Security week 9

Stay safe. We bring you our regular weekly overview of security news.

US Authorities have recovered most of the ransom paid after the attack on Colonial Pipeline

This is the first case of seizure of funds paid during a ransomware attack. The US Department of Justice managed to recover 63.7 Bitcoins out of a total of 75, which were paid as ransom in the attack on the Colonial Pipeline facility, which operates a pipeline to the east coast of the US. FBI investigators monitored transfers of funds across multiple Bitcoin addresses until they gained access to one account’s private key, which acts as a password for that account. It is not clear how the FBI managed to obtain the private key, which enabled them to recover a significant part of the funds. The US is serious about fighting cybercrime, and the Department has recently launched a Task Force aimed at ransomware and digital extortion activity.

Operation Ironside

The FBI, Europol and the Australian Federal Police (AFP), in collaboration with law enforcement agencies from several countries, have used modern technology to reach a large number of criminals. An application was built that pretended to offer end-to-end encrypted communication and gradually spread among criminal groups. The operation resulted in the arrest of over 800 suspects, the search of 700 homes and the seizure of 8 tons of cocaine. You can watch a short video from AFP or a Europol press conference about the whole operation.

Nobelium’s new attack on Microsoft

The Russian state-sponsored Nobelium group (APT 29) has obtained some customers’ subscription information. The Nobelium group is believed to be responsible for the attack on the SolarWinds supply chain. Using a combination of brute-force and so-called “password spray” attacks, they managed to gain access to one of the corporate computers, which contained basic information about a small number of customers.

ATMs hackable by waving a phone

A vulnerability in the NFC (contactless) reader, combined with other vulnerabilities in the software, allows ATMs and point-of-sale terminals to be hacked. Researcher Josep Rodriguez of IOActive has built an Android application that mimics wireless credit card communication. With it he was able to collect credit card data, crash the system, change the value of a transaction without being noticed, or even display a ransomware message. Combined with other flaws, he was able to force an ATM to dispense cash.

A member of the FIN7 hacking group has been sentenced

A “high-level” member of the FIN7 group, Andrii Kolpakov, has been sentenced to a seven-year prison term and a $2.5 million fine. The group used phishing emails in combination with malware (the Carbanak malware). The US Department of Justice estimates the damage caused in the US alone at more than $1 billion.

Ransomware attack on eye clinic chain affects 500,000

Wolfe Eye Clinic, which operates diagnostic and surgical centers in 40 Iowa communities, has become the target of a ransomware attack. In collaboration with a company specializing in IT and digital forensic analysis, they found out that data on 500,000 clients could have been compromised. The data includes information on names, email addresses, Social Security numbers, and, possibly, medical records.

The American city of Tulsa has been the victim of a ransomware attack

Tulsa, a city of nearly half a million people, has fallen victim to the Conti ransomware gang. More than 18,000 city files (some containing personal data) – mostly police citations and internal department files – were shared on the dark web. Several online services and websites have been disconnected and are in the process of being restored. Residents were told to prepare for weeks, if not months, of city websites being down, and were advised to monitor all their financial accounts and credit reports.

Critical software – Definition and explanatory materials

The National Institute of Standards and Technology (NIST) has published definitions, supporting materials, and examples of critical software.