Analysis | Ransomware hackers have a new worst enemy: themselves – The Washington Post

A newsletter briefing on cybersecurity news and policy.
Good morning! Scroll down to the bottom of this newsletter for a video depicting our feline overlords.
Below: U.S. regulators fine a cryptocurrency exchange over compliance issues including ransomware and dark web payments, and a judge says a former NSA employee should be detained before he goes on trial for trying to sell Russia classified documents. First:
In a string of recent incidents, members of notorious ransomware gangs have leaked sensitive information. The incidents pose a major question for hacking groups: Who can you trust if you can’t trust your colleagues?
Take the case of the ransomware gang REvil in 2019. At the time, the group had hacked hundreds of dental offices and more than a dozen local governments in Texas. But when security researchers at cybersecurity firm McAfee (now known as Trellix) wrote about a REvil-affiliated hacker discussing their earnings, the researchers got an anonymous email from an insider annoyed at the group’s management.
The insider ultimately shared information on the group’s tactics, procedures and operations, Trellix head of threat intelligence and principal engineer John Fokker wrote in a blog post last month. He said the firm shared the data with law enforcement, which was “ecstatic” and said that the information was helpful for their investigations of REvil. 
It’s not shocking that someone willing to engage in criminal hacking activity might also be willing to turn on his compatriots if it might bring some advantage. The REvil insider is far from the only hacker who has posted or shared sensitive information on their colleagues out of apparent spite or resignation.
Last year, an apparently upset affiliate of the Conti ransomware gang — which months earlier hacked Ireland’s health-care system — leaked an internal training manual given to the group’s affiliates. 
And after the group quickly supported Russia’s invasion of Ukraine, an anonymous Twitter account leaked a trove of internal chats from within the group, giving outside observers unprecedented access into the inner workings of the group.
Apparent insiders have also shared internal tools used by the Lockbit and Babuk ransomware gangs.
The leaks come amid a confluence of factors, experts say. Some of the large ransomware groups quickly made lots of money and didn’t treat their affiliates or contractors well, Recorded Future senior security architect Allan Liska told me. Ransomware groups have also made unpopular statements about geopolitical events and face pressure from U.S. and other law enforcement agencies, Liska said.
“You have all of these things happening all at once,” Liska said. “So it can be really dangerous to be a ransomware operator.”
Ransomware gangs also don’t have experienced managers, Liska said. “They’re not like senior executives or seasoned operators or things like that,” he said. “These are people in their 20s and 30s that are running them and clearly have no concept of how to manage a large organization like this. Everyone [thinks] it’s easy to be a manager. It really isn’t.”
Ransomware groups are also vulnerable to infiltration, Emsisoft threat analyst Brett Callow said. “I’d be surprised if law enforcement hadn’t infiltrated a number of groups,” he said. “I’d be equally surprised if cybersecurity researchers hadn’t.”
Ransomware hackers can also give away key information without knowing it. This year, prosecutors announced charges against Venezuela-based cardiologist Moises Luis Zagala Gonzalez for allegedly distributing ransomware tools. Prosecutors were able to confirm that he was a previously anonymous cybercriminal after discovering that the email accounts and payment services he used were linked to his real-life contact information.
In another case, researchers found an Iranian ransomware hacker’s name listed as the creator of a ransom note.
Some ransomware operators think that they’re untouchable and don’t have to take precautions to keep themselves completely anonymous, Liska said.
“Maybe there is something we can do in terms of arrests or things like that, but absolutely they can be exposed,” Liska said. “And I think that does have some value to it.”
Virtual cryptocurrency exchange Bittrex will pay around $29 million to settle allegations that it broke U.S. money laundering and sanctions laws, CyberScoop’s Tonya Riley reports. U.S. officials said the enforcement actions against the exchange, which is based in Bellevue, Wash., are a warning to cryptocurrency firms that don’t have strong compliance programs.
“An investigation by Treasury’s Office of Foreign Assets Control and Financial Crimes Enforcement Network, or FinCEN, found that Bittrex repeatedly failed to identify thousands of prohibited transactions, including direct transactions with dark web marketplaces such as AlphaBay, Agora and Silk Road,” Tonya writes. “The company also failed to detect and investigate transactions connected to ransomware attacks against individuals and small businesses in the U.S.”
Magistrate Judge S. Kato Crews said Jareh Dalke is a flight risk because of the charges he’s facing and his apparent sympathies for Russia, the Associated Press’s Colleen Slevin reports. Dalke, a former National Security Agency information systems security designer, has been charged with six counts of trying to send classified defense documents to Russia. The person he was actually communicating with, though, was an undercover FBI agent.
Prosecutors say they don’t know if Dalke, who pleaded not guilty, took or memorized additional documents. They also argued that he’d be motivated to sell more secret documents if he were released.
The Oct. 19 workshop comes ahead of the expected launch of the program next spring, CyberScoop’s Suzanne Smalley reports. The White House released a brief description of the program in a Tuesday fact sheet.
“The White House hopes the program will reward companies that invest in cybersecurity while also helping consumers find safer products,” Smalley writes. It’s using the Environmental Protection Agency and Department of Energy’s Energy Star program as a model, a senior administration official told CyberScoop. The official told the outlet that the ratings could be based on the frequency of updates for software vulnerabilities or whether devices require passwords before connecting to the internet. 
Tour Amazon’s dream home, where every appliance is also a spy (Geoffrey A. Fowler)
Hacks in Australia spur call for review of data retention laws (Bloomberg News)
Young people using TikTok is no problem, GCHQ chief says (The Guardian)
Greek spyware inquiry ends in stalemate (Politico Europe)
Solana-based decentralized finance platform Mango hit by potential $100 million exploit (CoinDesk)
this cat is gonna take my job https://t.co/8UsnTiImzQ
Thanks for reading. See you tomorrow.
