Cybercrime

Finnish Data Theft and Extortion

The Finnish psychotherapy clinic Vastaamo was the victim of a data breach and theft. The criminals tried extorting money from the clinic. When that failed, they started extorting money from the patients:

Neither the company nor Finnish investigators have released many details about the nature of the breach, but reports say the attackers initially sought a payment of about 450,000 euros to protect about 40,000 patient records. The company reportedly did not pay up. Given the scale of the attack and the sensitive nature of the stolen data, the case has become a national story in Finland. Globally, attacks on health care organizations have escalated as cybercriminals look for higher-value targets.

[…]

Vastaamo said customers and employees had “personally been victims of extortion” in the case. Reports say that on Oct. 21 and Oct. 22, the cybercriminals began posting batches of about 100 patient records on the dark web and allowing people to pay about 500 euros to have their information taken down.

On That Dusseldorf Hospital Ransomware Attack and the Resultant Death

Wired has a detailed story about the ransomware attack on a Dusseldorf hospital, the one that resulted in an ambulance being redirected to a more distant hospital and the patient dying. The police wanted to prosecute the ransomware attackers for negligent homicide, but the details were more complicated:

After a detailed investigation involving consultations with medical professionals, an autopsy, and a minute-by-minute breakdown of events, Hartmann believes that the severity of the victim’s medical diagnosis at the time she was picked up was such that she would have died regardless of which hospital she had been admitted to. “The delay was of no relevance to the final outcome,” Hartmann says. “The medical condition was the sole cause of the death, and this is entirely independent from the cyberattack.” He likens it to hitting a dead body while driving: while you might be breaking the speed limit, you’re not responsible for the death.

So while this might not be an example of death by cyberattack, the article correctly notes that it’s only a matter of time:

But it’s only a matter of time, Hartmann believes, before ransomware does directly cause a death. “Where the patient is suffering from a slightly less severe condition, the attack could certainly be a decisive factor,” he says. “This is because the inability to receive treatment can have severe implications for those who require emergency services.” Success at bringing a charge might set an important precedent for future cases, thereby deepening the toolkit of prosecutors beyond the typical cybercrime statutes.

“The main hurdle will be one of proof,” Urban says. “Legal causation will be there as soon as the prosecution can prove that the person died earlier, even if it’s only a few hours, because of the hack, but this is never easy to prove.” With the Düsseldorf attack, it was not possible to establish that the victim could have survived much longer, but in general it’s “absolutely possible” that hackers could be found guilty of manslaughter, Urban argues.

And where causation is established, Hartmann points out that exposure for criminal prosecution stretches beyond the hackers. Instead, anyone who can be shown to have contributed to the hack may also be prosecuted, he says. In the Düsseldorf case, for example, his team was preparing to consider the culpability of the hospital’s IT staff. Could they have better defended the hospital by monitoring the network more closely, for instance?

How the FIN7 Cybercrime Gang Operates

How the FIN7 Cybercrime Gang Operates

The Grugq has written an excellent essay on how the Russian cybercriminal gang FIN7 operates. An excerpt:

The secret of FIN7’s success is their operational art of cyber crime. They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were.

Their business… is crime! And every business needs business goals, so I wrote a mock FIN7 mission statement:

Our mission is to proactively leverage existing long-term, high-impact growth strategies so that we may deliver the kind of results on the bottom line that our investors expect and deserve.

How does FIN7 actualize this vision? This is CrimeOps:

  • Repeatable business process
  • CrimeBosses manage workers, projects, data and money.
  • CrimeBosses don’t manage technical innovation. They use incremental improvement to TTP to remain effective, but no more
  • Frontline workers don’t need to innovate (because the process is repeatable)

Sidebar photo of Bruce Schneier by Joe MacInnis.

North Korea ATM Hack

North Korea ATM Hack

The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide:

This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme­ — referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”

The level of detail is impressive, as seems to be common in CISA’s alerts and analysis reports.

Sidebar photo of Bruce Schneier by Joe MacInnis.

Kingpin of Evil Corp lived large. Now there’s a $5 million bounty on his head

Screenshot of Justice Department website shows four pictures of same alleged criminal.

Enlarge / Screenshot of Justice Department website shows four pictures of same alleged criminal.

Federal prosecutors have indicted the kingpin of Evil Corp, the name used by a cybercrime gang that used the notorious Dridex malware to drain more than $70 million from bank accounts in the US, UK, and other countries.

Maksim V. Yakubets, a 32-year-old Russian national who used the handle “Aqua,” led one of the world’s most advanced transnational cybercrime syndicates in the world, prosecutors said on Thursday. The crime group’s alleged deployment of Dridex was one of the most widespread malware campaigns ever. The UK’s National Crime Agency said the syndicate used the name Evil Corp.

Dridex was configured to target the customers of almost 300 different organizations in more than 40 countries by automating the theft of online banking credentials and other confidential information from infected computers. Over time, Dridex creators updated the malware to install ransomware. Previously known as Bugat and Cridex, Dridex used zeroday exploits and malicious attachments in emails to infect targets. The malware was designed to bypass antivirus and other security defenses.

Yakubets and another alleged Dridex operator, 38-year-old Igor Turashev, also from Russia, allegedly used the captured banking credentials to order electronic money transfers from compromised accounts. Prosecutors said the men funneled the stolen funds into the accounts of money mules who would move the funds into other accounts or convert them to cash and smuggle it overseas. Yubets was the leader of the crime group, prosecutors said. Turashev allegedly handled a host of roles, including system administration, management of an internal control panel, and oversight of a botnet that controlled infected computers.

Confiscated images and videos released by UK authorities show alleged members of Evil Corp living large. One photo shows Yakubets and his bride celebrating their 2017 wedding with a lavish chandelier above them. Other images and videos show off expensive sports cars.

Yakubets also stands accused of providing “direct assistance” to the Federal Security Service of the Russian Federation, the KGB successor that’s better known as the FSB.

“In addition to his leadership role within Evil Corp, Yakubets has also provided direct assistance to the Russian government,” officials with the US Treasury Department said. “As of 2017, Yakubets was working for the Russian FSB, one of Russia’s leading intelligence organizations that was previously sanctioned pursuant to E.O. 13694, as amended, on December 28, 2016.”

Stantinko botnet’s monetization strategy shifts to cryptomining

IT Security Consulting

Lorem ipsum dolor sit amet

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu. Aenean ornare sem urna, vel aliquet lacus hendrerit non. Mauris cursus lectus nec dui fringilla viverra. Phasellus molestie erat non risus blandit, eu tincidunt felis aliquet. Pellentesque enim massa, vulputate eu quam in, interdum pellentesque leo. Aliquam non scelerisque dui, quis semper turpis. Nam eget semper dolor.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum dolor sit amet

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu. Aenean ornare sem urna, vel aliquet lacus hendrerit non. Mauris cursus lectus nec dui fringilla viverra. Phasellus molestie erat non risus blandit, eu tincidunt felis aliquet. Pellentesque enim massa, vulputate eu quam in, interdum pellentesque leo. Aliquam non scelerisque dui, quis semper turpis. Nam eget semper dolor.

it security consulting

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu.

A solution for every business need

We offer a wide range of services within this category. Please contact us today to further explore the areas in which you can improve your IAM systems.

About

IT Security.org are based in the UK, offering a range of IT security solutions ranging from compliance and risk management to testing, training and much more.

Follow Us

Contact Us

© Copyright ITSecurity.Org Ltd 2015-2019 All Rights Reserved. Company Registration Number:11208508. Registered office address: 27 Old Gloucester Street, Holborn, London, United Kingdom, WC1N 3AX. VAT Reg.299747227