Bitfinex Arrest
The arrests of Ilya “Dutch” Lichtenstein and his wife, Heather Morgan, for allegedly laundering $4.5B in BTC stolen in the 2016 Bitfinex hack make for a fascinating and at times wacky story of the FBI’s investigative capabilities. Only about 94K of the roughly 120K BTC stolen were seized.
Below are select documents which describe the hunt and the eventual arrest:
- US DoJ – Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency contains detailed investigation timeline including the AlphaBay connection and a BTC wallet decrypted on Ilya’s cloud drive.
- US District Court – Government’s reply in support of review of detention order provides further details of the investigation and an escape plan.
- Heather Morgan Ethereum wallet analysis with a $7M balance and a registered RZK.eth ENS name by CryptoGulper.
- The Rabbit Hole Beneath the Crypto Couple Is Endless by Vice provides a great overview of the above two documents as well as commentary from their friends and coworkers.
21-Month Sentence for Cyberattacks Against School, IT Firm
A UK court has sentenced a former IT tech to 21 months in jail for launching cyberattacks against a school and an IT firm. Adam Georgeson had worked for the school, but was fired after they learned of prior fraud convictions. He launched the attack against the school while employed at an IT firm. After he lost his job at that firm, he launched an attack against its network.
Note
- Good reminder for security teams and IT teams: background checks should be a regular part of hiring anyone who will be given privileged system access. Not a popular topic, but critical. While you’re working with human resources/employment, make sure that, when the decision is made to terminate an employee, turning off all internal and remote access is part of the process.
- The employee had two prior convictions for fraud which, when discovered, resulted in his termination. It is better to do background checks up front, even though they may slow the onboarding processes, rather than having to deal with a disgruntled employee who may have privileged access. For those already doing background checks, how many of you are revisiting them at some interval? I have seen good people make bad choices; I’ve seen employers help that employee retain their job and recover from those decisions.
- A privileged insider threat is one of the toughest to detect and respond to. I am familiar with only a few organizations that have dedicated insider threat programs and teams. As usual, consider your threat model and maturity level without focusing on only a single type of threat.
Read more in
- Adam Georgeson: IT technician jailed for revenge cyber-attacks
- Man jailed after pleading guilty to computer misuse
Google’s Project Zero 2021 Metrics
Google’s Project Zero says that vendors took an average of 52 days to fix reported vulnerabilities. Three years ago, the average time to fix was 80 days. The vendors with the shortest average time to fix were Linux, Mozilla, and Google.
Note
- Great to see that vendors are responding faster to vulnerabilities, and great to see open-source software leading the pack. Looks like “bullying” by Google with its hard 90-day disclosure timeline works. But as an end user, you will still have to apply these patches to mitigate vulnerabilities.
- The good news is time to fix has been trending down across the board. However, at Google’s level of data collection, you can’t see the reason for the length of time to fix. In the old days of much longer software life cycles, easy to find/quick to fix bugs happened early and hard to find/long time to fix bugs were expected later in the life cycle. When time to fix is low because input validation errors (and other OWASP top 10 vulnerabilities) are still being built into software, that is not really a good thing.
- This is a great improvement. One wonders what the trend for vulnerabilities introduced via third-party or local coding flaws looks like. As suppliers get a handle on remediation and we’ve got mad skills testing and deploying updates, emphasis on secure coding and assessing included components needs to increase to reduce the likelihood of flaw inclusion in the first place.
- This is a great report that is easy to read and understand; highly recommend taking a couple of minutes to read it. I love the transparency and look for more vendors to share this type of data.
Read more in
- A walk through Project Zero metrics
- Google Project Zero: Vendors are now quicker at fixing zero-days
- Google: Vendors took an average of 52 days to fix reported security vulnerabilities
Adobe Releases Emergency Patches for Commerce and Magento
Adobe has released emergency updates for Adobe Commerce and Magento Open Source to fix a critical flaw that is being actively exploited. The improper input validation vulnerability can be exploited without authentication to achieve arbitrary code execution.
Note
- Patching may already be too late by the time you read this. Treat any unpatched systems as compromised. This vulnerability was discovered and reported to Adobe after it already had been exploited. Exploitation is pretty straightforward. Web application firewalls will likely not protect you. Magento is the gift that keeps on giving for attackers. Also noteworthy that the patch arrived as an actual “patch” file, and needs to be applied manually. If you can: Take Magento out back and put it out of its misery while replacing it with something… anything… else.
- This corrects an improper input validation flaw (CVE-2022-24086) with a CVSS base score of 9.8. Note that this is for the 2.4.3-p1 or 2.3.7-p2 and earlier versions of Adobe Commerce or Magento Open Source. If you’re on Magento 1.x, you still need to update to Magento version 2 to get the fix.
Read more in
- Security update available for Adobe Commerce | APSB22-12
- Patch now: Adobe releases emergency fix for exploited Commerce, Magento zero-day
- Adobe: Zero-Day Magento 2 RCE Bug Under Active Attack
- Emergency Magento update fixes zero-day bug exploited in attacks
CISA Adds 15 More Flaws to Known Exploited Vulnerability Database
The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 more vulnerabilities to its Known Exploited Vulnerability database. The new entries include vulnerabilities in products from Apple, Microsoft, Apache, and Oracle. One of the flaws – a Windows SAM local privilege elevation vulnerability – has a remediation due date of February 24, 2022; the other 14 vulnerabilities need to be remediated by August 10, 2022.
Note
- Each addition to the database includes a remediation date. Some of these flaws date back to 2017; they are included because they are still being exploited. Don’t forget to capture the due dates as you’re digesting the new flaws.
- Kudos to CISA for developing the Known Exploited Vulnerability Database. All companies should ensure that they have the Known Exploited Vulnerability Database included as part of their vulnerability management program.
- One hopes that actual remediation will be measured in days, rather than weeks to months.
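As an added example (not CISA's code and not from any of the articles linked below), the following Python shows one way to fold the Known Exploited Vulnerabilities catalog into a vulnerability management workflow: parse the catalog's JSON feed, join it against a scanner's per-host CVE list, and rank findings by days remaining until CISA's due date, flagging the ones already overdue. The field names match CISA's published feed; the entries, dates and the two placeholder CVE IDs (CVE-2017-00001, CVE-2021-00002) are constructed for this example, and even the dates shown for CVE-2022-24086 are illustrative rather than CISA's. The scanner inventory is likewise made up.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names are the feed's; the entries, dates and the two placeholder
# CVE IDs (CVE-2017-00001, CVE-2021-00002) are made up for this example.
# The dates shown for CVE-2022-24086 are illustrative, not CISA's.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.02.15",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2022-24086", "vendorProject": "Adobe",
     "product": "Commerce and Magento Open Source",
     "vulnerabilityName": "Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability",
     "dateAdded": "2022-02-15", "shortDescription": "Unauthenticated arbitrary code execution.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-03-01", "notes": ""},
    {"cveID": "CVE-2017-00001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder 2017 flaw still being exploited",
     "dateAdded": "2022-02-10", "shortDescription": "Placeholder.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-16", "notes": ""},
    {"cveID": "CVE-2021-00002", "vendorProject": "ExampleVendor", "product": "ExampleOS",
     "vulnerabilityName": "Placeholder 2021 flaw",
     "dateAdded": "2022-02-10", "shortDescription": "Placeholder.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-08-10", "notes": ""}
  ]
}"""

# Constructed scanner output: host -> CVE IDs the scanner reported.
SAMPLE_INVENTORY = {
    "web-01": ["CVE-2022-24086", "CVE-2020-99999"],   # second ID is a placeholder not in KEV
    "dc-01": ["CVE-2021-00002", "CVE-2017-00001"],
    "print-01": [],
}


def load_kev(json_text):
    """Parse the KEV feed into a dict keyed by CVE ID."""
    doc = json.loads(json_text)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def prioritize(kev, inventory, today):
    """Return scanner findings that appear in KEV, most urgent first.

    Each finding carries CISA's due date and the days left (negative when
    overdue). Findings not in KEV are dropped here, not because they do not
    matter, but because this queue is the 'known exploited' one that jumps
    the line in front of everything else.
    """
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            findings.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["cve"], f["host"]))
    return findings


def overdue_hosts(findings):
    """Hosts carrying at least one KEV entry that is past its due date."""
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for f in prioritize(kev, SAMPLE_INVENTORY, date(2022, 2, 20)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']:>4}d"
        print(f"{flag}  {f['due']}  {f['cve']:<15} {f['host']:<9} {f['product']}")
```

In a real pipeline the feed is fetched on a schedule and the inventory comes from your scanner's export; the point of the join is that a ten-year-old CVE with a two-week CISA due date outranks a fresh CVSS 9.8 that nobody is exploiting yet.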
Read more in
- CISA Adds 15 Known Exploited Vulnerabilities to Catalog
- US govt: Here are another 15 security bugs under attack right now
- Microsoft, Oracle, Apache and Apple vulnerabilities added to CISA catalog
Missouri Journalist Won’t be Charged with Hacking
The journalist who found and responsibly disclosed a vulnerability in a state government website will not face hacking charges. Josh Renaud viewed the site’s publicly available HTML code and found that it exposed sensitive information of school employees.
Note
- Viewing the source of a web page and discovering a flaw cannot be characterized as hacking nor committing an illegal act. The journalist is to be commended for responsibly reporting what they found. And while nobody likes being told they have a flaw in their code (particularly me), I would rather learn via a disclosure process than by reading an incident response or data loss report.
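An added example, not code from the page or from any of the parties in the story: a Python check a web team can run over its own rendered pages before publishing, to catch SSN-shaped values in visible text, attribute values (including hidden form fields), HTML comments and inline scripts. It goes one step beyond the story by also decoding base64-looking tokens, because encoding is not protection against anyone who can read the source. The HTML below is constructed for the example; the SSN pattern is the usual area-group-serial shape with the invalid area numbers (000, 666, 9xx) excluded.

```python
import base64
import re
from html.parser import HTMLParser

# Area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Runs of base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


class _Collector(HTMLParser):
    """Gather every place a value can hide: text nodes, attributes, comments, scripts."""

    def __init__(self):
        super().__init__()
        self.chunks = []  # (where, text)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.chunks.append((f"<{tag} {name}>", value))

    def handle_data(self, data):          # also receives <script>/<style> bodies
        self.chunks.append(("text", data))

    def handle_comment(self, data):
        self.chunks.append(("comment", data))


def find_ssns(html):
    """Return [(location, ssn)] for every SSN-shaped value in the page source."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    hits = []
    for where, text in parser.chunks:
        for m in SSN_RE.finditer(text):
            hits.append((where, m.group()))
        # Encoded is not hidden: try base64 on anything that looks like it.
        for token in B64_RE.findall(text):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            for m in SSN_RE.finditer(decoded):
                hits.append((f"{where} (base64)", m.group()))
    return hits


# Constructed sample page; the SSNs and the employee are made up.
_ENCODED = base64.b64encode(b'{"ssn":"345-67-8901"}').decode()
SAMPLE_HTML = f"""<html><body>
<h1>Staff lookup</h1>
<p>Jane Doe, Example Elementary, certified 2015</p>
<input type="hidden" name="emp" value="123-45-6789">
<!-- TODO remove before release: ssn 234-56-7890 -->
<script>var rec = "{_ENCODED}"; render(rec);</script>
</body></html>"""

if __name__ == "__main__":
    for where, ssn in find_ssns(SAMPLE_HTML):
        print(f"{where:<22} {ssn}")
```

Run it against a crawl of your own site rather than a single page; anything it reports should be removed at the server, not merely hidden in the browser, since the journalist in this story needed nothing more than "view source".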
Read more in
- Missouri governor rebuffed: Journalist won’t be prosecuted for viewing HTML
- Missouri prosecutor won’t charge reporter governor accused of ‘hacking’
- Missouri will not charge reporter that governor accused of hacking
Spanish Police Arrest Alleged SIM Swappers
Spanish police have arrested eight people in connection with a SIM-swapping scheme. The suspects allegedly impersonated bank officials to gather customer information, which they used to obtain duplicate SIM cards from phone stores and then steal funds from targeted accounts.
Note
- And this is why SMS as a validator is dangerous. In this scenario, your coverage drops when the duplicate SIM is activated, but depending on timing you may not notice the interruption, and by then it’s all over. Beyond ensuring all the security for your mobile carrier is in place to prevent unauthorized porting/etc., configure SMS or phone calls for account validation only as a last resort.
- The carriers have made SIM swapping harder, but as this item points out it is still possible. While SMS messaging does not reduce risk to zero, it is far better than staying at reusable passwords. As Microsoft’s report pointed out, 99.9% of successful phishing attacks would have failed if just SMS messaging was in use. Use authenticator apps and biometrics wherever possible but don’t stay with reusable passwords if those are not options.
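To make the "authenticator app" alternative concrete, here is an added example (not code from the articles below or from any carrier or bank) of the TOTP scheme those apps implement: a shared secret enrolled once via a QR code, after which codes are derived from HMAC-SHA1 over the current 30-second counter, so nothing ever transits the phone network and a SIM swap gains the attacker nothing. The server-side verifier goes a bit beyond a minimal implementation by tolerating one step of clock drift and by refusing to accept a counter it has already accepted, so a code phished or shoulder-surfed in its own window cannot be replayed. The key is the RFC 6238 Appendix B test secret; the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (the app side)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key, code, unix_time, last_counter=None, step=30, window=1):
    """Server-side check. Returns the matched counter, or None on failure.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any counter at or below `last_counter` (the counter of the last
    code this user was accepted with) so an intercepted code cannot be
    replayed inside its own 30-second window.
    """
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


def provisioning_uri(issuer: str, account: str, key: bytes) -> str:
    """The otpauth:// URI carried in the QR code an authenticator app scans once."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real
# deployment generates a random 20-byte secret per user (secrets.token_bytes)
# and stores it as carefully as a password hash.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri("ExampleBank", "alice@example.com", RFC_KEY))
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_KEY, t))
```

The contrast with SMS is the enrollment step: the secret is delivered once over a channel the user controls (the QR code on an authenticated session) and never again, whereas SMS re-delivers the secret every login through a carrier whose store clerk can be talked into issuing a duplicate SIM. TOTP still does not resist real-time phishing of the code itself; for that you need origin-bound authenticators such as FIDO2/WebAuthn.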
Read more in
- Police in Spain dismantle a SIM-swapping ring that drained bank accounts
- Spanish Police Arrest 8 Over SIM Swapping Fraud
- Spanish Police Arrest SIM Swappers Who Stole Money from Victims Bank Accounts
Moxa MXview Vulnerabilities
Researchers at Claroty have found five vulnerabilities in the Moxa MXview web-based network management system. Several of the flaws could be chained together to allow remote unauthenticated users to execute code. Users are urged to upgrade to MXview version 3.2.4 or later.
Note
- The fixes were made last September and the ICS Advisory (ICSA-21-278-03) was released October 5, 2021. The primary mitigation is to update to version 3.2.4; additionally, use strong passwords rotated regularly and restrict access to the system, particularly port 8883 to known authorized systems. Make sure that you’re properly segmenting these systems away from business systems.
Read more in
- Critical Security Flaws Reported in Moxa MXview Network Management Software
- Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa
- Securing Network Management Systems (Part 2): Moxa MXview
- ICS Advisory (ICSA-21-278-03) Moxa MXview Network Management Software
State Dept. Orders Staff to Destroy IT Equipment at Embassy in Ukraine
The US State Department has ordered staff at the US embassy in Kyiv, Ukraine, to destroy IT equipment there. The State Department is temporarily relocating its Ukrainian embassy from Kyiv to Lviv. Many embassy staff members have been withdrawn from Ukraine altogether.
Note
- Should the escalating tensions in that region turn into an outright conflict there will be a cyber dimension to that conflict. That cyber dimension won’t be restricted by borders or regions so I recommend you check your supply chain to see how dependent you are on any providers based in Ukraine and how you can continue your operations in the event they become unavailable. I also recommend you heighten your cybersecurity preparedness to prevent your organisation from becoming a collateral victim by following the guidelines issued by the UK government’s NCSC at www.ncsc.gov.uk: UK organisations encouraged to take action in response to current situation in and around Ukraine.
- When abandoning, exchanging, or otherwise surrendering equipment, making sure it is fully purged of data is a critical step. Don’t forget copiers, printers, phones, and anything else that has data storage. Additionally, destruction of equipment may be necessary to prevent an adversary from obtaining unwanted technical advantages or insight.
Read more in
- State Department orders destruction of IT equipment at Kyiv embassy
- US Embassy in Kyiv destroying documents as drawdown underway
Colorado’s New Election Security Rules
Colorado’s Secretary of State has announced new, temporary rules for voting system security. “The rules include measures restricting physical and electronic access to the voting system and outline the enforcement mechanisms necessary to ensure election security compliance.” The rules address password and user account security; acceptable use policy; hard drive imaging; trusted build procedures; seal requirements; access to secure areas and voting systems; and access to election management systems.
Note
- Two Colorado counties have had serious violations of maintaining the integrity of election systems and data. These violations pointed out that politically motivated insider malicious behavior is a bigger threat than external hacking. The temporary rules seem like they should have been in place before and, as part of an overall review, would likely become permanent.
- Much publicity has focused on validating those wishing to cast a ballot; these measures will increase the integrity and security of the systems used to count and process ballots once cast. These measures are appropriate for any system processing sensitive data where integrity is a core requirement. While password complexity is called for, it’s time to phase out passwords in favor of replay and phishing resistant authenticators.
- As practitioners, we often forget that for the security of systems of public trust, there are two important qualities: actual security and the perception of security. Here’s hoping this commendable move by Colorado brings both!