The hottest infosec news for August 2024

Hello everyone! We are summing up the month with our traditional digest of the most interesting news. August brought passions around the Zuckerbrins: Durov, Musk and Zuckerberg all made headlines. In Russia, a bill on fees from companies for foreign software is being prepared, and in the US they want to equate cybercriminals with terrorists.

August brought records: a US data broker leaked 2.7 billion records on Americans, and 2024 is on track to be a record year for ransomware payments. Also last month, the WWH Club forum, together with its owner (an MMM veteran), and the Dispossessor group went under the FBI's knife. Read about this and other news and information security curiosities of the last summer month below!

Passion for the Zuckerbrins: Durov, Musk and Zuckerberg in the news headlines

The night of August 25 brought sudden news: Pavel Durov was detained at the Paris airport and taken into custody. He was taken straight off the steps of his private jet. A warrant was issued for Durov, a French citizen since 2021, and French media immediately reported that he would definitely be arrested.

The French authorities accused Durov of complicity in drug trafficking, crimes against children, terrorism, money laundering and fraud due to the lack of moderation on Telegram. The French prosecutor's office soon issued a press release on the arrest of Pavel Durov. He is being investigated under 12 articles, including refusal to cooperate and the dissemination of everything imaginable on Telegram. Separately, it is worth noting “Illegal provision of cryptographic means beyond what is necessary to ensure confidentiality.” The wording is wonderful.

In the following days, the plot around Durov's arrest continued to unfold. As the WSJ wrote, in 2018 he had lunch with Macron, who offered him citizenship and, at the same time, proposed moving Telegram's headquarters to Paris. Durov refused, but eventually received citizenship anyway.

And a year before this meeting, French intelligence, together with the UAE special services (!), hacked Durov's iPhone. The French were unhappy that Telegram was being used by terrorists from the Islamic State. Telegram had been ignoring subpoenas and court orders requiring interaction with the authorities for years.

In other words, Durov's adventures in France clearly did not begin yesterday, and his behind-the-scenes relations with the French and the Emirates have been complicated all these years. Apparently, Durov took too long to answer Macron's calls this time. And in the end, it was the turn of people with cool heads to make him an offer he couldn't refuse. For now, we can only speculate why Durov, who had been avoiding European security officials for a long time, went to France. And whether he was flying to a deal that took a wrong turn.

Durov's arrest has given rise to numerous speculations about what might await Telegram and whether Durov will give encryption keys or other privileges for access to chats and their owners to French — and other — intelligence. The story has also encouraged those wishing to give Telegram a hard time around the world, and news of numerous claims against the messenger and possible blocking began to surface in India, Indonesia, South Korea and other countries.

And numerous lovers of freedom and democracy suddenly got out of their shells and began to praise France for its unprecedented actions against Durov. After all, now the good secret services will take the encryption keys from the bad ones, and everything will be fine!

In the end, Pavel Durov was released on bail of €5 million. He is banned from leaving France and must report to the police twice a week. The absurd charges are based on previously announced articles, including refusal to cooperate, illegal provision of cryptographic means, and complicity in the distribution of drugs and other seditious matters. So the saga continues.

Meanwhile, for fans of OSINT, the screenshot is a clear example of why you shouldn't take Instagram girls with you on business trips. They will document everything online. Everything. Including visits to the Azerbaijani cybersecurity center before flying to France. With the caption “Visited the Ministry of Cybersecurity.”

Durov's companion's Instagram posts with geotags led some publications not only to accuse her of tipping off the police about Durov's arrival time in France, but also to claim that the lady had a Mossad agent card in her pocket. Major Vavilova has arrived as ordered, I wish her health.

Against the backdrop of the Durov arrest, Mark Zuckerberg abruptly rethought his previous decisions in terms of interaction with the authorities and threw the entire Democratic Party of America under the bus. In August, Zuckerberg admitted the obvious-yet-incredible: Facebook closely cooperated with the US authorities to censor content. For instance, during the pandemic, any information about Covid that did not fit the official agenda was censored.

And before the 2020 presidential election, Facebook fought against disinformation from… ubiquitous Russian hackers. Links to the investigation into Biden's son were actively blocked and downgraded in search results. As Zuckerberg reported, it has since become clear that this was not Russian disinformation, but the everyday adventures of the celestials from the US government circles. Mark is now terribly remorseful and firmly convinced that there is no need to interfere in elections and succumb to pressure from any administration. And in general, it is worth checking content for disinformation and illegality before blocking it and downgrading it in search results.

In general, either the company's PR department is running its standard corporate-apology routine, or they are preparing in advance for Trump's possible return to the White House. Zuckerbrin will not allow this scoundrel to put pressure on Facebook. Trump himself, in his usual manner, has already threatened the platform's creator with life imprisonment for interfering in the upcoming elections.

In August, Brazil set the trend in blocking all seditious things: the country's supreme court issued a decision to immediately suspend eX-Twitter for failing to cooperate with the authorities in removing illegal content and for refusing to appoint an official representative. The latter had previously been threatened with imprisonment for failing to censor content.

The discontent is related to disinformation on the platform, namely the presence of content on it that “threatens Brazilian democracy.” As usual, no matter the complexity of the political system, be it a Latin American garbage dump or a global hegemon, democracy is when democrats win. And non-democrats are censored.

Musk's companies' assets in the country were also frozen, including those unrelated to the social network, such as Starlink. Musk eventually announced that access to X via Starlink was blocked, apparently to unfreeze the funds. But he also revealed the demands of the Brazilian authorities and began publishing lists of accounts that the ruling party was seeking to block. As expected, they included public and political figures, as well as relatives of politicians and journalists.

A separate piece of know-how from the Brazilian justice system is the fines for those who decide to bypass the access ban, say, using a VPN. Any person or company faces sanctions of 50 thousand reais. Per day. That is about 800 thousand rubles. At the same time, there are 22 million X users in Brazil, and it is the most downloaded application in the country. In general, expect this novelty to arrive in every home soon. 800 thousand in fines – and the Tbilisi threads will be sent to the dustbin of the history of the Runet. This is the price of salvation.

National Public Data leaks data on Americans

In April, a US data broker called National Public Data, which handles background checks and similar screening, suffered a massive leak: 2.7 billion records on Americans. The database was then put up for sale for $3.5 million, and in August the attackers announced plans to leak it.

And soon the database surfaced in the public domain on the latest iteration of Breached. The scale of the leak could well be comparable to the 2013 Yahoo hack, which affected all three billion user accounts on the platform. At that time, it cost Yahoo $150 million in lawsuits. The data broker that allowed this leak, apparently, should also mentally prepare itself.

The 2.7 billion records contain names, addresses, and social security numbers. The latter are especially noteworthy, as they are the key to much information in the US, so there is serious potential for fraud. Some of the records also contain data on relatives, and some contain information on people going back 30+ years — everything the data broker was able to collect for sale. The leak potentially affects almost every American, but some of the data that has been checked against the database does not match up, so it is either outdated or inaccurate in places. The company did not respond to questions about the leak, but it has no time for that now — several class action lawsuits have already been filed against it, and a leak of this scale threatens not a fine of 60 thousand rubles, but millions of dollars.

Soon, curious details of this massive leak emerged. A sister company with access to the same databases had, publicly available on the home page of its website, an archive containing source code and the passwords to the admin panel and backend.

The archive was on the site until August 19, when journalists reported on it. And the passwords match those that had previously leaked from the accounts of the NPD founder. He himself reported that the archive had been removed from the sister site, that the site would soon be shut down, that it was in any case an old site with non-working code, and that due to the ongoing investigation he could not provide more details. But none of this sounds very convincing. So, behind the leak of 2.7 billion records covering, according to preliminary estimates, 272 million people, there may be a minor information security misunderstanding of this sort.

Law on foreign software in Russia and on cyberterrorists in the USA

Last month, information appeared that as early as September a bill on a special fee from businesses for foreign software will be introduced in the State Duma. According to the plans, businesses will pay for licenses into special ruble accounts, and if copyright holders refuse such generosity, the money will go to a fund to support Russian IT.

The measure, as usual, is unpopular, but is aimed at stimulating the transition to Russian software. It will not affect small and medium businesses, nor budget-funded organizations. Some market participants are not happy with the planned innovations and are not shy about expressing concern, citing the difficulties and costs of developing their own software. At the same time, every fifth company that owns critical infrastructure reported a year ago that it will not have time to switch to domestic software by 2025.

With an eye on the new fees, some will probably decide to reconsider their passion for the remnants of the unipolar world in the form of Western software that is alien to us. Especially considering that more and more platforms continue to close access to Russians in the wake of fresh sanctions – Notion and Coda recently announced their departure from the country.

There is also an interesting bill in the works in the US. The Senate Intelligence Committee is proposing to equate ransomware attacks with terrorism. The attackers would then become “hostile foreign cybercriminals” and the countries that harbor them would become “state sponsors of ransomware.”

Supporters of the law believe that it will send an important signal about the intention to fight cybercrime. At the same time, some experts doubt that it will be of any use: countries already subject to sanctions are unlikely to notice the new ones, and the criminals hiding under them will not change their behavior. And the big players involved in real politics will not be throwing the label “state sponsor of [cyber]terrorism” around – a fight is a fight, but behind-the-scenes negotiations are more important.

So whether the law will be a turning point in the war on cybercrime or will simply give comrade Wazawaka and company the opportunity to flex their status as international cyberterrorists is hard to say.

On the way to new records: the state of affairs on the ransomware scene

In August, two interesting reports about the first half of the year in the ransomware world were published. So, 2024 is expected to become a record-breaker for ransomware payments: in the first half of the year, attackers were paid more than $459 million. Despite the fact that the number of companies willing to pay ransoms following encryption has decreased by almost a third, median payments and the number of attacks are growing. And attackers are more often targeting large businesses and critical infrastructure, which are able to pay out a large jackpot.

At the same time, compared to the same period last year, the growth in total payouts is small – only 2%. Cryptocurrency thefts showed much more impressive growth: the amount almost doubled – from $857 million to $1.58 billion. The average theft amount also almost doubled, reaching $10.6 million. The increased Bitcoin rate is partly responsible for this; for the same reason, crypto thieves are returning to their roots – attacks on centralized platforms, where Bitcoin trading is more popular. Read more about the records of 2024 here.

An analysis of the first half of 2024 in the ransomware world also shows a steady increase in activity despite the successes of law enforcement agencies. And more than half of the incidents were attributed to six groups.

With BlackCat gone and LockBit facing serious problems, Play, Akira, and 8Base have strengthened their positions. BlackBasta and Medusa have also made it into the top 6, while newcomers include RansomHub and DragonForce. The manufacturing sector suffered the most, accounting for 16.4% of attacks, followed by healthcare and construction, with 9.6% and 9.4% of attacks, respectively.

As expected, the absolute leader in the number of incidents among countries is the United States — 52% of attacks were in the States, with 917 recorded incidents. Canada is next, with only 109 attacks. So the United States continues to be the main sponsor of the CIS ransomware scene with its dreams of yachts and a luxurious life. Read more about the trends of the first half of the year in the report.

WWH Club and Dispossessor go under the FBI knife

In August, the notorious darknet forum WWH Club was seized by the FBI, and its owner was arrested in Florida: another of our compatriots, Pavel Kublitsky. Another administrator was named as Alexander Khodyrev from Kazakhstan. It is not clear from the case whether he was detained.

WWH Club was a hub for all sorts of cybercriminal activities and had 170,000 users. According to the case file, the FBI gained access to the site's admin panel and database. And they sorted it out with Google Translate, since the admin panel was in Russian. Kublitsky and Khodyrev showed up in the US in December 2022 and applied for asylum, but lived in luxury, throwing money around.

Meanwhile, the case file reveals Kublitsky's postal address. And thanks to it, it became clear that the comrade was from Omsk, several cases had been opened against him by the bailiffs, and he was one of the leaders of MMM-2011, in charge of the Omsk branch. As usual, habit is second nature. From one large-scale fraudulent operation to another, and in the footsteps of his ideological leader – behind bars.

Last month, the FBI also intercepted another ransomware operation – this time the Dispossessor group went under the knife. Fans of damn good coffee joke on the seizure banner: the attackers' servers were “repossessed”. That is, seized.

The operation has been active since August 2023, led by a certain Brain, and has claimed at least 43 victims. Remarkably, its website regularly posted data surfaced from hacks by other groups, such as Cl0p, Hunters International and 8base – apparently, Dispossessor was actively luring disgruntled partners from other RaaS operations to itself, and the data they had stolen was reused for blackmail. In July, the group also began using the leaked LockBit 3.0 builder, sharply increasing the scale of its attacks.

However, now Dispossessor's servers in the US, UK and Germany have been intercepted, and the group's partners are forced to find a new front for their cybercriminal activities.

August curiosities from the world of information security

The month was rich in curious cases from the world of information security. Thus, in the USA, a hacker found an original way to avoid paying child support: he hacked the registration system and forged his own death certificate. Using a stolen doctor's account, the attacker created a fictitious case, entered the data for the certificate and certified it with the doctor's digital signature. The documents were filled out correctly, so that in many government databases the attacker was marked as deceased.

As a result, the comrade avoided repayment of alimony debts and further payments. This was not the end of his hacker career, and he continued to hack networks, moonlighting as an initial access broker. Alas, the multi-move was eventually revealed, and the hero of the story was sentenced to almost 7 years in prison and a $195,000 fine. Which includes missed alimony payments. The Ostap Bender of the cybercrime world missed an important step in staging his own death – an escape to distant warm lands.

Last month, the University of California's security team decided to conduct anti-phishing training for students and staff. After that, a nightmare began on campus: according to the letter, one of the colleagues had returned from South Africa with Ebola. For more information, it was suggested to follow the link. Classic.

The university did not appreciate such an original campaign to combat phishing. So the information security department had to apologize for causing panic and undermining trust not only in official reports, but also in beautiful, distant South Africa, where there have been no cases of Ebola since 1996. In doing so, the university's security team simply used a real phishing email received a few weeks earlier as a template. But as usual, what is allowed to a cybercriminal is not allowed to a security specialist.

And finally, the last month of summer brought another instructive story about an attempt to extort an employer. A 57-year-old developer from the USA logged into his company's network under an admin account and set up scheduled tasks to change the passwords of the admin account, the domain administrators and the users. Last November, at the right moment, he sent out letters to the company saying “Your network has been hacked.”

The attacker demanded a ransom of $700,000 in bitcoins and threatened to shut down 40 servers a day until it was paid. He had prudently set up scheduled tasks for this as well. Alas, the prank failed. And on the fellow's laptop they found an access history to a hidden virtual machine, from which he had googled the details of his plan, right down to “Command line to change the administrator password.”
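The pattern in this story (scheduled tasks whose action rotates passwords or shuts down servers, followed by a burst of password resets from one account) is easy to pick out of Windows Security logs. Below is an added defender-side example, not code from the original post or from any investigation: it correlates constructed JSON-lines records modelled on event IDs 4698 (scheduled task created) and 4724 (password reset attempted). The field names `subject`, `task`, `command` and `target` are simplified assumptions for the sample; real exports nest these differently.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (JSON lines). Event IDs are real Windows Security
# IDs; the flat field names and every account/host/task name are hypothetical.
SAMPLE_LOG = r"""
{"ts": "2023-11-24T09:00:00", "id": 4698, "subject": "CORP\\svc_backup", "task": "\\Backup\\Nightly", "command": "robocopy D:\\data \\\\nas\\backup /MIR"}
{"ts": "2023-11-24T10:15:00", "id": 4724, "subject": "CORP\\helpdesk", "target": "carol"}
{"ts": "2023-11-24T21:02:11", "id": 4698, "subject": "CORP\\devuser", "task": "\\Maint\\Cleanup", "command": "net user Administrator <redacted>"}
{"ts": "2023-11-24T21:02:40", "id": 4698, "subject": "CORP\\devuser", "task": "\\Maint\\Rotate", "command": "powershell -c Set-ADAccountPassword -Identity domadmin -Reset"}
{"ts": "2023-11-24T21:03:05", "id": 4698, "subject": "CORP\\devuser", "task": "\\Maint\\Stop", "command": "shutdown /s /m \\\\srv01 /t 0"}
{"ts": "2023-11-24T21:10:00", "id": 4724, "subject": "CORP\\devuser", "target": "alice"}
{"ts": "2023-11-24T21:10:01", "id": 4724, "subject": "CORP\\devuser", "target": "bob"}
{"ts": "2023-11-24T21:10:02", "id": 4724, "subject": "CORP\\devuser", "target": "dave"}
{"ts": "2023-11-24T21:10:03", "id": 4724, "subject": "CORP\\devuser", "target": "erin"}
{"ts": "2023-11-24T21:10:04", "id": 4724, "subject": "CORP\\devuser", "target": "frank"}
"""

# Commands a legitimate scheduled task rarely needs: credential changes and shutdowns.
SUSPICIOUS_COMMAND = re.compile(
    r"\bnet\s+user\b|Set-ADAccountPassword|Set-LocalUser|Reset-ComputerMachinePassword"
    r"|\bshutdown\s+/[sr]\b|Stop-Computer|Restart-Computer",
    re.IGNORECASE,
)
RESET_WINDOW = timedelta(minutes=10)
RESET_THRESHOLD = 5  # distinct accounts reset by one subject inside the window


def parse_events(text):
    """Parse a JSON-lines export into dicts, converting 'ts' to datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def suspicious_tasks(events):
    """4698 events whose action matches a password-change or shutdown command."""
    return [e for e in events if e["id"] == 4698 and SUSPICIOUS_COMMAND.search(e["command"])]


def reset_bursts(events):
    """Subjects that reset RESET_THRESHOLD or more distinct accounts within RESET_WINDOW."""
    by_subject = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            by_subject[e["subject"]].append(e)
    bursts = {}
    for subject, resets in by_subject.items():
        start = 0  # sliding window over the time-ordered resets of this subject
        for end in range(len(resets)):
            while resets[end]["ts"] - resets[start]["ts"] > RESET_WINDOW:
                start += 1
            targets = {r["target"] for r in resets[start:end + 1]}
            if len(targets) >= RESET_THRESHOLD:
                bursts[subject] = sorted(targets)
    return bursts


def correlate(events):
    """Findings keyed by subject; 'high' when one account shows both signals."""
    tasks_by_subject = defaultdict(list)
    for t in suspicious_tasks(events):
        tasks_by_subject[t["subject"]].append(t["task"])
    bursts = reset_bursts(events)
    findings = {}
    for subject in set(tasks_by_subject) | set(bursts):
        both = subject in tasks_by_subject and subject in bursts
        findings[subject] = {
            "severity": "high" if both else "medium",
            "tasks": tasks_by_subject.get(subject, []),
            "reset_targets": bursts.get(subject, []),
        }
    return findings


if __name__ == "__main__":
    for subject, finding in correlate(parse_events(SAMPLE_LOG)).items():
        print(subject, json.dumps(finding, indent=2))
```

On the sample, the backup task and the single helpdesk reset stay quiet, while `CORP\devuser` is reported as high severity for creating three suspicious tasks and resetting five accounts inside four seconds. Either signal alone is worth a medium alert: a task that rotates the domain admin password is unusual enough to review even before any reset burst, which is the point at which this story could have been stopped.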

In August, the would-be blackmailer was caught and charged with extortion, equipment damage and electronic fraud. This is what happens when you read about the successes of ransomware operators and believe in yourself too much.
