Daily Brief

2024-03-15 16:07:53 bleepingcomputer CYBERCRIME Moldovan Cybercriminal Sentenced to 42 Months for Operating Hacked Account Marketplace
Sandu Boris Diaconu, a Moldovan national, was sentenced to 42 months in prison for running E-Root, a marketplace for hacked computer access. After serving his sentence, Diaconu will be under supervised release for three additional years. Diaconu pleaded guilty to conspiracy to commit access device and computer fraud, and to possessing unauthorized access devices. Arrested in the UK in May 2021, Diaconu was extradited to the US in October 2023 on various fraud charges. The DOJ reported that E-Root listed over 350,000 credentials for sale, affecting multiple industries and victims worldwide. The credentials sold were used for ransomware attacks, fraudulent wire transfers, and tax fraud. E-Root used the encrypted payment system Perfect Money to conceal transactions and also offered illicit cryptocurrency exchange services. The marketplace presented itself as a legitimate e-commerce site with customer service but facilitated criminal activity through the sale of RDP and SSH access to compromised servers.
2024-03-15 15:27:02 bleepingcomputer CYBERCRIME Former Telecom Manager Pleads Guilty to Insider-Assisted SIM Swaps
A former New Jersey telecom manager admitted to conducting unauthorized SIM swaps, pleading guilty to conspiracy charges. His insider access let cybercriminals hijack customer phone numbers and bypass SMS-based two-factor authentication. Jonathan Katz, the former manager, abused his position to override security measures for $1,000 per illicit SIM swap. Five victims across multiple states suffered account takeovers affecting their email, social media, and cryptocurrency wallets. The telecom's preventive measures against arbitrary number porting were circumvented using Katz's privileged access at the store. Katz received Bitcoin payments for the swaps, plus a cut of the profits obtained from the victims' accounts. The charge carries a maximum of five years' imprisonment and a fine of $250,000 or double the financial gain or loss. Sentencing for Jonathan Katz is scheduled for July 16, 2024.
2024-03-15 13:54:58 bleepingcomputer MALWARE StopCrypt Ransomware Adopts New Evasion Techniques
StopCrypt ransomware, also known as STOP Djvu, has evolved with a new multi-stage process that uses shellcode, making it harder for security tools to detect. Unlike major ransomware gangs targeting big companies, STOP focuses on consumers, seeking smaller ransoms ranging from $400 to $1,000 through widespread distribution. The malware is predominantly spread through malvertising and dubious websites offering adware bundles, which also install password-stealing trojans alongside the ransomware. The latest variant involves a complex execution mechanism, beginning with loading a deceptive DLL and running time-delaying loops to evade time-based security defenses. StopCrypt employs dynamic API calls and process hollowing to discreetly execute its payload in memory without being noticed. It ensures persistence by modifying ACLs, denying users the ability to remove key malware files, and creates a scheduled task to perpetuate the attack. Encrypted files are appended with the ".msjd" extension, one of hundreds of STOP ransomware extensions, and a ransom note named "_readme.txt" is generated within affected directories.
2024-03-15 11:37:24 theregister DATA BREACH Regulatory Reprimand After Metropolitan Police Data Exposure
The London Mayor's Office for Policing and Crime (MOPAC) was found to have exposed sensitive data from complaints against the Metropolitan Police Service due to a webform error. The Information Commissioner’s Office (ICO) deemed the incident "completely avoidable," affecting roughly 400 people who had submitted highly personal information. The breach occurred when an employee mistakenly gave public access to complaint forms that should have been restricted to four colleagues. MOPAC has contacted the affected individuals and taken "remedial steps" such as increased awareness and training to prevent future incidents. The ICO has issued further recommendations to MOPAC surrounding information governance and UK GDPR compliance. MOPAC has expressed regret for the breach and has improved training and data security monitoring in response to the ICO's findings. The exposure of such sensitive information risks undermining public confidence in the criminal justice system, though there is no evidence the data was accessed by unauthorized parties.
2024-03-15 11:37:24 thehackernews CYBERCRIME ChatGPT Third-Party Plugin Flaws May Allow Account Takeovers
Cybersecurity researchers have identified vulnerabilities in third-party ChatGPT plugins that could facilitate unauthorized access to user data. Salt Labs highlighted flaws within the ChatGPT plugin ecosystem and OpenAI's ChatGPT that enable the installation of malicious plugins and the hijacking of accounts on third-party sites such as GitHub. OpenAI is set to discontinue the installation of new plugins and the creation of new conversations with existing plugins after March 19, 2024. The discovered flaw in the OAuth workflow permits attackers to trick users into installing arbitrary plugins, potentially leading to data interception and exfiltration. Salt Labs also found zero-click account takeover vulnerabilities in PluginLab, providing an attack vector to control an organization's GitHub account. No evidence currently indicates that user data has been compromised through these vulnerabilities. Separately, security researchers have detailed a novel side-channel attack that exploits token length to extract sensitive information from encrypted AI assistant communications. The research underscores the complex balance required between security, usability, and performance in the development of AI applications.
2024-03-15 07:53:16 thehackernews MISCELLANEOUS Google Strengthens Chrome's Safe Browsing with Real-Time Protection
Google announces enhanced Safe Browsing for Chrome, offering real-time URL checks to prevent users from visiting malicious sites. The new protection mode on Chrome desktop and iOS will compare sites against Google's updated list of known unsafe sites in real time, aiming to block 25% more phishing attempts. Previously, Chrome relied on a locally stored list of unsafe sites, updated every 30-60 minutes; now it will use a more dynamic, server-side check without disclosing users' browsing history. Phishing domains often have short lifespans, with 60% existing for less than 10 minutes, necessitating more agile and frequent updates to URL blacklists. To perform checks, Chrome will send truncated, encrypted URL hashes to a privacy server that anonymizes user data before querying Google's Safe Browsing server. The privacy server, an Oblivious HTTP (OHTTP) relay, prevents any single party from seeing both the user's IP address and the URL hash prefixes, preserving user privacy. Google has confirmed that the privacy server's role is to prevent the Safe Browsing server from accessing users' IP addresses and associating URL checks with individual browsing histories.
2024-03-15 06:21:44 thehackernews MALWARE Malicious Fake Software Ads Infect Chinese Users with Geacon Trojan
Chinese internet users searching for Notepad++ and VNote are being targeted by trojanized versions of these applications, distributed through misleading ads on search engines like Baidu. The fake sites serving the infected software resemble legitimate product pages but include inconsistencies in website addresses and mismatched download offers. The Windows installer link on the fake Notepad++ site points to an official repository, while the Linux and macOS downloads lead to packages hosted on a suspicious server. The altered installers are designed to download an advanced backdoor similar to Geacon, capable of carrying out multiple malicious activities, including file operations and establishing SSH connections. HTTPS is used for communication between the infected systems and the command-and-control servers, allowing discreet data transmission. The malvertising campaign spreading these malicious installers is linked to other cyber threats in which software masquerading as popular productivity tools was used to deliver malware.
2024-03-14 23:40:31 theregister NATION STATE ACTIVITY Senator Highlights National Security Risks in Chinese Safe Locks
US Senator Ron Wyden expresses concern over Chinese-manufactured electronic safe locks being a national security risk. Wyden's letter to the National Counterintelligence and Security Center (NCSC) raises alarms about potential espionage via backdoor codes in safe locks used by American businesses. Government agencies can access manufacturer reset codes, which could also be exploited by foreign adversaries to steal intellectual property. The Department of Defense is aware of the threat posed by these reset codes but has not informed the public to prevent the disclosure of this vulnerability. Wyden accuses federal agencies of silently protecting their interests while leaving American businesses vulnerable to foreign espionage. The senator urges the NCSC to educate businesses on using locks that meet US government security standards, which presumably do not include such backdoors. SECURAM Systems, a major seller of these electronic safe locks in the US, is obliged to obey Chinese law, including potential surveillance cooperation with the Chinese government.
2024-03-14 21:02:35 bleepingcomputer MALWARE StopCrypt Ransomware Evolves with Stealthier Multi-Stage Attack
A new advanced StopCrypt ransomware variant uses a multi-stage process and shellcode to avoid detection. Unlike major ransomware targeting businesses, STOP prefers numerous lower-value consumer ransoms, largely distributed through shady websites. Distribution methods include malvertising and packaging with seemingly free adware bundles that also install other malware such as password stealers. This new version begins by loading a benign-looking file and running delay loops, then proceeds to a sophisticated process hollowing technique for stealth. The ransomware achieves persistence, alters ACLs to prevent file deletion, and encrypts files, appending ".msjd" or other extensions and demanding a ransom payment. Although STOP ransomware focuses on consumer targets without data theft, its evolution into a difficult-to-detect strain risks widespread damage to individuals.
2024-03-14 20:26:50 theregister CYBERCRIME FTC Exposes Antivirus Scam, Secures $26 Million Settlement
Restoro and Reimage, two Cyprus-based tech support businesses, settled with the FTC for $26 million after being accused of running a Windows antivirus scam. The FTC claimed these firms strong-armed consumers into paying for unnecessary cleanup services and software by using scare tactics. The FTC's undercover agents purchased services from the companies, revealing that the firms falsely claimed the agents' PCs needed extensive additional repairs. The scam particularly targeted older individuals, luring them into free performance checks that led to fabricated issues and high fees for remote services. The FTC charges included deceptive representation under the FTC Act and deceptive calls under the Telemarketing Sales Rule. Although Restoro and Reimage have not admitted to any wrongdoing, they have ceased new transactions and renewals, according to a supposed FAQ on their websites, which are currently not accessible. The FTC's undercover investigation involved purchasing and testing the suspect services, verifying the allegations of fraud firsthand.
2024-03-14 18:55:02 bleepingcomputer CYBERCRIME SIM Swappers Exploit eSIM Technology to Hijack Phone Numbers
SIM swappers are now targeting eSIMs to port victims' phone numbers to devices under their control. eSIMs (Embedded Subscriber Identity Modules) are digital, can be reprogrammed remotely, and are becoming prevalent in modern smartphones and wearables. Cybersecurity firm F.A.C.C.T. observed over a hundred attempts at one financial organization to gain access to personal accounts through eSIM hijacking. Attackers gain control of a user's service provider account, generate a QR code for a new eSIM, and scan it to transfer the victim's phone number to their device. Once attackers hijack the phone number, they can receive access codes and two-factor authentication tokens, allowing them to access bank accounts and other secure services. Cybercriminals also exploit the hijacked number for scams in messenger apps by impersonating the victim. Traditional SIM swapping involved social engineering or insider assistance but is now shifting towards exploiting newer technologies like eSIMs. Experts recommend strong, unique passwords and two-factor authentication for service provider accounts, and suggest using physical keys or authenticator apps for critical accounts.
2024-03-14 18:29:14 theregister CYBERCRIME LockBit Ransomware Administrator Sentenced to Four Years
Mikhail Vasiliev, a Canadian-Russian dual national and key figure within the LockBit ransomware group, has been sentenced to nearly four years in prison by a Canadian court. Vasiliev has been ordered to pay restitution exceeding CA$860,000 to some victims and faces extradition to the United States for additional charges. He pleaded guilty to cyber-extortion, mischief, and weapons charges related to attacks on Canadian businesses. The LockBit ransomware group has extorted over $120 million since 2020, targeting over 2,000 victims. Despite takedowns of LockBit's infrastructure earlier this year, the group remains active, with new victim listings appearing shortly after the law enforcement actions. Few LockBit members have been apprehended; Vasiliev is one of just three individuals named, with only one other arrested. Law enforcement found evidence at Vasiliev's home linking him to LockBit's operations, including a target list and communications with the group's leader. Vasiliev's transition to cybercrime was purportedly influenced by the isolation during the pandemic, according to his defense lawyer.
2024-03-14 18:13:47 bleepingcomputer CYBERCRIME Cybercriminals Exploit eSIMs to Hijack Phone Numbers and Access Accounts
Hackers have updated their techniques to execute SIM swap attacks using eSIM technology. eSIMs are digital SIM cards embedded in mobile devices, offering the same functionalities as traditional SIMs but with the ability to be reprogrammed remotely. Cybersecurity firm F.A.C.C.T. reports numerous attempts by fraudsters to take over online service accounts, particularly targeting a financial organization. Attackers gain control of a user's service provider account to port the victim's phone number to a device with an eSIM, thereafter gaining access to the victim's calls and messages. Once in possession of the phone number, criminals can intercept access codes and two-factor authentication tokens, compromising bank accounts and other sensitive services. Fraudsters can also access and manipulate the victim's messaging accounts, further spreading scams and requesting money from contacts. Security experts advise using complex passwords, enabling two-factor authentication for provider accounts, and considering additional protective measures like physical security keys for critical accounts like e-banking and crypto wallets.
2024-03-14 18:03:22 theregister CYBERCRIME Google Boosts Chrome's Safe Browsing with Enhanced Privacy
Google has upgraded its Safe Browsing service, providing real-time online threat protection while maintaining user privacy. The enhanced service prevents Chrome users from leaking browsing history to Google, addressing privacy concerns. Standard Safe Browsing now offers more comprehensive, real-time data checks, similar to the previously more private Enhanced version. The system uses hash-based checks and the Oblivious HTTP (OHTTP) protocol to anonymously verify site safety without revealing user identity. Fastly's privacy servers strip identifiable information before forwarding data to Google's Safe Browsing server. This update is significant because of the increasing number of unsafe sites that appear and disappear within minutes, outpacing static lists. The Password Checkup feature on iOS will also warn about weak and reused passwords, further enhancing user security.
2024-03-14 16:41:45 bleepingcomputer MISCELLANEOUS Restoro and Reimage Settle for $26M Over Deceptive Practices
Tech support companies Restoro and Reimage agree to pay $26 million to settle FTC charges of deceptive marketing and scare tactics. The two firms misled customers with false computer threat alerts to sell unnecessary repair services, particularly exploiting older consumers. The Federal Trade Commission (FTC) found that online ads and pop-ups from these companies fraudulently impersonated Microsoft system warnings. FTC investigations revealed that the companies' diagnostic software reported non-existent issues, prompting unnecessary purchases of repair plans. After the software claimed serious computer issues, telemarketers would gain remote access to consumers' computers and upsell more expensive repair plans. The proposed FTC order, awaiting court approval, prohibits the companies from continuing their deceptive marketing and scare tactics. The FTC's recent actions also include banning Avast from selling browsing data and imposing restrictions on other companies for misleading practices.