Weekly Cyber Risk Roundup: Instagram Bug May Affect Millions and FDA Recalls Vulnerable Pacemakers

Instagram was among the week’s top trending cybercrime targets due to both the company confirming a bug that may have leaked some users’ personal information and a malicious actor claiming that he is selling the personal data of six million Instagram users.

[Chart omitted: 2017-09-01_ITT]

On August 28, Instagram’s most popular user, Selena Gomez, had her account hacked and used to spread nude photographs from 2015 of her ex-boyfriend Justin Bieber. Two days later, Instagram warned that a bug in the Instagram API had been used to steal some high-profile users’ personal information — which may have contributed to the Gomez account takeover.

“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” the company said. “At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue.”

However, that same day a malicious actor claiming to have scraped the personal data of six million Instagram users contacted Ars Technica and told the outlet that he or she was selling the data in a searchable website for $10 per query. The actor claimed to have learned of the vulnerability used to scrape the data in an IRC discussion — suggesting that the bug confirmed by Instagram may have a wider scope of impact than initially thought. An Instagram representative said company officials are aware of the claim and are investigating it. Researchers said the 10,000-record sample provided by the actor appears to be legitimate. Until Instagram clarifies the extent of the bug and the subsequent breach of personal information, Instagram users should assume that their associated email addresses and phone numbers may be in the hands of malicious actors.

[Chart omitted: 2017-09-01_ITTGroups]

Other trending cybercrime events from the week include:

  • Numerous ransomware announcements: NHS Lanarkshire hospitals were disrupted by a Bitpaymer ransomware infection that resulted in the staff bank and telephone systems going offline, as well as the rescheduling of appointments. An employee of the German state parliament of Saxony-Anhalt opened a malicious attachment in a spear phishing email, leading to a ransomware infection that media said “crippled” the state parliament’s network. Dorchester School District 2 in South Carolina announced it paid $2,900 via its insurance coverage after 25 of the 65 servers for the district’s computer network were infected with ransomware. Medical Oncology Hematology Consultants, PA in Delaware said that a ransomware infection affected 19,203 patients. The Indiana accounting firm Whitinger & Company notified clients of a data breach and ransomware attack.
  • Insiders lead to lawsuits, data breaches: Allstate Insurance has filed a lawsuit against Ameriprise Financial accusing the company of attempting to steal confidential information by encouraging Allstate agents to create contact lists and download client data to use in soliciting clients once they quit and get hired at Ameriprise. Tewksbury Hospital in Massachusetts discovered unauthorized employee access to patients’ medical records that dated back to 2003 and is attempting to notify affected individuals that their information was compromised.
  • Organizations expose data: Researchers discovered an insecure backup device belonging to the London-based Bell Lomax Agency that exposed thousands of documents related to the company and its literary clients. MacKeeper researchers said anyone could access the documents, which included the Agency’s Quickbooks accounting files, archive email boxes, financial data, expenses, administrative details, royalties, and client details for 2014-2015. Major League Lacrosse is notifying all players that their information was accidentally available online due to a link on its website that pointed to a spreadsheet containing data on every player in the league.
  • Other notable incidents: There have been multiple attacks against South Korean cryptocurrency exchanges, financial technology companies, and startups that use blockchain technology. CeX is notifying two million registered website customers that their information may have been accessed by an unauthorized third party. MacEwan University said that it was the victim of an $11.8 million wire transfer fraud after a series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. Swedish web hosting company Loopia said that hackers accessed parts of its customer database, including customer contact information and encrypted passwords. Zazzle is warning customers that their accounts may have been compromised due to brute-force attacks and is prompting customers to choose new passwords. Oklahoma City’s Tower Hotel is the latest in a growing number of hotels to announce being impacted by the breach of the Sabre Hospitality Solutions SynXis Central Reservations system. The hacking group OurMine used a domain spoofing attack to redirect visitors to the WikiLeaks website to a page created by the group.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart omitted: 2017-09-01_ITTNew]

Cyber Risk Trends From the Past Week

[Chart omitted: 2017-09-01_RiskScores]

The FDA has approved a firmware update for certain Abbott (formerly St. Jude Medical) pacemakers to address cybersecurity vulnerabilities — essentially ordering a recall to correct the issues present in 465,000 implanted RF-enabled cardiac pacemakers.

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA wrote in a safety communication. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

The firmware update follows a series of high-profile news stories regarding St. Jude dating back to 2016 when the healthcare cybersecurity company MedSec teamed up with the short selling firm Muddy Waters to disclose — and ultimately profit from — several remotely executable flaws in St. Jude pacemakers and defibrillators. A lawsuit, government alerts, and a January 2017 patch that many claimed fell short followed (the timeline is summarized well in this article from CSO Online).

The firmware update requires an in-person patient visit with a health care provider and takes approximately 3 minutes to complete. After installing the update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The FDA asks affected patients to consult with their physicians about any risks associated with receiving the firmware update, which has “a very low risk of an update malfunction.”

In 2016, the FDA issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.

Weekly Cyber Risk Roundup: Another Ethereum Heist and FBI Warns Against Kaspersky Lab

Cryptocurrency theft was the week’s top trending cybercrime story as malicious actors were able to capitalize yet again on an upcoming Ethereum initial coin offering (ICO) to steal approximately $500,000 worth of Ether — this time from investors in the cryptocurrency platform Enigma.

[Chart omitted: 2017-08-25_ITT]

Enigma said that malicious actors managed to compromise the enigma.co domain, its Slack channel, and certain email lists. The actors then posted messages via the compromised channels claiming that the platform was offering a “pre-sale” of tokens ahead of next month’s official ICO.

Enigma CEO Guy Zyskind said the attack “joins a long list of other similar attacks plaguing the crypto-community.” For example, just last month there were three different multi-million dollar Ethereum heists: $34 million was stolen due to a bug in the code of the Parity Ethereum client and $10 million and $8.4 million were stolen during the ICOs of Coindash and Veritaseum.

“We want to make sure that no one in our community that was a victim to this well-coordinated phishing attack is financially hurt,” Zyskind said in a blog post. “We will restore funds to everyone that lost money in this recent scam attempt after our token sale concludes.”

With four large Ethereum thefts over just the past month, it is clear that malicious actors have found a new — and relatively simple — way to capitalize on the excitement of Ethereum investors. Similar attacks will likely occur in the future as malicious actors play copycat and attempt to capitalize on other ICOs for a quick payday.

[Chart omitted: 2017-08-25_ITTGroups]

Other trending cybercrime events from the week include:

  • Hacktivist and political leaks: Web hosting provider DreamHost had its services disrupted by a DDoS attack on Wednesday. It’s unclear who orchestrated the attack, but DreamHost was recently involved in several politically-charged news stories. The Anonymous-affiliated group AnonOps leaked the private cell phone numbers and email addresses of 22 Republican congressmen in an effort to get individuals to urge their members of Congress to condemn President Trump’s recent statements surrounding Charlottesville and push for his impeachment. The hacking group known as “Fancy Bear” released information related to doping in FIFA, including email exchanges between FIFA and representatives of anti-doping agencies, files showing the number of players using illegal substances, and therapeutic use exemption data, which gives athletes medical permission to take banned substances.
  • Healthcare-related breaches: A hacker claiming to represent Anonymous said he gained access to a database of NHS patient data managed by SwiftQueue and downloaded over 11 million records, but SwiftQueue said that its database only contains records for 1.2 million individuals and that its initial investigation suggests only 32,501 “lines of administrative data” have been accessed. MJHS Home Care is notifying patients that an employee email account was compromised due to a phishing incident and that patient information may have been exposed. The Institute for Women’s Health in Texas is notifying patients of the discovery of a keylogger on its network. Salina Family Healthcare Center is notifying patients that their personal information may have been compromised due to a June 18 ransomware infection. St. Mark’s Surgical Center is notifying patients of an April 13 ransomware infection that may have compromised their personal information.
  • Carbon Black says bug affected 10 customers: Cybersecurity company Carbon Black said that 10 of its customers were potentially impacted by a corner-case bug that may have resulted in some miscategorized files being uploaded to a third-party, cloud-based scanner. The bug was introduced in Cb Response sensor versions 5.2.7+ and 6.0.4+ from April 2017 or later, the company said, and required a series of other conditions in order to be triggered.
  • Other notable incidents: A database that appears to be associated with the online group hotel room booking service Groupize was found exposed on the Internet. The researchers who discovered the exposed database said it contained many hotel documents, including service agreements, earnings, and details about commissions, which allowed them to see “exactly how the discount hotel business model works in detail.” The City of Oceanside, California, has suspended its online utility bill payment system over concerns that the system may have been breached after multiple users reported that they received unauthorized charges on their payment cards. The hacking group OurMine hijacked the Twitter and Facebook accounts of Sony’s PlayStation Network (PSN) and claims to have a stolen PSN database; however, media outlets reported that there does not appear to be any evidence as of yet supporting the claims of a breached PSN database.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart omitted: 2017-08-25_ITTNew]

Cyber Risk Trends From the Past Week

[Chart omitted: 2017-08-25_RiskScores]

In July, the U.S. government removed the Russia-based Kaspersky Lab from two lists of approved government vendors, and recently it was revealed that the FBI has been warning private organizations to stop using Kaspersky products as well.

The FBI has been briefing private companies on the threat since the beginning of the year, citing intelligence that claims to show the company is an unacceptable threat to national security, officials told CyberScoop. The FBI has prioritized briefing organizations in the energy sector and those that use ICS and SCADA systems, as well as large tech companies.

The officials claim that Kaspersky has deep and active relationships with Russian intelligence and have highlighted multiple specific accusations of wrongdoing, sources told CyberScoop.

Kaspersky denied the allegations, with a representative saying that the company is “caught in the middle of a geopolitical fight” and “has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts.”

CyberScoop reported that organizations using ICS and SCADA systems have been relatively cooperative and that some have already moved forward and signed deals with Kaspersky competitors. However, those in the tech space don’t have the same sense of urgency and have been less receptive to the FBI’s recommendations.

In addition, Reuters reported that a defense spending policy bill from the Senate Armed Services Committee was recently amended to prohibit the U.S. Defense Department from using Kaspersky software platforms because the company “might be vulnerable to Russian government influence.”

Weekly Cyber Risk Roundup: Charlottesville Sparks Hacktivism and Controversy

The politics surrounding the “Unite the Right” rally and its counter-protests in Charlottesville spilled over into the cyber world this week as hacktivists took action against websites and a debate emerged around the ethics of hosting white nationalist websites as well as doxing individuals who attended the rally.

[Chart omitted: 2017-08-18_ITT]

Under the hashtag #OpDomesticTerrorism, hacktivists have urged DDoS attacks against white nationalist websites and posted leaks of some of those websites’ alleged members. In addition, the hacking group known as “New World Hackers” said it carried out a DDoS attack against the Charlottesville city website to “deliver our own version of justice to the KKK and government.”

Other individuals began to search through the many images of the “Unite the Right” rally in order to publicly identify those who attended the event. The man behind the Twitter account “Yes, You’re Racist” called on users to help identify the “nazis marching in #Charlottesville” so he could “make them famous.” However, not all the doxing attempts were accurate. For example, an assistant professor at the University of Arkansas was wrongly identified and said he eventually had to call the police due to numerous threats being made against him and his wife as well as their home addresses being posted online. The man behind the Twitter account said he’s received death threats over the doxing as well.

Technology companies were also brought into the debate. GoDaddy, Google, Cloudflare, Zoho, Sendgrid, and Discord all cut services to the Neo-Nazi website The Daily Stormer, USA Today reported. However, those actions led to a rebuke from the Electronic Frontier Foundation for private companies “decid[ing] who gets to speak and who doesn’t.”

[Chart omitted: 2017-08-18_ITTGroups]

Other trending cybercrime events from the week include:

  • HBO troubles continue: The hacking group OurMine temporarily hijacked several HBO social media accounts. In addition, the group of hackers that breached HBO in late July has continued to leak stolen episodes and other documents. Authorities also said that four current and former employees at Prime Focus Technologies, which handles Star India’s data, have been arrested on suspicion of leaking a Star India copy of the August 7 episode of Game of Thrones. Finally, a third-party vendor accidentally posted the August 20 episode of Game of Thrones on the HBO Nordic and HBO España platforms, and that episode was quickly pirated.
  • DDoS attacks make headlines: DDoS attacks against Blizzard disrupted services for several popular games, including Overwatch and World of Warcraft. The website of Ukraine’s national postal service Ukrposhta was the target of a two-day long DDoS attack that caused slowdowns and interruptions for the website and its services.
  • More ransomware infections: LG Electronics said that the self-service kiosks at some of its service centers were infected with ransomware, causing some access problems. The ransomware appears to have been identical to the WannaCry ransomware that made headlines in May, officials from the Korea Internet & Security Agency said. Pacific Alliance Medical Center said that a June 14 ransomware infection may have compromised the protected health information of patients.
  • Data inadvertently exposed: Voting machine supplier Election Systems & Software exposed the personal information of more than 1.8 million Illinois residents due to an insecure Amazon Web Services device. ES&S said the exposed server did not include “any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems.” The Texas Association of School Boards notified some school district employees that a server containing their names and Social Security numbers “inadvertently became visible on the Internet.”
  • Other notable incidents: Surgical Dermatology Group in Alabama is notifying patients that their personal and healthcare information may have been compromised due to a breach at its cloud hosting and server management provider, TekLinks, Inc. City of Hope said that it is notifying patients that their medical information may have been compromised following an email phishing incident that led to four employee email accounts being compromised. OSHA has suspended access to its new Injury Tracking Application (ITA) after it was notified by the Department of Homeland Security of a potential breach of user information. The Scottish Parliament said it was the target of a brute force cyber-attack and members of parliament and staff with parliamentary email addresses were warned to make sure their passwords were as secure as possible. A former Columbia Sportswear information technology manager was charged with one count of computer fraud for allegedly accessing the company’s computer systems for more than two years after leaving the company.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart omitted: 2017-08-18_ITTNew]

Cyber Risk Trends From the Past Week

[Chart omitted: 2017-08-18_RiskScores]

One of the week’s most notable advisories involved the software vendor NetSarang and a backdoor dubbed “ShadowPad” that was shipped out with a July version of the company’s products.

“Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator,” NetSarang said in a statement. “The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”

The issue was first discovered by a financial institution partner of Kaspersky Lab — which described the backdoor as “one of the largest known supply-chain attacks” — after the partner noticed suspicious DNS requests originating from a system involved in the processing of financial transactions. Those requests were later traced to a malicious module hidden inside a recent version of NetSarang software.

“If the attackers considered the system to be ‘interesting,’ the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer,” Kaspersky wrote. “After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code.”

That malicious module has been activated at least once in Hong Kong, but it is possible that other organizations have been infected, the researchers said. NetSarang said that the affected builds are Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220. Organizations using those builds should cease using the software until an update can be applied.
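The ShadowPad case was caught because someone looked at DNS traffic from a sensitive host and asked why it was talking to a domain nobody recognized. The script below is an added example (not NetSarang’s, Kaspersky’s, or SurfWatch Labs’ code, and not a signature for ShadowPad itself) showing the two generic checks a defender can run over DNS resolver logs to surface that kind of activity: a long, high-entropy leftmost label (data or host fingerprints encoded into the query name) and queries to the same parent domain at clockwork-regular intervals (beaconing). The log format, IP addresses, domain names, and thresholds are all constructed for the example; the parent-domain split uses a naive two-label rule rather than a public-suffix list.

```python
import math
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample DNS query log: "<timestamp> <client IP> <queried name>" per line.
# Invented for this example; the ".test" domain is a placeholder, not real infrastructure.
SAMPLE_DNS_LOG = """\
2017-08-15T09:00:01 10.1.20.7 www.example.com
2017-08-15T09:00:03 10.1.20.7 updates.example.org
2017-08-15T09:00:05 10.1.20.9 mail.example.com
2017-08-15T10:00:00 10.1.20.7 nylaobgkhjirutwv.placeholder-c2.test
2017-08-15T11:00:00 10.1.20.7 zxkqpwvbnmtrsdfe.placeholder-c2.test
2017-08-15T12:00:00 10.1.20.7 qwertzuiopasdfgh.placeholder-c2.test
2017-08-15T12:00:02 10.1.20.9 www.example.com
2017-08-15T12:30:00 10.1.20.9 cdn-assets-static-01.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        records.append((ts, m.group(2), m.group(3).lower().rstrip(".")))
    return records


def split_name(qname):
    """Return (leftmost label, parent domain). Naive two-label parent; a real
    deployment would consult the public-suffix list (assumption for this example)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between queries; near 0 means a fixed beacon period."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_suspicious(text, min_label_len=12, min_entropy=3.5, min_count=3, max_cv=0.2):
    """Flag (client, parent domain) pairs that combine encoded-looking labels with regular timing."""
    groups = defaultdict(list)
    for ts, client, qname in parse_log(text):
        label, parent = split_name(qname)
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            groups[(client, parent)].append(ts)
    findings = []
    for (client, parent), stamps in sorted(groups.items()):
        if len(stamps) < min_count:
            continue
        cv = interval_regularity(stamps)
        if cv is not None and cv <= max_cv:
            findings.append({"client": client, "domain": parent,
                             "queries": len(stamps), "gap_cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_DNS_LOG):
        print(finding)
```

On the constructed log this flags only host 10.1.20.7 querying placeholder-c2.test once an hour with 16-character random labels; the long but human-readable cdn-assets-static-01 label falls below the entropy threshold and is a single query, so it is ignored. Either signal alone produces false positives (CDNs use hashed hostnames, and software updaters poll on schedules), which is why the example requires both before reporting.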

Weekly Cyber Risk Roundup: More HBO Leaks and UK Talks New Data Protections

HBO was once again the week’s top trending target as the actors behind the company’s breach continued to leak data stolen from the company, including emails that showed HBO attempted to negotiate a $250,000 “bounty payment” in response to the theft.

[Chart omitted: 2017-08-11_ITT]

A source told Reuters that the negotiation email was sent as a stall tactic and that HBO never intended to pay the attackers, who reportedly demanded $6 million in ransom.

“You have the advantage of having surprised us,” HBO’s email read, according to Variety. “In the spirit of professional cooperation, we are asking you to extend your deadline for one week.”

The actors behind the attack claim to have stolen 1.5 terabytes worth of data. In late July, the group leaked several episodes of unaired HBO shows as well as leaked a script for an unaired episode of Game of Thrones. Last Tuesday the group leaked an additional 3.4 GB of data.

As The Guardian reported, that leak included more Game of Thrones scripts, internal HBO documents, and a month’s worth of emails from HBO’s vice president for film programming. Among the documents were technical data detailing HBO’s internal network and administrator passwords, a spreadsheet of legal claims against the TV network, job offer letters to several top executives, slides discussing future technology plans, and a document that appears to list the contact information of Game of Thrones actors.

The group also claimed that HBO was its seventeenth target and that HBO was only the third company to have not paid the ransom demanded by the group. An HBO spokesperson previously said that the company’s ongoing investigation “has not given us a reason to believe that our e-mail system as a whole has been compromised.”

[Chart omitted: 2017-08-11_ITTGroups]

Other trending cybercrime events from the week include:

  • Actors target Ireland’s grid: Ireland’s EirGrid said that the country’s electric grid was targeted by state-sponsored actors that managed to gain access to a Vodafone network used by the company and then compromised routers used by EirGrid in Wales and Northern Ireland. The breach of the Vodafone network allowed the hackers to create a type of wiretap using Generic Routing Encapsulation (GRE) tunneling to reach EirGrid’s Vodafone router, the Independent reported.
  • Millions of Venezuelans lose cell service: Venezuelan government websites were the target of a massive cyber-attack allegedly carried out by a group known as “The Binary Guardians,” and as a result seven million mobile phone users were left without service, government officials said. The attacks affected Movilnet’s GSM platform, officials said, leaving seven million of the thirteen million mobile phone users without service.
  • New data breaches: Parkbytext is notifying its users that their information may have been compromised due to malware during a service outage. The personal information of 100,000 Dutch drivers was leaked due to a flaw in the LeaseWise software created by software company CarWise ICT and used by 52 Dutch car leasing companies. UCLA officials said that a Summer Sessions and International Education Office server was potentially breached in a May 18 cyber-attack and that the personal information of 32,000 students may have been compromised.
  • Agencies warn of phishing scams: A new phishing scam is impersonating tax software providers in an attempt to steal credentials from tax professionals, the IRS warned. Scammers are impersonating officials from the National Institutes of Health and telling consumers that they’ve been selected to receive a $14,000 grant in an attempt to get victims to pay a fee via gift cards or their bank account numbers, the FTC warned.
  • Arrests and sentences: Two Israeli men were arrested and indicted in Israel on charges believed to be related to operating the DDoS-for-hire service known as vDOS. A former employee of Allen & Hoshall has been sentenced to 18 months in prison for repeatedly accessing the company’s servers over a two-year period in order to obtain proprietary information. An Australian man has been sentenced to an 18-month suspended sentence for his role in operating an illegal network that allowed the selling of unauthorized access to Foxtel service to more than 8,000 people.
  • Other notable incidents: Pernod Ricard SA, producer of Absolut vodka and Chivas Regal Scotch whisky, was the target of a cyber-attack, and some employees at the company’s London office had to turn in their computers to be inspected for infections, sources told Bloomberg. Four different anonymous Bloomberg chat rooms were shut down after a user from the investment firm Janus Henderson sent an unmasked list of all the previous day’s 866 participants in the metal and mining chat room to people in the chat room.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart omitted: 2017-08-11_ITTNew]

Cyber Risk Trends From the Past Week

[Chart omitted: 2017-08-11_RiskScores]

The UK Department for Digital, Culture, Media & Sport (DCMS) released a statement of intent on a new data protection bill last week.

The goal of future data protection acts is to “ensure that we help to prepare the UK for the future after we have left the EU,” wrote DCMS Minister for Digital Matt Hancock.

“The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation,” Hancock wrote. “Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.”

In short, any changes to UK law will be designed around existing international frameworks such as GDPR, which already includes provisions such as individuals being able to exercise their “right to be forgotten” and request that their personal information be deleted, as well as the potential for much larger penalties for organizations that suffer data breaches. As the BBC reported, the current maximum fine for breaking existing data breach protection laws is £500,000, and that will be increased up to £17 million or 4% of global turnover.

As Daradjeet Jagpal noted, the UK government intends to apply for some exemptions from the GDPR, such as allowing organizations other than police to process personal data on criminal convictions and offences, as well as allowing automated data processing — with the caveat that individuals will have the right to challenge any resulting decisions and request human intervention.

Numerous surveys this year have noted that a significant percentage of organizations remain unprepared for the upcoming implementation of GDPR, which is set to go into effect on May 25, 2018. For example, Veritas reported that only nine percent of UK organizations that believe they are prepared for the GDPR are likely in actual compliance. Organizations should remain aware of any potential changes in data protection laws such as GDPR and work to ensure that they will be in compliance with those changes before they become the law of the land.

Weekly Cyber Risk Roundup: HBO Hackers Promise More Leaks and Dark Web Vendors Reuse Passwords

HBO was among the week’s top trending cybercrime targets as malicious actors claimed to have stolen 1.5 terabytes of company data and subsequently leaked upcoming episodes of “Ballers,” “Room 104,” “Insecure,” and the unaired comedy “Barry,” which is scheduled to air in 2018. The hackers also leaked the script for Sunday night’s episode of Game of Thrones before it aired, as well as the apparent personal information and account details of a senior HBO executive.

[Chart omitted: 2017-08-04_ITT]

In a separate incident, Sunday night’s episode of Game of Thrones was leaked several days early and spread via torrent sites due to an incident at distribution partner Star India, which published the episode early on its official website before removing it shortly thereafter.

The actors behind the HBO breach initially teased that more leaks were “coming soon.” Later, someone claiming to represent the group told The Hollywood Reporter that additional leaks would occur on Sunday; however, the contact then said the leaks would be delayed “because of some new buyers.”

“Some of HBO’s top competitors are negotiating with us for buying the dump,” the contact wrote in an email. “The deal are near to close. Poor HBO never rise again.”

As THR pointed out, it’s unlikely HBO’s direct rivals would purchase the stolen data. Variety reported that the hackers appeared to have accessed thousands of internal documents, employee data, and possibly internal corporate email. CEO Richard Plepler notified employees that the incident “resulted in some stolen proprietary information, including some of our programming.” However, CNN reported that HBO does not believe the company’s email system as a whole was compromised, despite THR’s contact alleging that they still have “full access to their webmails.”

[Chart omitted: 2017-08-04_ITTGroups]

Other trending cybercrime events from the week include:

  • Airlines issue warnings: Virgin America notified employees and contractors that their information may have been compromised due to a network intrusion first detected on March 13, 2017. The unauthorized access may have compromised the login credentials of approximately 3,120 employees and contractors, as well as the personal information of 110 employees. Malicious actors have leaked data allegedly tied to Spirit Airlines Free Spirit accounts after a failed extortion attempt against the airline. Spirit said that the actor attempted to extort the company using previously compromised email addresses and passwords from other data breaches. Canadian airline WestJet announced that the profile data of some WestJet Rewards members has been disclosed online by an unauthorized third party. WestJet did not indicate what data was leaked or how many customers were affected.
  • #LeakTheAnalyst operation targeting researchers: A hacking group going by the name “31337 Hackers” leaked data belonging to a security researcher working for FireEye’s breach investigation unit Mandiant, and the group also may have gained access to the researcher’s Hotmail, OneDrive, and LinkedIn accounts. The data appears to be stolen from the researcher’s personal computer, and there is “no evidence that FireEye or Mandiant systems were compromised,” FireEye said. The group said the leak is part of a larger operation that is targeting security researchers, dubbed “#LeakTheAnalyst.”
  • New data breaches: Health insurer Anthem said that 18,500 customers’ personal and medical information may have been compromised by an employee at LaunchPoint. The Daniel Drake Center for Post-Acute Care is notifying 4,721 patients that their information may have been compromised due to an employee accessing their medical records without authorization. Kaleida Health is notifying patients that their information may have been compromised due to a phishing incident that allowed an unauthorized third party to gain access to a small number of Kaleida Health email accounts. Kids Pass said that users’ personal information could have been exposed because the activation link sent to new users could be altered in the URL to view other account holders’ data. An attacker managed to trick an employee at A9t9 into handing over the company’s Google developer account credentials and then pushed out a malicious version of the Copyfish Chrome extension.
  • More ransomware: An unnamed Canadian company paid $425,000 after a ransomware attack encrypted its production databases and backups. The intruders gained access due to spear phishing messages that were sent to six senior company officials. Northwest Rheumatology of Tucson is notifying patients that their information may have been compromised following a ransomware attack that occurred on April 10, 2017.
  • Arrests and sentences: The security researcher known as “Malwaretech,” who is best known for helping to stop the spread of the WannaCry malware, was arrested for allegedly creating and distributing the Kronos banking Trojan. A Seattle man has been arrested on charges of extorting multiple media companies with threats of DDoS attacks. A Russian citizen was sentenced to 46 months in prison for his role in infecting tens of thousands of computers with the Ebury malware.
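The Kids Pass item above describes a classic insecure direct object reference: the activation link identifies the account, and the server trusts whatever identifier arrives. The following is an added example, not code from Kids Pass or from the original page; the account store, account ids and e-mail addresses are constructed sample data. It shows the vulnerable lookup beside a hardened one in which the link carries an unguessable, single-use, expiring token bound to exactly one account, with only a hash of the token kept server-side.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed in-memory account store standing in for a real database (sample data only).
ACCOUNTS: Dict[int, Dict] = {
    1001: {"email": "alice@example.com", "name": "Alice"},
    1002: {"email": "bob@example.com", "name": "Bob"},
}

# --- Vulnerable pattern: the activation link carries a guessable identifier and the handler
# trusts it, so a request for id 1002 returns Bob's profile to anyone who edits 1001 into 1002.
def activate_vulnerable(account_id: int) -> Optional[Dict]:
    return ACCOUNTS.get(account_id)

# --- Hardened pattern: the link carries a random, single-use, expiring token that is bound
# to one account; the server stores only sha256(token), so a leaked table cannot be replayed.
TOKENS: Dict[str, Dict] = {}  # sha256(token) -> {"account_id", "expires", "used"}

def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_activation_token(account_id: int, now: float, ttl_seconds: int = 24 * 3600) -> str:
    """Mint the token that goes into the activation e-mail; `now` is a Unix timestamp."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: cannot be enumerated
    TOKENS[_token_key(token)] = {"account_id": account_id, "expires": now + ttl_seconds, "used": False}
    return token

def activate_hardened(token: str, now: float) -> Optional[Dict]:
    """Return the account the token was issued for, or None if it is unknown, expired or spent."""
    rec = TOKENS.get(_token_key(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True  # a second request with the same link gets nothing
    return ACCOUNTS.get(rec["account_id"])

if __name__ == "__main__":
    link_token = issue_activation_token(1001, now=0.0)
    print("vulnerable lookup of another id:", activate_vulnerable(1002))
    print("hardened, first use:", activate_hardened(link_token, now=60.0))
    print("hardened, replayed: ", activate_hardened(link_token, now=61.0))
```

The point of hashing the stored token is that the activation table itself becomes useless if it leaks; the point of the expiry and the `used` flag is that an intercepted link has a short window and works once. None of that helps if the identifier in the URL is still a sequential number, which is the defect the Kids Pass report describes.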

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-08-04_ITTNew

Cyber Risk Trends From the Past Week

2017-08-04_RiskScores

Law enforcement continues to target activity on the dark web following the recent takedown of AlphaBay and Hansa Market, two of the three largest cybercriminal marketplaces on the dark web.

Those takedowns left Dream Market as the new king of the dark web; however, there has been speculation by its users that Dream Market may have been compromised by law enforcement as well — or at least that 16 vendor accounts on the site may have been compromised.

One of those 16 alleged vendors said that Dutch law enforcement had seized his or her vendor account and changed all of its information on the same night that Hansa Market was taken offline.

“I can clearly say that (at least) my account was seized by dutch LE,” the user wrote. “I think they came on it through my sillyness using same password on hansamarket. … I don’t think dreammarket itself is compromised, I only think the LE is trying to fuck the rest out of this community by using log-in informations from other markets.”

As Naked Security reported, there has been no confirmation from the Dutch police about the alleged takeover of Dream Market accounts, but it makes sense that authorities would exploit password reuse and lack of two-factor authentication by cybercriminals in order to further their reach into active dark web markets.

A recent survey (PDF) found that 81% of those in the U.S. reuse passwords across multiple online accounts — and this now includes dark web vendors too, if the Dream Market news is any indication. This reuse occurs despite the fact that password reuse and credential-stuffing attacks lead to numerous cases of account takeovers, data breaches, and other cybersecurity incidents each week.

It may be impossible to stop users from reusing passwords, but, as Troy Hunt noted, NIST (in Special Publication 800-63B) recommends that organizations become proactive and block passwords that have previously appeared in data breaches. That is why he released a list of 320 million previously compromised passwords, distributed as SHA-1 hashes, for organizations to download for free and use to protect their systems.

“Use this data to do good things,” Hunt wrote. “Take it as an opportunity to not just reduce the risk to the service you’re involved in running, but also to help make people aware of the broader risks they face due to their password management practices.”
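The Dream Market account takeovers and the NIST guidance above come down to the same control: reject a new password when it is already in a breach corpus. The block below is an added example, not code from Troy Hunt’s project or from the original page. It assumes the corpus is a local text file with one upper-case SHA-1 hash per line (the parser also tolerates the later `HASH:count` form), and it stands in a three-entry constructed sample for the downloaded list. The password rules follow NIST SP 800-63B section 5.1.1.2: minimum length, no context-specific words such as the username, and no known-breached values.

```python
import hashlib
from typing import Iterable, Optional, Set

# Constructed stand-in for a few lines of a downloaded breach-hash list; the three entries
# are the SHA-1s of "password", "123456" and "letmein". A real list has hundreds of millions.
SAMPLE_BREACH_FILE = "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in ("password", "123456", "letmein")
)

def sha1_hex(password: str) -> str:
    """SHA-1 is used only to look the candidate up in the corpus, never to store it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def load_breached_hashes(lines: Iterable[str]) -> Set[str]:
    """Parse a hash list into a set; skips blank or malformed lines and strips a ':count' suffix."""
    hashes: Set[str] = set()
    for line in lines:
        h = line.strip().upper().split(":", 1)[0]
        if len(h) == 40 and all(c in "0123456789ABCDEF" for c in h):
            hashes.add(h)
    return hashes

def check_new_password(password: str, breached: Set[str], username: Optional[str] = None) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it was rejected."""
    if len(password) < 8:
        return "too short: at least 8 characters required"
    if username and username.lower() in password.lower():
        return "contains the username"
    if sha1_hex(password) in breached:
        return "found in a known data breach"
    return None

BREACHED = load_breached_hashes(SAMPLE_BREACH_FILE.splitlines())

if __name__ == "__main__":
    for candidate in ("password", "tr0ub4dor", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, BREACHED) or "accepted")
```

Two caveats a practitioner would add: the candidate is hashed with SHA-1 only because that is the format of the corpus, and the accepted password must still be stored with a deliberately slow hash (bcrypt, scrypt or Argon2); and a full 320-million-entry set does not belong in process memory, so production deployments put the hashes in a sorted file or database and query by hash prefix.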

Weekly Cyber Risk Roundup: UniCredit Breach and Two Swedish Officials Resign

The Italian bank UniCredit was among the week’s top trending cybercrime targets after the bank announced it had been the victim of two separate data breaches affecting approximately 400,000 customers who had taken out personal loans.

2017-07-31_ITT.png

The first breach occurred between September and October 2016, and the second breach occurred between June and July 2017, UniCredit wrote in its press release. The breaches occurred “due to unauthorized access through an Italian third party provider” and resulted in personal information and international bank account numbers being compromised.

Bloomberg, which described the incident as “one of the biggest breaches of European banking security this year,” reported that both breaches were only discovered this past week.

Daniele Tonella, the CEO of UniCredit Business Integrated Solutions, said that while conducting checks the IT department discovered that some users from an external commercial partner were accessing client data. Tonella said the bank quickly moved to block the access and has since upgraded the system.

UniCredit said that it is investing €2.3 billion in upgrading and strengthening its IT systems as part of its “Transform 19” plan.

2017-07-31_ITTGroups

Other trending cybercrime events from the week include:

  • Payment card and bitcoin thefts announced: The Galt House Hotel is notifying customers that it discovered malware on its point-of-sale systems and that customers who used their cards at the hotel between December 21, 2016 and April 11, 2017 may have had their information compromised. Newcastle University is warning that a fake website is using its brand and duping students into handing over their payment card information and other personal details in order to sign up for fake courses. Police arrested a man who claims to have used malware to steal between $40 million and $50 million worth of bitcoin. According to court documents, the man said he wrote software that simulates the code used to create bitcoin wallets and then distributed that software via certain internet forums. The software would steal bitcoin by substituting the attacker’s wallet for the victim’s wallet during transactions.
  • New ransomware announcements: The Groundlings Theatre said that an email containing a fake invoice led to a ransomware infection that encrypted 54,000 files. The company said it paid the £300 ransom demand to recover the files and that it should take about four weeks to fully recover all of them. Plastic Surgery Associates of South Dakota is notifying patients that their information may have been compromised due to a ransomware infection on February 12, 2017. The Women’s Health Care Group of PA said that malicious actors exploited a security vulnerability to gain access to its systems as far back as January 2017 and that led to a ransomware infection and the potential compromise of patient information.
  • More accidental disclosures: Sutton Council in the UK published an unredacted spreadsheet on its website that listed the names and payments issued to hundreds of individuals who received over £500 in benefits such as disability, adoption, fostering allowances, day care respite, and special needs education. BlueCross BlueShield of Tennessee said that 657 employers’ group benefit administrators were sent information meant for other companies due to a computer glitch. As a result, 2,100 individuals had their personal information compromised, including member names, dates of birth, plan type and coverage dates, and member identification numbers.
  • Other notable incidents: A dark web user is selling 40 million voter records from 9 different states and has hinted that he may possess records for an additional 20 to 25 states. More than 5.5 million Social Security numbers were stolen in the previously reported March 2017 data breach of America’s Job Link Alliance-TS. The University of Vermont Medical Center is notifying 2,300 patients that their information may have been compromised due to a phishing incident that led to an unauthorized third party gaining access to an employee email account. A North American casino had its Internet-connected fish tank compromised, and the attacker used that access to move laterally to other places in the network. The supermarket chain Loblaws said that a “small number of user accounts” were affected by “unauthorized online activity” and is asking users to reset passwords.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-07-31_ITTNew

Cyber Risk Trends From the Past Week

2017-07-31_RiskScores

Two Swedish officials have resigned following criticism over a large data breach that may have compromised classified information as well as the sensitive personal data of citizens.

According to The New York Times, the breach was due to a lack of adequate safeguards being adopted when the Swedish government entered into an outsourcing agreement with IBM Sweden to manage vehicle registration and driver’s license databases back in April 2015. The nearly $100 million agreement lacked certain safeguards, the Times reported, which allowed unauthorized personnel at IBM subsidiaries in Eastern Europe to access large amounts of sensitive data such as details about Sweden’s infrastructure and the identities of people working undercover for the Swedish police and the Swedish security service.

Last Thursday, Swedish Prime Minister Stefan Löfven announced the resignation of Anders Ygeman, the Minister of Home Affairs, and Anna Johansson, the Minister of Infrastructure. Politico reported that Defense Minister Peter Hultqvist will not resign, despite demands from the opposition that he do so.

News of the leak first began to spread earlier this month after the Transport Agency’s former director general Maria Agren, who had been fired in January, was fined 70,000 Swedish krona ($10,700) for mishandling confidential information, The Sydney Morning Herald reported. Anders Thornberg, the head of Sweden’s security service, said that while inadequately protected information must be considered breached, the data may not have actually been compromised as a result of that inadequate protection. However, Thornberg also said that the incident was “very serious because it could damage our operational business that we are conducting every day in order to protect Sweden.”

The Times reported that results from a preliminary investigation revealed at least three unauthorized people in the Czech Republic had full access to the sensitive databases.

Leaked Exploits Have Fueled Cybercrime So Far in 2017, Says New Report

Leaked exploits and increased cybercrime-as-a-service offerings — along with the expanding digital footprints of organizations — helped to fuel cybercrime in the first half of 2017, according to a mid-year threat intelligence report from SurfWatch Labs.

The global outbreaks of WannaCry and NotPetya have dominated headlines so far this year. Although vastly different from the record-setting, Mirai-powered DDoS attacks that disrupted services in the second half of 2016, the report noted that those events share a similar root cause: leaked exploits and source code.

Download the report: “Leaked Exploits Fuel Cybercrime: State-Sponsored Exploits and Cybercriminal Services Empower Malicious Actors.”

“A year ago, our mid-year report showed the interconnectedness of cybercrime through extensive supply chain hacks and compromised IoT devices,” said Adam Meyer, chief security strategist, SurfWatch Labs. “Find one weak link and maximize it for all it’s worth was the name of the game then … and that still happens today with even more evidence of how the criminal ecosystem maximizes efforts through shared resources, skills for hire and, sometimes, outright theft.”

CF_Types
SurfWatch Labs collected data on close to 4,000 different industry targets in the first half of 2017 across a variety of categories. The main categories – data breaches, cyber-attacks, illegal trading, vulnerabilities, advisories, and legal actions – are shown in the chart above, with larger circles indicating more threat intelligence activity for that target.

The leaked exploits and data from the NSA and CIA have received the most attention, but there was a wide range of other malware and source code leaks that could have consequences for organizations moving forward, such as:

  • the sale of the Kraken source code used in MongoDB and ElasticSearch extortion attacks;
  • the release of the Nuclear Bot (NukeBot) banking Trojan’s source code;
  • the creation of the Android BankBot Trojan from a commercial Trojan’s leaked source code;
  • and reports that claimed various malicious actors used tools leaked from surveillance company HackingTeam or created by Israeli cyber arms dealer the NSO Group in targeted attacks.

Just last week researchers reported that attackers were using modified versions of NukeBot to target banks in France and the U.S.

“Much like leaked personal data, once those vulnerabilities, exploits, and tools are exposed, they forever remain in the cybercriminal public domain,” SurfWatch Labs’ report noted. “[Events such as WannaCry and NotPetya] reaffirmed that the most dangerous data breaches often involve the theft of such tools and exploits – and the impact of that type of information being leaked can spread further, wider, and be more long-lasting than perhaps any other type of cyber incident.”

SurfWatch Labs collected cyber threat data from thousands of open and dark web sources and then categorized, normalized and measured it for impact based on our CyberFact information model.

Some notable takeaways from the mid-year threat intelligence report include:

  • WannaCry ransomware was the most talked about malware out of nearly 1,200 tags, accounting for 8.6% of all malware tags, followed by the Industroyer malware at 4.8%.
  • Crimeware trade was the most prevalent tag related to cybercrime practices as malicious actors continued to buy, sell, and trade tools on dark web markets and cybercriminal forums, as well as develop more cybercrime-as-a-service options.
  • The percentage of extortion-related activity observed in 2017 has more than doubled from 2015 levels and increased by more than 40% when compared to 2016 levels. More industry targets were publicly tied to ransomware and extortion over just the first half of 2017 than in all of either 2014, 2015, or 2016.
  • Cybercriminals expanded upon successful business email compromise (BEC) scams to implement more attacks. For example, more than 200 organizations reported W-2 data breaches due to phishing messages in the first half of 2017 – a rise from the 175 reported in 2016.
  • The percent of government cybercrime-related threat data collected by SurfWatch Labs more than doubled from the previous two periods (from 13% to nearly 27%), and government was the top trending overall sector for the time frame (followed by IT at 25% and consumer goods at 17%).
  • The CIA was the top trending cybercrime target of the period due to a nearly weekly series of data dumps from WikiLeaks (followed by Microsoft, the NSA, Twitter, and England’s National Health Service).

“As we’ve repeatedly seen over the past few years, a major breach is rarely isolated, and information stolen or leaked from one organization can be leveraged to attack numerous other organizations,” Meyer said. “Whether it is personal information, credentials, intellectual property, or vulnerabilities and exploits, actors will build off of that hard work and the previous success of other actors by incorporating that information into new campaigns.”

Read the full, complimentary report: http://info.surfwatchlabs.com/cyber-threat-trends-report-1h-2017

Weekly Cyber Risk Roundup: Three Ethereum Heists and NotPetya Fallout Continues

The cryptocurrency Ethereum made numerous headlines this past week due to three separate multi-million dollar thefts: one due to a bug in the code of the Parity Ethereum client, one caused by a website hack that redirected funds meant for the Initial Coin Offering (ICO) of Coindash, and one tied to a hacker managing to steal VERI tokens during the ICO of Veritaseum.

2017-07-24_ITT.png

The largest theft involved a bug found in the multi-signature wallet code used as part of Parity Wallet software, which led to 3 wallets being exploited and reports of more than 150,000 ETH (approximately $34 million) being stolen. As Parity noted, a total of 596 multi-sig wallets were vulnerable, but the vast majority of the funds in those wallets were commandeered by a group known as the White Hat Group in order to prevent the theft of an additional 377,000 ETH (approximately $85 million).

That theft followed an announcement from Coindash that an actor had managed to gain access to its official website during the company’s ICO and changed the text on the site to an ether wallet address likely controlled by the attacker — resulting in investors sending $10 million worth of Ether to the fraudulent address. The company’s developers said that “all CoinDash investors will get their tokens”; however, Coin Desk reported that individuals who made transactions after the website was shut down will not be compensated.

Finally, Veritaseum confirmed that a malicious actor stole $8.4 million worth of VERI tokens from the platform’s ICO on July 23. The attackers immediately resold the tokens during the “very sophisticated” attack. Not much was disclosed about the attack, but “there is at least one corporate partner that may have dropped the ball and be liable,” the company’s founder said.

2017-07-24_ITTGroups

Other trending cybercrime events from the week include:

  • More information exposed due to errors: Dow Jones & Company confirmed that at least 2.2 million customers had their data exposed due to an Amazon Web Services S3 bucket that was configured to allow any AWS “Authenticated Users” to download the data. That grant covers anyone holding an AWS account, not just Dow Jones users, so the bucket was effectively open to the public. In addition, the leak contained the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations. Security researchers discovered an insecure database owned by the data services company DM Print that had 31,000 records, including administrative credentials for the database. With that information, anyone could access highly sensitive health information such as names, dates of birth, National Insurance numbers, addresses, investment data, and more. Travel company Flight Centre said that the personal information and customer passports “relating to some leisure customers in Australia was accidentally made available to a small number of potential third party suppliers for a short period of time.”
  • Insider breaches: An employee at Bupa copied and removed insurance information relating to 108,000 international insurance plans affecting 547,000 customers. The company said the data included names, dates of birth, nationalities, and some contact and administrative information. Detroit Medical Center is notifying 1,529 patients of a breach at a contracted staffing agency where an employee provided their information to unauthorized individuals. The breach occurred between March 2015 and May 2016. The Nova Scotia Health Authority said that 337 patients had their personal health information accessed inappropriately in two separate incidents involving six employees.
  • More energy sector warnings: The UK’s National Cyber Security Centre (NCSC) warned that state-sponsored actors are targeting the country’s energy sector and that “a number of Industrial Control System engineering and services organisations” have likely been compromised. The warnings followed similar alerts from U.S. agencies about hackers successfully targeting U.S. energy companies. While other sectors have been targeted, the focus of the attacks is engineering, industrial control, and water sector companies, the NCSC said.
  • Other notable incidents: Domain name registrar Gandi said that an unauthorized connection that occurred at one of the technical providers it uses to manage a number of geographic TLDs led to 751 domains having their traffic forwarded to a malicious site exploiting security flaws in several browsers. There were 22 breach incidents in the Veterans Administration’s monthly reports to Congress between May 2016 and June 7, 2017, and only one of those breaches received any media coverage at the time, according to data obtained via a Freedom of Information Act request by databreaches.net. A dark web vendor going by the name “dnu2k” is selling data tied to dadeschools.net, k12.wi.us, and other “freshly hacked emails.” The latest dump of CIA documents from WikiLeaks involves contractor Raytheon Blackbird Technologies providing “Proof-of-Concept ideas and assessments for malware attack vectors” to the agency.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-07-24_ITTNew

Cyber Risk Trends From the Past Week

2017-07-24_RiskScores

The picture of the damage caused by the NotPetya global outbreak in late June continues to crystallize as more companies reveal the details and fallout of their infections.

For starters, FedEx said that some of the damage caused by the NotPetya attack may be permanent, particularly when it comes to TNT Express B.V., which FedEx acquired in May 2016. Some of TNT’s customers were “still experiencing widespread service and invoicing delays” nearly three weeks after the NotPetya infection, according to SEC documents filed by FedEx.

“We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus,” FedEx wrote in its filing. That filing listed more than a dozen types of costs and damages potentially resulting from the incident, ranging from operational disruption to remediation to permanent customer loss to litigation.

In addition, the France-based Compagnie de Saint Gobain SA said that a preliminary assessment of the NotPetya infection estimated the incident would cost the company approximately 1% of first half sales. That equates to approximately €200 million as a result of the attack, The Street reported.  

Earlier this month, The Guardian reported that Reckitt Benckiser, a British consumer goods company, may lose around €100 million due to NotPetya. In addition, Mondelez, the maker of Oreo cookies, said that the attack had disrupted shipping and invoicing during the last four days of the second quarter and that in a few markets the company had “permanently lost some of that revenue due to holiday feature timing.”

NotPetya may not have generated nearly as much extortion money as other ransomware — if that was even its intention to begin with — however, the global attack has proven quite impactful for numerous organizations so far. The second half of 2017 will likely see the total costs of the attack become more clear as other organizations reveal more details about how NotPetya affected their operations — and how the fallout from the attack has impacted the year’s financial projections.

AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals

On Thursday morning, the Department of Justice, Europol, and Dutch authorities announced a coordinated law enforcement takedown of AlphaBay and Hansa Market, two of the three largest dark web marketplaces used to buy and sell illicit goods and services.

AlphaBay has been offline since July 5, the same day that founder Alexander Cazes was arrested in Bangkok and a week before his apparent suicide. With the dark web’s most popular marketplace suddenly unavailable, many users turned to Hansa, a market that touted its security-focused approach. Unfortunately for those users, Dutch law enforcement had seized control of Hansa on June 20 following the arrest of two administrators in Germany, and law enforcement has been covertly monitoring the market’s activity over the past month.

2017-07-20_HansaSeized.png
The dark web markets AlphaBay and Hansa Market were both taken down in a coordinated law enforcement effort that was announced Thursday morning.

As Europol noted, this joint effort against the two markets helped to “magnify the disruptive impact” of the operation.

“It meant the Dutch police could identify and disrupt the regular criminal activity on Hansa but then also sweep up all those new users displaced from AlphaBay who were looking for a new trading platform,” Europol wrote in its press release. “In fact they flocked to Hansa in their droves, with an eight-fold increase in the number of new members of Hansa recorded immediately following the shutdown of AlphaBay.”

2017-07-20_HansaPractices.png
Database trade is the top trending cybercrime practice associated with Hansa Market over the past year, according to SurfWatch Labs’ data.

With both AlphaBay and Hansa Market now out of the picture, Dream Market is the reigning leader, according to SurfWatch Labs’ threat intelligence data.

How Cazes was Caught and AlphaBay Taken Down

Cazes, who was also known as “Alpha02” or “Admin” on the market, founded AlphaBay in 2014 and ran the site along with a team of eight to 10 individuals, according to the unsealed indictment. Over the two-and-a-half-year period the site was operational, AlphaBay grew to become the largest dark web market in history and collected tens of millions of dollars in commissions.

2017-07-20_AlphaBayPractices.png
When AlphaBay was shuttered in early July, it had approximately 370,000 listings for sale across various categories such as fraud, drugs, counterfeit items, software and malware, and more.

However, Cazes made numerous mistakes while running AlphaBay that other malicious actors will be paying close attention to, said SurfWatch Labs chief security strategist Adam Meyer.

“As I read the indictment detailing the AlphaBay takedown in particular, I see a list of mistakes being disclosed by the operators of the market that will certainly be scrutinized by criminal elements in order to ensure they are not repeated in future efforts,” Meyer said. “In similar ways that malware instances are shared, tweaked and reused, those who operate illegal marketplaces — or have the desire to due to its profitability — are certainly taking detailed notes for future efforts.”

As the court documents noted:

  • Cazes’ personal email, “Pimp_Alex_91@hotmail.com,” was included in the header of an AlphaBay welcome email that was sent to new users in December 2014. The email was also included in the header of AlphaBay password recovery emails sent in late 2014.
  • Law enforcement then discovered the email address belonged to a Canadian-born man named Alexandre Cazes with a birthdate of October 19, 1991.
  • A December 2008 post on the online tech forum “http://www.commentcamarche.com” was subsequently found in which a user going by the name “Alpha02” posted information in French on how to properly remove a virus from a digital photo. That post included both the name “Alexandre Cazes” and the email “Pimp_Alex_91@hotmail.com.”
  • The email address was also tied to a PayPal account registered in Cazes’ name.
  • When Cazes was arrested, law enforcement discovered his laptop open and in an unencrypted state, as well as logged into the server that hosted the AlphaBay site. While searching the computer they found several open text files with passwords for the AlphaBay site and servers, which allowed law enforcement to seize all the information and cryptocurrency on those servers.

At the time of his arrest, a financial statement on Cazes’ computer put his net worth at $23,033,975. Cazes attempted to justify his wealth through a front company called EBX Technologies, but the indictment noted that the company’s website “is barely functional” and that the company’s bank records show “little to no business income or banking activity.”

What’s Next for the Dark Web?

Dark web market takedowns are significant, Meyer said, but they’re also a part of the now-established cycle of popular markets being disrupted by law enforcement or exit scams only to have new markets rise in their absence.

“While the law enforcement take down of AlphaBay and Hansa are certainly heavily impactful to underground merchants, rest assured new marketplaces will be established and new protocols will be implemented,” Meyer said.

It was just a little over a year ago that the then-number-two most popular market, Nucleus Market, suddenly went offline in an apparent exit scam, helping to bolster both AlphaBay’s and Hansa’s user base. With those two markets now gone, Dream Market has become the temporary king, but that will likely change in the coming months as new markets and new operators step in to fill the void — until the cycle repeats again.

Weekly Cyber Risk Roundup: Big Telecom Leaks and AlphaBay Goes Offline

Massive database leaks were once again among the week’s top trending cybercrime targets, including incidents involving U.S. Verizon customers, France’s Orange S.A., and India’s Reliance Jio Infocomm.

2017-07-014_ITT.PNG

The Verizon leak was caused by a third-party engineer at NICE Systems and affected as many as 14 million U.S. customers. The engineer appears to have created a publicly available Amazon Web Services S3 bucket that logged customer call data for unknown purposes. As a result, personal information, account information, and Verizon account PIN codes were potentially exposed. A Verizon spokesperson acknowledged the breach, but said only 6 million customers had their data exposed by the incident.

In addition, French-language text files stored on the same server show internal data from Paris-based telecommunications corporation Orange S.A., also a NICE Systems partner. However, the researchers said it “appears this internal Orange data is less sensitive.”

In addition, Reliance Jio Infocomm, an Indian telecom company with over 100 million subscribers, is investigating a potential incident after local news sites reported that names, telephone numbers and email addresses of Jio users were visible on a site called “Magicapk.” However, an initial investigation showed that Jio’s apps and websites were secure, ET Telecom reported. Last week the police brought in a suspect who was in possession of partial details of Jio subscribers, including their names, email IDs, alternate mobile phone numbers, and the dates of activation of SIM cards. That data may have been taken from a Jio retailer, since they have access to that type of subscriber data, the deputy commissioner of police for Navi Mumbai said.
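The Verizon/NICE Systems bucket above was readable by anyone, and the Dow Jones bucket in the previous roundup was readable by any AWS account holder through the “Authenticated Users” group; both are one-line misconfigurations that a periodic audit catches. The block below is an added example, not code from either company or from the original page. It checks the two places such a grant can live, the bucket ACL and the bucket policy, over constructed sample inputs shaped like what boto3’s `get_bucket_acl()` returns and the JSON string `get_bucket_policy()["Policy"]` returns; the bucket names, account id and role name are made up.

```python
import json
from typing import Any, Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WIDE_OPEN_GROUPS = {
    ALL_USERS: "AllUsers (anyone on the internet, no credentials)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account in the world, not just yours)",
}

def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]

def risky_acl_grants(acl: Dict[str, Any]) -> List[Dict[str, str]]:
    """Flag ACL grants to the two global groups; `acl` has the shape of get_bucket_acl()."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WIDE_OPEN_GROUPS:
            findings.append({"grantee": WIDE_OPEN_GROUPS[grantee["URI"]],
                             "permission": grant.get("Permission", "")})
    return findings

def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list of principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def risky_policy_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Flag Allow statements with a wildcard principal in a bucket policy document."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", ""),
                "actions": _as_list(stmt.get("Action", [])),
                # A Condition (e.g. aws:SourceIp) may narrow the grant; still review it by hand.
                "conditioned": bool(stmt.get("Condition")),
            })
    return findings

# Constructed samples (not the real Dow Jones or NICE Systems configurations).
ACL_AUTHENTICATED_READ = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]}
ACL_PUBLIC_READ = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
ACL_PRIVATE = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
]}
POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"},
]})
POLICY_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/analysts"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-call-logs/*"},
]})

if __name__ == "__main__":
    # In a real audit the inputs come from boto3: s3.get_bucket_acl(Bucket=b) and
    # s3.get_bucket_policy(Bucket=b)["Policy"] for each bucket in s3.list_buckets()["Buckets"].
    for name, acl in (("authenticated", ACL_AUTHENTICATED_READ),
                      ("public", ACL_PUBLIC_READ), ("private", ACL_PRIVATE)):
        print(name, risky_acl_grants(acl))
    print("policy", risky_policy_statements(POLICY_PUBLIC))
```

Three things to keep in mind when wiring this to a live account: `get_bucket_policy()` raises `NoSuchBucketPolicy` when a bucket has none, so wrap that call; the bucket ACL says nothing about per-object ACLs, which need their own pass; and since late 2018 the account-level S3 Block Public Access setting refuses both kinds of grant outright, which is the better fix than auditing after the fact.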


Other trending cybercrime events from the week include:

  • More payment card breaches: A breach of Avanti Markets internal networks allowed malicious actors to push malware to self-checkout devices used in corporate break rooms, and as a result payment card information may have been compromised. Avanti said that it believes the malware was only active between July 2 and July 4 of this year. B&B Theatres, which operates 50 locations across seven states, discovered a point-of-sale breach that appears to date back two years. A recent alert estimated the window of exposure of the breach to be between April 2015 and April 2017. Real Estate Business Services (REBS) notified 1,033 California Association of Realtors members that their personal and payment card information may have been stolen when the online store they use was compromised with malware. The infection occurred between March 13 and May 15.
  • Medical information exposed: The County Commissioners Association of Pennsylvania (CAAP) said that the details of approximately 1,800 child welfare cases were exposed online by third-party vendor Avanco International. University of Iowa Health Care is notifying 5,292 patients that a limited set of their protected health information was “inadvertently saved in unencrypted files that were posted online through an application development site” and exposed for nearly two years. A former employee of the St. Charles Health System is accused of the unauthorized access and viewing of thousands of patient records.
  • More ransomware infections: Community Care of St. Catharines and Thorold in Ontario had its systems infected by NW4 ransomware, which demanded a $3,000 ransom payment. A Community Care spokesperson said that it backs up its data regularly so there was no need to pay the extortion. However, it still took nearly a week for Community Care to restore full access to its computers, and some data that was not captured in the most recent backup was lost. The dental office of Dr. Douglas Boucher, DDS, and Dr. Andrea Yaley, DDS, is notifying patients of a ransomware attack that may have compromised their patient information. The office said that its computer systems were believed to have been hacked around May 19, 2017, and on June 2 it received a ransomware notice. Records were restored from a backup; however, the office said the hacker did access its email system and may have accessed its patient dental health records.
  • Other notable incidents: A hacker going by the name Dhostpwned was able to use a PHP shell to compromise the dark web hosting provider Deep Hosting and said he obtained “the majority” of files and SQL databases on the server. An employee at the Australian Tax Office (ATO) published an ATO guide on how to hack mobile phones that included instructions on how to bypass passwords and obtain data even if the phone battery is depleted and it does not have a SIM card. A Russian-born cybercriminal living in Los Angeles was sentenced to 110 months in prison for running a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The dark web marketplace AlphaBay has been taken down in a law enforcement raid, and one of the alleged leaders of the site has been found dead in his Thai prison cell in an apparent suicide.

(See “AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals” for more information.)

As SurfWatch Labs has noted in the past, AlphaBay was by far the largest and most popular dark web marketplace before it suddenly went dark earlier this month, leading concerned users to speculate if its owners had either been arrested or performed an exit scam. It is not uncommon for dark web markets to disappear without notice. However, AlphaBay had built up a reputation for reliability and become the undisputed king of the dark web marketplaces over the past two years.

Alexandre Cazes, the man who committed suicide in his jail cell, is alleged to be the operator of AlphaBay known as “Alpha02.” U.S. authorities issued a warrant for Cazes’ arrest on June 30, and he was arrested in Bangkok on July 5, the Bangkok Post reported, the same day the dark web market suddenly went offline. Arrangements were being made for his return to the United States to face charges when Cazes reportedly used a towel to hang himself.

Wired reported that conservative estimates put AlphaBay’s daily transactions between $600,000 and $800,000. With the site suddenly gone, a significant percentage of the cybercriminal ecosystem is now in search of a new home. That influx of traffic forced the dark web market Hansa to close its doors to new businesses due to “technical issues.” Users of Dream Market also reported issues accessing the site following AlphaBay’s takedown.

The next few months will certainly be an interesting time on the dark web as those users look for a new place to buy, sell, and trade their goods and services — and as the story and fallout around the takedown begin to take shape.