image
ConnectWise, a self-hosted, remote desktop software application that is widely used by Managed Service Providers (MSPs), is warning about an unusually sophisticated phishing attack that can let attackers take remote control over user systems when recipients click the included link. The warning comes just weeks after the company quietly patched a vulnerability that makes it easier for phishers to launch these attacks. A phishing attack targeting MSP customers using ConnectWise. ConnectWise's service is extremely popular among MSPs that manage, protect and service large numbers of computers remotely for client organizations. Their product provides a dynamic software client and hosted server that connects two or more computers together, and provides temporary or persistent remote access to those client systems. When a support technician wants to use ConnectWise to remotely administer a computer, the ConnectWise website generates an executable file that is digitally signed by ConnectWise and downloadable by the client via a hyperlink. When the remote user in need of assistance clicks the link, their computer is then directly connected to the computer of the remote administrator, who can then control the client's computer as if they were seated in front of it. While modern Microsoft Windows operating systems by default will ask users whether they want to run a downloaded executable file, many systems set up for remote administration by MSPs disable that user account control…

Source

image
A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story omitted an important historical detail about Pushwoosh: In 2013, one of its developers admitted to authoring the Pincer Trojan, malware designed to surreptitiously intercept and forward text messages from Android mobile devices. Pushwoosh says it is a U.S. based company that provides code for software developers to profile smartphone app users based on their online activity, allowing them to send tailor-made notifications. But a recent investigation by Reuters raised questions about the company's real location and truthfulness. The Army told Reuters it removed an app containing Pushwoosh in March, citing "security concerns." The Army app was used by soldiers at one of the nation's main combat training bases. Reuters said the CDC likewise recently removed Pushwoosh code from its app over security concerns, after reporters informed the agency Pushwoosh was not based in the Washington D.C. area — as the company had represented — but was instead operated from Novosibirsk, Russia. Pushwoosh's software also was found in apps for "a wide array of international companies, influential nonprofits and government agencies from global consumer goods company Unilever and the Union of European Football…

Source

image
Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called "Zeppelin" in May 2020. He'd been on the job less than six months, and because of the way his predecessor architected things, the company's data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter's bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. "Don't pay," the agent said. "We've found someone who can crack the encryption." Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder — Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn't long before James discovered multiple vulnerabilities in the malware's encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers. In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn't want to tip its hand to Zeppelin's creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed. This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their…

Source

image
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. The Disneyland Team's Web interface, which allows them to interact with malware victims in real time to phish their login credentials using phony bank websites. The Disneyland Team uses common misspellings for top bank brands in its domains. For example, one domain the gang has used since March 2022 is ushank[.]com — which was created to phish U.S. Bank customers. But this group also usually makes use of Punycode to make their phony bank domains look more legit. The U.S. financial services firm Ameriprise uses the domain ameriprise.com; the Disneyland Team's domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain], which displays in the browser URL bar as ạmeriprisẹ[.]com. Look carefully, and you'll notice small dots beneath the "a" and the second "e". You could be forgiven if you mistook one or both of those dots for a spec of dust on your computer screen or mobile device. This candid view inside the Disneyland Team comes from Alex Holden, founder of the Milwaukee-based cybersecurity consulting firm Hold Security. Holden's analysts gained access to a Web-based control panel the crime group has been using to keep track of victim…

Source

image
Vyacheslav "Tank" Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources. Wanted Ukrainian cybercrime suspect Vyacheslav "Tank" Penchukov (right) was arrested in Geneva, Switzerland. Tank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses. Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan. The U.S. Federal Bureau of Investigation (FBI) declined to comment for this story. But according to multiple sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up with his wife there. Penchukov is from Donetsk, a traditionally Russia-leaning region in Eastern Ukraine that was recently annexed by Russia. In his hometown, Penchukov was a well-known deejay ("DJ Slava Rich") who enjoyed being seen riding around in his high-end BMWs and Porsches. More recently, Penchukov has been investing quite a bit in local businesses. The JabberZeus crew's name is derived from the malware they used, which was configured to send them a Jabber instant…

Source

image
A nonprofit organization is suing the state of Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than a $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state. Federal law bars states from replacing these benefits using federal funds, and a recent rash of skimming incidents nationwide has disproportionately affected those receiving food assistance via state-issued prepaid debit cards. The Massachusetts SNAP benefits card looks more like a library card than a payment card. On Nov. 4, The Massachusetts Law Reform Institute (MLRI) filed a class action lawsuit on behalf of low-income families whose Supplemental Nutrition and Assistance Program (SNAP) benefits were stolen from their accounts. The SNAP program serves over a million people in Massachusetts, and 41 million people nationally. "Over the past few months, thieves have stolen over a million SNAP dollars from thousands of Massachusetts families – putting their nutrition and economic stability at risk," the MLRI said in a statement on the lawsuit. "The criminals attach a skimming device on a POS (point of sale) terminal to capture the household’s account information and PIN. The criminals then use that information to make a fake card and steal the SNAP benefits." In announcing the lawsuit, the MRLI linked to a story KrebsOnSecurity published last month that examined how skimming…

Source

image
Let's face it: Having “2022 election” in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we've patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November's patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild. Probably the scariest of the zero-day flaws is CVE-2022-41128, a "critical" weakness in the Windows scripting languages that could be used to foist malicious software on vulnerable users who do nothing more than browse to a hacked or malicious site that exploits the weakness. Microsoft credits Google with reporting the vulnerability, which earned a CVSS score of 8.8. CVE-2022-41073 is a zero-day flaw in the Windows Print Spooler, a Windows component that Microsoft has patched mightily over the past year. Kevin Breen, director of cyber threat research at Immersive Labs, noted that the print spooler has been a popular target for vulnerabilities in the last 12 months, with this marking the 9th patch. The third zero-day Microsoft patched this month is CVE-2022-41125, which is an "elevation of privilege" vulnerability in the Windows Cryptography API: Next Generation (CNG) Key Isolation Service, a service for isolating private keys. Satnam Narang, senior staff…

Source

image
Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer. LinkedIn's new "About This Profile" section — which is visible by clicking the "More" button at the top of a profile — includes the year the account was created, the last time the profile information was updated, and an indication of how and whether an account has been verified. LinkedIn also said it is adding a warning to some LinkedIn messages that include high-risk content, or that try to entice the user into taking the conversation to another platform (like WeChat). "We may warn you about messages that ask you to take the conversation to another platform because that can be a sign of a scam," the company said in a blog post. "These warnings will also give you the choice to report the content without letting the sender know." In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how…

Source

image
A 25-year-old Finnish man has been charged with extorting a once popular and now-bankrupt online psychotherapy company and its patients. Finnish authorities rarely name suspects in an investigation, but they were willing to make an exception for Julius "Zeekill" Kivimaki, a notorious hacker who — at the tender age of 17 — had been convicted of more than 50,000 cybercrimes, including data breaches, payment fraud, operating botnets, and calling in bomb threats. In late October 2022, Kivimaki was charged (and arrested in absentia, according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. On October 21, 2020, Vastaamo became the target of blackmail when a tormentor identified as "ransom_man" demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online. In a series of posts over the ensuing days on a Finnish-language dark net discussion board, ransom_man said Vastaamo appeared unwilling to negotiate a payment, and that he would start publishing 100 patient profiles every 24 hours "to provide further incentive for the company to continue communicating with us." "We're not asking for much, approximately 450,000 euros which is less than 10 euros per patient and only a small fraction of the around 20 million yearly revenues of this company," ransom_man wrote. When Vastaamo declined to pay, ransom_man shifted to extorting individual…

Source

image
A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the United States on charges that he acted as a core developer for Raccoon, a popular "malware-as-a-service" offering that helped paying customers steal passwords and financial data from millions of cybercrime victims. KrebsOnSecurity has learned that the defendant was busted in March 2022, after fleeing mandatory military service in Ukraine in the weeks following the Russian invasion. Ukrainian national Mark Sokolovsky, seen here in a Porsche Cayenne on Mar. 18 fleeing mandatory military service in Ukraine. This image was taken by Polish border authorities as Sokolovsky's vehicle entered Germany. Image: KrebsOnSecurity.com. The U.S. Attorney for the Western District of Texas unsealed an indictment last week that named Mark Sokolvsky as the core developer for the Raccoon Infostealer business, which was marketed on several Russian-language cybercrime forums beginning in 2019. Raccoon was essentially a Web-based control panel, where — for $200 a month — customers could get the latest version of the Raccoon Infostealer malware, and interact with infected systems in real time. Security experts say the passwords and other data stolen by Raccoon malware were often resold to groups engaged in deploying ransomware. Working with investigators in Italy and The Netherlands, U.S. authorities seized a copy of the server used by Raccoon to help customers manage their botnets. According to the U.S. Justice…

Source