers, silently siphoning off banking logins. The malware has also been known to be used as a delivery mechanism for ransomware, as was the case with the April cyberattack on drinks giant Arizona Beverages.

The Russian hacker is also alleged to have used the Zeus malware to successfully steal more than $70 million from victims’ bank accounts. Prosecutors said the Zeus scheme was “one of the most outrageous cybercrimes in history.”

Yakubets’ wanted poster. (Image: FBI/supplied)

Justice Department officials, speaking in Washington DC with their international partners from the U.K.’s National Crime Agency, said Yakubets also provided “direct assistance” to the Russian government in his role working for the FSB (formerly KGB) from 2017 to work on projects involving the theft of confidential documents through cyberattacks.

Prosecutors said Evil Corp was to blame for an “unimaginable” amount of cybercrime during the past decade, with a primary focus on attacking financial organizations in the U.S. and the U.K.

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Brian Benczkowski, assistant attorney general in the Justice Department’s criminal division, in remarks.

The State Department announced a $5 million reward for information related to the capture of Yakubets, who remains at large.

In a separate statement, Treasury secretary Steven Mnuchin said the department issued sanctions against Evil Corp for the group’s role in international cyber crime, including two other hackers associated with the group — Igor Turashev and Denis Gusev — as well as seven Russian companies with connections to Evil Corp..

“This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group,” said Mnuchin.

Read more:

LA warns of ‘juice-jacking’ malware, but admits it has no cases

Los Angeles’ district attorney is warning travelers to avoid public USB charging points because “they may contain dangerous malware.”

Reading the advisory, you might be forgiven for thinking that every USB outlet you see is just waiting for you to plug in your phone so it can steal your data. This so-called “juice-jacking” attack involves criminals loading malware “on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” it reads. “The malware may lock the device or export data and passwords directly to the scammer.”

But the county’s chief prosecutor’s office told TechCrunch said that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast.When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”

Which begs the question — why?

Security researcher Kevin Beaumont tweeted that he hasn’t seen “any evidence of malware being used in the wild on these things.” In fact, ask around and you’ll find very little out there. Several security researchers have dropped me messages saying they’ve seen proof-of-concepts, but nothing actively malicious.

Juice-jacking is a real threat, but it’s an incredibly complicated and imperfect way to attack someone when there are far easier ways.

The idea, though — that you can plug in your phone and have your secrets stolen — is not entirely farfetched. Over the years there have been numerous efforts to demonstrate that it’s possible. As ZDNet points out in its coverage of the juice-jacking warning, the FBI sent out a nationwide alert about the threat after security researcher Samy Kamkar developed an Ardunio-based implant designed to look like a USB charger to wirelessly sniff the air for leaky key strokes. And just earlier this year, a security researcher developed an iPhone charger cable clone that let a nearby hacker run commands on the vulnerable computer.

LA recommend using an AC power outlet and not a charging station, and to take your cables with you. That’s sound advice, but it’s just one of many things you need to do to keep your devices and data safe.

American Cancer Society’s online store infected with credit card stealing malware

The American Cancer Society’s online store has become the latest victim of credit card stealing malware.

Security researcher Willem de Groot found the malware on the organization’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page, like similar attacks targeting British Airways, Ticketmaster, AeroGarden, and Newegg.

The attackers, known as Magecart, use their stolen credit card numbers to sell on the dark web or use the numbers for committing fraud.

de Groot said in a blog post explaining the breach, shared exclusively with TechCrunch, that the code was designed to send collected credit card numbers to a third-party server, operated by the attacker. The code was malformed, leading to it being inserted twice. When the malicious code was decoded, it revealed the web address of the the hacker’s third-party server.

acs magecart

The card skimming malware on the American Cancer Society’s store’s website. (Image: TechCrunch)

Trend Micro said the domain is known to be used by Magecart. The domain is registered in Moscow, but the website itself loads nothing more than a decoy page.

The code was injected into the online store at some point late last week. de Groot informed the organization of the incident as soon as he found the code on Thursday by calling its anti-fraud hotline, but the code was not immediately removed. After we reached out Friday, the code was no longer present.

American Cancer Society spokesperson Kathi Dinicola did not return requests for comment.

It’s not known how many users were affected, but anyone who entered information through the American Cancer Society late last week should contact their payments provider.

Police hijack a botnet and remotely kill 850,000 malware infections

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.

The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer.

Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America.

According to a blog post announcing the bust, security firm Avast confirmed the operation was successful.

The security firm got involved after it discovered a design flaw in the malware’s command and control server. That flaw, if properly exploited, would have “allowed us to remove the malware from its victims’ computers” without pushing any code to victims’ computers, the researchers said.

The exploit would have dismantled the operation, but the researchers lacked the legal authority to push ahead. Because most of the malware’s infrastructure was located in France, Avast contacted French police. After receiving the go-ahead from prosecutors in July, the police went ahead with the operation to take control of the server and disinfect affected computers.

The French police called the botnet “one of the largest networks” of hijacked computers in the world.

The operation worked by secretly obtaining a snapshot of the malware’s command and control server with cooperation from its web host. The researchers said they had to work carefully as to not be noticed by the malware operators, fearing the malware operators could retaliate.

“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”

With a copy of the malicious command and control server in hand, the researchers built their own replica, which disinfected victim computers instead of causing infections.

“[The police] replaced the malicious [command and control] server with a prepared disinfection server that made connected instances of Retadup self-destruct,” said Avast in a blog post. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.”

In doing so, the company was able to stop the malware from operating and remove the malicious code to over 850,000 infected computers.

Jean-Dominique Nollet, head of the French police’s cyber unit, said the malware operators generated several million euros worth of cryptocurrency.

Remotely shutting down a malware botnet is a rare achievement — but difficult to carry out.

Several years ago the U.S. government revoked Rule 41, which now allows judges to issue search and seizure warrants outside of their jurisdiction. Many saw the move as an effort by the FBI to conduct remote hacking operations without being hindered by the locality of a judge’s jurisdiction. Critics argued it would set a dangerous precedent to hack into countless number of computers on a single warrant from a friendly judge.

Since then the amended rule has been used to dismantle at least one major malware operation, the so-called Joanap botnet, linked to hackers working for the North Korean regime.

US Cyber Command has publicly posted malware linked to a North Korea hacking group

U.S. Cyber Command, the sister division of the National Security Agency focused on offensive hacking and security operations, has released a set of new samples of malware linked to North Korean hackers.

The military unit tweeted Wednesday that it had uploaded the malware to VirusTotal, a widely used database for malware and security research.

It’s not the first time the unit has uploaded malware to the server — it has its own Twitter account to tell followers which malware it uploads. On one hand the disclosure helps security teams fight threats from nation states, but it also gives a rare glimpse inside the nation state-backed hacking groups on which Cyber Command is focused.

The uploaded malware sample is named Electric Fish by the U.S. government. Electric Fish is a tunneling tool designed to exfiltrate data from one system to another over the internet once a backdoor has been placed.

Electric Fish is linked to the APT36 hacking group.

FireEye says APT36 has distinctly different motivations from other North Korean-backed hacking groups like Lazarus, which was blamed for the Sony hack in 2016 and the WannaCry ransomware attack in 2017. APT36 is focused on financial crimes, such as stealing millions of dollars from banks across the world, the cybersecurity firm said.

Electric Fish was first discovered in May, according to Homeland Security’s cybersecurity division CISA, but APT36 has been active for several years.

A recently leaked United Nations report said the North Korean regime has stolen more than $2 billion through dozens of cyberattacks to fund its various weapons programs.

APT36 has amassed more than $100 million in stolen funds since its inception.

Marcus Hutchins, malware researcher and ‘WannaCry hero’, sentenced to supervised release

MILWAUKEE, WI. — Marcus Hutchins, the malware researcher who became known as an “accidental hero” for stopping the WannaCry ransomware attack in 2017, has been sentenced to supervised release on charges of making and selling the Kronos banking malware.

Presiding Judge J. P. Stadmueller described Hutchins, 25, as a “talented” but “youthful offender” in remarks in court Friday.

The judge said Hutchins will face no time in jail.

“It’s going to take the people like [Hutchins] with your skills to come up with solutions because that’s the only way we’re going to eliminate this entire subject of the woefully inadequate security protocols,” said Stadmueller.

The judge said he look into account Hutchins’ age at the time of the offenses, and gave him credit for “turning a corner” in his life before charges were brought.

Stadmueller said his sentence is likely, however, to bar him from re-entering the United States.

In a statement, Hutchins said he made some “bad decisions” as a teenager. “I deeply regret my conduct and the harm that was caused,” he said.

“I have no desire to go back to that life,” he said, and apologized to the victims of the malware he created.

Hutchins, a British citizen who goes by the online handle @MalwareTech, was arrested in Las Vegas by federal marshals in August 2017 while boarding a flight back to the U.K. following the Def Con security security conference. The government alleged in an indictment that he developed Kronos, a malware that steals banking credentials from the browsers of infected computers. The indictment also accused him of developing another malware known as the UPAS Kit. Hutchins was bailed on a $30,000 bond.

Since his indictment, he had been living in Los Angeles.

Hutchins initially denied creating the malware. But after prosecutors filed a superseding indictment, he later pleaded guilty to the two primary counts of creating and selling the malware. Eight remaining charges were dropped following his change in plea.

Prosecutors said Hutchins faced up to 10 years in prison and a maximum $500,000 fine.

In a statement following his guilty plea, he said he regretted his actions and accepted “full responsibility for my mistakes.”

Prosecutors said although Hutchins and an accomplice had generated only a few thousand dollars from selling the malware, Kronos allowed others to financially benefit from using the malware.

Hutchins’ indictment came four months after he was hailed as a hero for registering a domain name that stopped the spread of the WannCry cyberattack, which knocked tens of thousands of computers offline with ransomware in a few hours.

The ransomware attack, later blamed on North Korean hackers, spread across Ukraine, Europe and the U.K., encrypting systems and knocking businesses and government departments offline. The U.K.’s National Health Service NHS was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close. Hutchins, who at the time of the attack worked for Los Angeles-based Kryptos Logic from his home in the south of England, registered the domain in an effort to understand why the ransomware was spreading. It later transpired the domain acts as a “kill switch” and stopped it dead in its tracks.

In the week after, the kill switch became the target of powerful botnets hoping to knock the domain offline and spark another outbreak.

Hutchins told TechCrunch last month that the WannaCry attack was one of the most stressful and exhausting moments in his life.

Since the attack, however, Hutchins received additional acclaim for his malware research on new infections and botnet activities. He has been praised for live-streaming his work so others can learn how to reverse engineer malware. Many in the security community — and further afield — have called on the court to grant Hutchins clemency for his recent concerted efforts to protect users from security threats.

Prosecutors acknowledged Hutchins’ reformed character in a sentencing memo filed this week, saying Hutchins has “since made a good decision to turn his talents toward more positive ends.”

When reached, a Justice Department spokesperson deferred comment to the U.S. Attorney’s Office for the Eastern District of Wisconsin, which did not immediately comment.

TrickBot malware learns how to spam, ensnares 250M email addresses

Old bot, new tricks.

TrickBot, a financially motivated malware in wide circulation, has been observed infecting victims’ computers to steal email passwords and address books to spread malicious emails from their compromised email accounts.

The TrickBot malware was first spotted in 2016 but has since developed new capabilities and techniques to spread and invade computers in an effort to grab passwords and credentials — eventually with an eye on stealing money. It’s highly adaptable and modular, allowing its creators to add in new components. In the past few months it’s adapted for tax season to try to steal tax documents for making fraudulent returns. More recently the malware gained cookie stealing capabilities, allowing attackers to log in as their victims without needing their passwords.

With these new spamming capabilities, the malware — which researchers are calling “TrickBooster” — sends malicious from a victim’s account then removes the sent messages from both the outbox and the sent items folders to avoid detection.

Researchers at cybersecurity firm Deep Instinct, who found the servers running the malware spamming campaign, say they have evidence that the malware has collected more than 250 million email addresses to date. Aside from the massive amounts of Gmail, Yahoo, and Hotmail accounts, the researchers say several U.S. government departments and other foreign governments — like the U.K. and Canada — had emails and credentials collected by the malware.

“Based on the organizations affected it makes a lot of sense to get as widely spread as possible and harvest as many emails as possible,” Guy Caspi, chief executive of Deep Instinct, told TechCrunch. “If I were to land on an end point in the U.S. State department, I would try to spread as much as I can and collect any address or credential possible.”

If a victim’s computer is already infected with TrickBot, it can download the certificate-signed TrickBooster component, which sends lists of the victim’s email addresses and address books back to the main server, then begins its spamming operating from the victim’s computer.

The malware uses a forged certificates to sign the component to help evade detection, said Caspi. Many of the certificates were issued in the name of legitimate businesses with no need to sign code, like heating or plumbing firms, he said.

The researchers first spotted TrickBooster on June 25 and was reported to the issuing certificate authorities a week later which revoked the certificates, making it more difficult for the malware to operate.

After identifying the command and control servers, the researchers obtained and downloaded the 250 million cache of emails. Caspi said the server was unprotected but “hard to access and communicate with” due to connectivity issues.

The researchers described TrickBooster as a “powerful addition to TrickBot’s vast arsenal of tools,” given its ability to move stealthily and evade detection by most antimalware vendors, they said.

What CISOs need to learn from WannaCry

In 2017 — for the first time in over a decade — a computer worm ran rampage across the internet, threatening to disrupt businesses, industries, governments and national infrastructure across several continents.

The WannaCry ransomware attack became the biggest threat to the internet since the Mydoom worm in 2004. On May 12, 2017, the worm infected millions of computers, encrypting their files and holding them hostage to a bitcoin payment.

Train stations, government departments, and Fortune 500 companies were hit by the surprise attack. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Earlier this week we reported a deep-dive story into the 2017 cyberattack that’s never been told before.

British security researchers — Marcus Hutchins and Jamie Hankins — registered a domain name found in WannaCry’s code in order to track the infection. It took them three hours to realize they had inadvertently stopped the attack dead in its tracks. That domain became the now-infamous “kill switch” that instantly stopped the spread of the ransomware.

As long as the kill switch remains online, no computer infected with WannaCry would have its files encrypted.

But the attack was far from over.

In the days following, the researchers were attacked from an angry botnet operator pummeling the domain with junk traffic to try to knock it offline and two of their servers were seized by police in France thinking they were contributing to the spread of the ransomware.

Worse, their exhaustion and lack of sleep threatened to derail the operation. The kill switch was later moved to Cloudflare, which has the technical and infrastructure support to keep it alive.

Hankins described it as the “most stressful thing” he’s ever experienced. “The last thing you need is the idea of the entire NHS on fire,” he told TechCrunch.

Although the kill switch is in good hands, the internet is just one domain failure away from another massive WannaCry outbreak. Just last month two Cloudflare failures threatened to bring the kill switch domain offline. Thankfully, it stayed up without a hitch.

CISOs and CSOs take note: here’s what you need to know.

UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users

The UK’s Information Commissioner is starting off the week with a GDPR bang: this morning, it announced that it has fined British Airways and its parent International Airlines Group (IAG) £183.39 million ($230 million) in connection with a data breach that took place last year that affected a whopping 500,000 customers browsing and booking tickets online. In an investigation, the ICO said that it found “that a variety of information was compromised by poor security arrangements at [BA], including log in, payment card, and travel booking details as well name and address information.”

The fine — 1.5% of BA’s total revenues for the year that ended December 31, 2018 — is the highest-ever that the ICO has levelled at a company over a data breach (previous “record holder” Facebook was fined a mere £500,000 last year by comparison).

And it is significant for another reason: it shows that data breaches can be not just just a public relations liability, destroying consumer trust in the organization, but a financial liability, too. IAG is currently seeing volatile trading in London, with shares down 1.5% at the moment.

In a statement to the market, the two leaders of IAG defended the company and said that its own investigations found that no evidence of fraudulent activity was found on accounts linked to the theft (although as you may know, data from breaches may not always be used in the place where it’s been stolen).

“We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, British Airways chairman and chief executive. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

Willie Walsh, International Airlines Group chief executive, added in his own comment that “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

The degree to which companies are going to be held accountable for these kinds of breaches is going to be a lot more transparent going forward: the ICO’s announcement is part of a new directive to disclose the details of its fines and investigations to the public.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham in a statement. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO said in a statement this morning that the fine is related to infringements of the General Data Protection Regulation (GDPR), which went into effect last year prior to the breach. More specifically, the incident involved malware on BA.com that diverted user traffic to a fraudulent site, where customer details were subsequently harvested by the malicious hackers.

BA notified the ICO of the incident in September, but the breach was believed to have first started in June. Since then, the ICO said that British Airways “has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light.” But it should be pointed out that even before this breach, there were other examples of the company treating data protection lightly. (Now, it seems BA has learned its lesson the hard way.)

From the statement issued by IAG today, it sounds like BA will choose to try to appeal the fine and overall ruling.

While there are a lot of question marks over how the UK will interface with the rest of Europe over regulatory cases such as this one after it leaves the EU, for now it’s working in concert with the bigger group.

The ICO says it has been “lead supervisory authority on behalf of other EU Member State data protection authorities” in this case, liaising with other regulators in the process. This also means that these authorities where its residents were also affected by the breach will also have a chance to provide input on the ruling before it is completely final.

Google now lets you flag deceptive sites with a new Chrome extensions

Google today launched a new Chrome extension that allows you to flag suspicious sites for inclusion in the company’s Safe Browsing index, which is used by Chrome and a number of third-party browsers.

In addition, Google is also launching a new warning in Chrome that puts up a roadblock before you visit a site that is potentially trying to trick you into giving up your credentials or download malware.

Typically, Safe Browsing automatically crawls the web and looks for suspicious sites. With this new extension, you can flag sites that the system hasn’t detected yet. The overall process is pretty simple and the extension gives you the option to include screenshots, the referrer chain that led you to the site and the DOM content of your browser. You get to choose which one of these to send and the screenshot option is off by default.

The extension also puts up a flag in your browser bar that changes color based on how legitimate it thinks a given site is. Since it turns orange for any site that isn’t a top 5,000 site, though, it’s not exactly as useful a warning as it could be.

As for the new warning in Chrome 75, Google notes that it is meant to keep you from visiting sites that are trying to trick you with deceptive URLs (think “go0gle.com” and “google.com”). Chrome will now throw up a full-screen roadblock to warn you about these sites.

“This new warning works by comparing the URL of the page you’re currently on to URLs of pages you’ve recently visited,” the team explains. “If the URL looks similar, and might cause you to be confused or deceived, we’ll show a warning that helps you get back to safety.”