Cyber Incident Response & Investigation

January 12, 2021 — German prosecutors in the cities of Koblenz and Oldenburg said on Tuesday that they had shut down what was “probably the largest illegal marketplace on the Darknet” called DarkMarket and arrested the man believed to operate it near Germany’s border with Denmark. 

The detained man, believed to be DarkMarket’s operator, is a 34-year-old Australian national. Source: DW

What We Have Learned So Far about the "Sunburst"/Solarwinds Hack

Image: Fortinet

December 21, 2020 — Recently, it was reported that a nation-state threat-actor managed to infiltrate a large number of organizations—including multiple US government agencies. They did this by distributing backdoor software, dubbed SunBurst, by compromising SolarWind’s Orion IT monitoring and management software update system. Based on SolarWind’s data, 33,000 organizations use Orion’s software, and 18,000 were directly impacted by this malicious update. As more and more details have become available, it has become clear that this is one of the most evasive and significant cyberattacks to date. Source: Fortinet

December 18, 2020 — We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and product detections and protections we have built in as a result.

While the full extent of the compromise is still being investigated by the security industry as a whole, in this blog we are sharing insights into the compromised SolarWinds Orion Platform DLL that led to this sophisticated attack. Source: Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) 

Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers

December 10, 2020 – A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages. The threat affects multiple browsers—Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox—exposing the attackers’ intent to reach as many Internet users as possible. Source: Microsoft

12 Elements of a Cyber Attack Response Plan

December 8, 2020 – Every organization and department must take responsibility for its own security requirements, including planning for cyber incident response and recovery. From an accounting and finance perspective, outlining key considerations for acting upon cyberattacks – and doing so with speed and finesse – will better position finance teams to mitigate risks more quickly should an incident occur. Source: CPA Practice Advisor

October 29, 2020 — In mid-October, a variety of detection analytics alerted the Red Canary CIRT to execution, reconnaissance, and lateral movement activity on the network of a medical center. Within minutes, we observed Cobalt Strike and other malicious tools that all pointed toward a troubling conclusion: the hospital was probably a few hours away from a full-blown Ryuk ransomware outbreak. Thanks in no small part to our incident response partners at Kroll, whose Responder team rapidly engaged and began active containment steps as we detected threats, that didn’t happen. Source: Red Canary

Image: DFIR Report

October 8, 2020 — The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerShell, PowerView, and Rubeus to accomplish their objective.

Ryuk has been one of the most proficient ransomware gangs in the past few years, with the FBI claiming $61 million USD having been paid to the group as of February 2020. Earlier in the year, the group grew a little quiet, but that seems to have changed in the past few weeks, with incidents like what occurred at UHS hospitals. Source: The DFIR Report

October 5, 2020 — Visa Payment Fraud Disruption (PFD) analysed malware samples recovered from the independent compromises of two North American merchants. In these incidents, criminals targeted the merchants’ point-of-sale (POS) terminals in an effort to harvest and exfiltrate payment card data. 

According to a security alert published in September 2020, the attacks took place in May and June 2020, respectively. Source: Visa Security Alert

October 2, 2020 — Facebook has detailed how a sophisticated campaign based out of China was able to hijack accounts and buy ads using the credit card details users had on file. The ads hawked everything from diet pills to counterfeit handbags and drained $4 million from victims’ wallets before Facebook caught up to the shenanigans. The company reimbursed users who were affected but didn’t confirm whether or not they were made whole. Source: INPUT

Romania: September 30, 2020 — A joint operation between Estonia, Lithuania and Romania, supported by Europol and Eurojust, led to the dismantling of an organised crime group involved in fraud, phishing and money laundering.

On the action day, officers from the Romanian Police (Poliția Română) searched four houses and arrested three individuals. Further investigations into the scale of the activity are still ongoing. Source: ESPC

AUTHOR: Charlie Maclean Bristol, Training Director, FBCI, FEPS

September 25, 2020 —  Charlie looks at the recent cyber incident involving New Zealand’s Stock Exchange, and marks their response out of 100. Source: BC Training

Poland: September 24, 2020 — Today, the Polish authorities are announcing the arrest of 4 suspected hackers as part of a coordinated strike against cybercrime. Those arrested are believed to be among the most active cybercriminals in the country.  Source: Europol 

Germany: September 18, 2020 — German authorities are investigating the death of a woman in the wake of a failed ransomware attack on a Düsseldorf hospital that disrupted its IT systems and forced the closure of its accident and emergency department. The unnamed patient died in transit to a nearby facility in Wuppertal. Source: Computer Weekly 

September 4, 2020 — A recently unsealed criminal complaint details how a Russian hacker tried to recruit a Russian-speaking Tesla employee for $1 million. The 27-year-old hacker named Egor Igorevich Kriuchkov met his former associate, currently working at Tesla, at a bar in Reno. The two enjoyed several drinks before Kriuchkov made a proposition for the Tesla employee to join his “group” specializing in “special projects.” The hacker offered the Tesla employee $1 million dollars to install malware for executing a ransomware attack against the company. Elon Musk acknowledged the plot, and the FBI apprehended the Russian as he attempted to flee the country. Source: CPO Magazine

Aug 11, 2020 – SANS disclosed a security breach which was the result of a successful phishing campaign. As described in the disclosure found at https://www.sans.org/dataincident2020, the phishing email enticed a single user to install a malicious Office 365 add-in for their account. Source: SANS

Software writer Valerian Chiochiu has pleaded guilty to RICO conspiracy for helping Infraud Organization develop and use FastPOS malware that helped the group steal massive amounts of data. Infraud is now believed to have stolen enough identities, payment cards and other sensitive data to produce $568 million in losses. Source: Engadget

Kuala Lumpur: July 23, 2020 – If you’ve recently been getting paid SMS promos that you didn’t sign up for sent to your phone, this may be the reason why. The Star reports that staff from a few telecommunications companies are now under investigation for allegedly taking bribes to reveal customers’ private data. Source: Lowyat.net

Sourced from BERNAMA

Kuala Lumpur: July 16, 2020 – Police have crippled an online investment scam known as i-Rakyat Trade with the arrest of 10 individuals who preyed on Malaysians during the Movement Control Order (MCO). Source: BERNAMA

Aurangabad: July 14, 2020 – A city-based trader, who lost Rs 10,000 in a telephishing scam on Sunday, got his money back within three hours due to the timely action taken by city’s cybercrime police. Source: Times of India

Within the framework of the Memorandum of Understanding signed by UNODC and the El Salvador National Police for the establishment of the Cybercrime Unit in the Division of Investigation, a number of a series of training activities have been developed to strengthen the capacities of criminal justice professionals in the prevention and fight against cybercrime in El Salvador. Source: UNODC