The North Korean cyberespionage group has targeted Mashinostroyeniya, a rocket design based in Reutov, Moscow. The hackers group, code-named ScarCruft and Lazarus installed covert digital backdoors into the system at NPO Mashinostroyeniya and was located by Reuters’ James Pearson and Christopher Bing.
However, it has not been made clear as to what data was acquired in the breach. In the following month, the digital break-in Pyongyang introduced several new developments in its banned ballistic missile program, while is not clear if this was in any regards to the breach.
Moreover, no official confirmation has been provided of the espionage by NPO Mashinostroyeniya officials.
The company, commonly known as NPO Mash, specialized in developing hypersonic missiles, satellite technologies and new-generation ballistic armaments. The company was prominent in the Cold War as a premier satellite maker for Russia's space program and as a provider of cruise missiles.
According to experts, the hackers garnered interest in the company after it underlined its mission to develop an Intercontinental Ballistic Missile (ICBM), capable of bringing catastrophe to the mainland United States.
Apparently, the hackers acquired access to the company’s documents and leaked them between 2021, and May 2022. Following this, the IT engineers detected the cybercrime activities, the news agency reported.
According to Tom Hegel, a security researcher with U.S. cybersecurity firm SentinelOne, following the hack, the hackers gained access to the company’s IT environment, which enabled them to read email traffic, jump between networks, and extract data. "These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims," Hegel said.
Digging further into the findings, Hegel’s team of security analysts discovered that one of the NPO Mash IT employees unintentionally exposed his company's internal communications while attempting to investigate the North Korean attack by uploading evidence to a secret portal used by cybersecurity researchers worldwide.
Experts speculate that the data stolen by the hacker group is of great importance, however, it will take a lot more information, effort and expertise for them to actually develop a missile.
"That's movie stuff[…]Getting plans won't help you much in building these things, there is a lot more to it than some drawings," Hegel further added.
The prediction accuracy decreased to 93% when Zoom was used to train the sound classification algorithm, still exceedingly good and a record for that medium.
Such an attack has a significantly adverse impact on the users’ data security since it is capable of exposing users' passwords, conversations, messages, and other sensitive information to nefarious outsiders.
When compared to the other side attacks that need specific circumstances and are susceptible to data rate and distance restrictions, these acoustic attacks are easier to operate because of the popularity of devices that are now equipped with high-end microphones.
This makes sound-based side-channel attacks achievable and far more hazardous than previously thought, especially given the rapid advances in machine learning.
The attack is initiated in order to acquire keystrokes on the victim’s keyboard, since the data is required for the prediction algorithm to work. This can be done via a nearby microphone or by accessing the microphone on the target's phone, which may have been compromised by malware.
Additionally, keystrokes can also be recorded via Zoom call, in which, rogue meeting attendee compares the messages entered by the target with the auditory recording of that person.
The researchers acquired training data by pressing 36 keys on a modern MacBook Pro, 25 times each, further recording the sounds produced on each press.
The spectrogram images were used to train the image classifier "CoAtNet," and it took some trials and errors with the epoch, learning rate, and data splitting parameters to get the best prediction accuracy outcomes.
The same laptop, whose keyboard has been present in all Apple laptops over the past two years, an iPhone 13 mini positioned 17 cm from the target, and Zoom were utilized in the researchers' tests.
The CoatNet classifier gained 95% accuracy in the smartphone recordings and 93% from the content captured via Zoom. Skype, on the other, produced comparatively lower accuracy, i.e. 91.7%.
In order to protect oneself from side-channel attacks, users are advised to try “altering typing styles,” or generating passwords with randomized keys.
Another safety measure includes utilizing software in order to generate keystroke sounds, white noise, or software-based keystroke audio filters.
Moreover, since the attack model proved highly efficient even against a very silent keyboard, installing sound dampeners to mechanical keyboards or shifting to membrane-based keyboards is unlikely to help in any way.
Finally, using password managers to avoid manually entering sensitive information and using biometric authentication whenever possible also serve as mitigating factors.
The firm disclosed the incident on its blog on May 10, alleging that it took place on May 8 where hackers acquired access to SharePoint and the Dragos contract management system by compromising a new sales employee's personal email address before the employee's start date. The hacker then impersonated the employee to complete the first steps of Dragos' employee-onboarding procedure using the stolen personal information from the hack.
After infiltrating Dragos’ SharePoint cloud platform, the hackers apparently downloaded “general use data” and access 25 intel reports, generally only made available to the customers.
“Dragos' swift response prevented the threat group from achieving its objective — the deployment of ransomware — or to engage in further activity, such as lateral movement, escalating privileges, establishing persistent access, or making changes to any Dragos infrastructure[…]No Dragos systems were breached, including anything related to the Dragos Platform,” the company noted.
Due to role-based access control (RBAC) regulations, the threat actors were unable to access several Dragos systems during the 16 hours they had access to the employee's account, including its messaging, IT helpdesk, finance, request for proposal (RFP), employee recognition, and marketing systems.
Eleven hours into the attack, after failing to break into the company's internal network, they sent an email of extortion to Dragos executives. Because the message was sent after business hours, it was read five hours later.
Five minutes into reading the extortion message, Dragos disabled the compromised user account, terminated all open sessions, and prevented the hackers' infrastructure from accessing company resources.
The cybercriminal group also attempted to extort the firm by threatening to make the issue public in emails sent to CEOs, senior employees, and family members of Dragos who have public contacts.
One of the IP addresses specified in the IOCs is 144.202.42[.]216, earlier discovered hosting SystemBC malware and Cobalt Strike, both frequently used by ransomware gangs for remote access to compromised systems.
"While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable," Dragos said.
The company often boasts of its potential for identifying rioters involved in the January 6 attack on the Capitol, saving children from being abused or exploited, and assisting in the exoneration of those who have been falsely accused of crimes. Yet, critics cite two examples in Detroit and New Orleans where incorrect face recognition identifications led to unjustified arrests.
Last month, the company CEO, Hoan Ton-That admitted in an interview with the BBC that Clearview utilized photos without users’ knowledge. This made it possible for the organization's enormous database, which is promoted to law enforcement on its website as a tool "to bring justice to victims."
Privacy advocates and digital platforms have long criticized the technology for its intrusive aspects, with major social media giants like Facebook sending cease-and-desist letters to Clearview in 2020, accusing the company of violating their users’ privacy.
"Clearview AI's actions invade people's privacy which is why we banned their founder from our services and sent them a legal demand to stop accessing any data, photos, or videos from our services," says a Meta spokesperson in an email Insider, following the revelation.
The spokesperson continues by informing Insider that Meta, since then, has made “significant investments in technology and devotes substantial team resources to combating unauthorized scraping on Facebook products.”
When unauthorized scraping is discovered, the company may take action “such as sending cease and desist letters, disabling accounts, filing lawsuits, or requesting assistance from hosting providers to protect user data,” the spokesperson said.
In spite of internal policies, biometric face prints are made and cross-referenced in the database once a photo has been scraped by Clearview AI, permanently linking the individuals to their social media profiles and other identifying information. Individuals in the photos have little recourse to try to remove themselves from the photos.
Searching Clearview’s database is one of the many methods where police agencies can make use of social media content to aid in investigations, like making requests directly to the platform for user data. Although the use of Clearview AI or other facial recognition technologies by law enforcement is not monitored in most states and is not subject to federal regulation, some critics argue that it should even be banned.
The accused were discovered selling data on more than 140 distinct groups of individuals, including military personnel, bank clients, energy sector consumers, NEET students, government employees, gas agencies, high net worth individuals, and demat account holders.
Another category of victims include Bengaluru women’s consumer data, data of people who have applied for loans and insurance, credit card and debit card holders (of AXIS, HSBC and other banks), WhatsApp users, Facebook users, employees of IT companies and frequent flyers.
"When an individual calls the toll-free numbers of JustDial and asks for any sector or category related confidential data of individuals, their query is listed and sent to that category of the service provider. Then these fraudsters call those clients/ fraudsters and send them samples. If the client agrees to purchase, they make payment and provide the data. This data is further used for committing crime," stated the commissioner.
The accused gang apparently operated via registered and unregistered organizations: Data Mart, Infotech, Global Data Arts and MS Digital Grow.
The accused were found to have access to 2.5 lakh defense personnel's sensitive data, including their ranks, email addresses, places of posting, etc. The thieves gained access to the data of 35,000 Delhi government employees, 12 million WhatsApp users, 17 lakh Facebook users, and 11 million customers of six banks. Also, the defendants had access to information on 98 lakh applicants for credit cards.
Main suspect Kumar in Noida, Nitish Bhushan had created a call center and obtained credit card records from Muskan Hassan, another defendant. The other suspects, Pooja Pal and Susheel Thomar were reportedly operating as tele-callers at Bhushan’s call center. While, Atul Pratap Singh's business, "Inspiree Digital," gathered credit cardholder data and profitably marketed it. Atul's workplace had employed Muskan as a telemarketer before she started her own business, "MS Digital Grow." She served as a middleman, selling data. She organized the data that Atul had provided and sold it to Bhushan.
Sandeep Pal founded Global Data Arts and sold private consumer information to fraudsters engaging in online crimes through Justdial services and social media platforms. The seventh defendant, Zia Ur Rehman, shared the database with Atul and Bhushan and offered bulk message services for advertising.
Product reviewers and tech journalists are even left with a sense of perplexity on what security camera, or security product must they recommend to potential users, knowing for a fact that the backend could or could not be secure.
According to Michael Hicks, senior editor at Android Central “When I review a product, I try to be as nitpicky as possible. Not because I want to give a bad review, but because it's my job to go past the idealized press releases and spec sheets to see the cracks beneath the surface.”
While it is possible to cite certain problems pertaining to a security camera, like the video quality or an unreliable AI detection. However, there is always the possibility of some undiscovered breach, even with the some of the best cameras around, that are tested and appreciated.
Hicks says, this is not something most tech journalists are qualified to detect. With a smartphone, one can examine most software and security for themselves, and users too have almost complete control to block or enable apps from tracking them. The entire data security for a security camera is managed remotely, therefore we can only trust the company to protect ones data safely.
The issue is that, if ever, we really can trust a security business to provide an honest assessment of its cybersecurity.
Companies like LastPass or Eufy, whether they specialize in hardware or software, frequently conceal any ongoing breaches for months until they become public, at which point they play down their seriousness with technical jargons and mitigating factors.
According to a report Vice published this past week regarding a third-party associated with Ring being infected by BlackCat ransomware, Ring employees have been instructed to “anything about this,” and that they are unsure yet what user data is at risk if Amazon does not pay.
Prior to this incident, security researcher Paul Moore found that Eufy cameras were sending users' images and facial recognition data to the cloud without them knowing or consent, that one could stream anyone's private camera feeds from a web browser, and that Eufy's AES 128 encryption was easily cracked due to the use of simple keys.
In response, Eufy patched some issues and edited its privacy guidelines to provide fewer protections for its users.
The bottom line is: even the renowned security firms with encryption that seems impenetrable can make choices that expose your personal information or home feeds, or they can recruit someone who unethically abuses their position of authority. And even if someone blows the whistle or a security expert notices the error, there is absolutely no guarantee that you will learn about it after that corporation learns about it.
In an environment like this, casually reviewing any company's security camera on the basis of its merits and recommending online readers seems like an irresponsible take. Michael Hicks in his article wrote “It's my job to do so, and I will write about the Blink Indoor and Blink Mini once it's clear how its parent company handles the Ring ransomware attack.”
However, in doing so, Michael Hicks adds he will have to include certain big disclaimers that he “just don't know what Blink's (or any company's) weakest link is.” There is a possibility that it could be a dishonest employee, an unreliable third-party team, shoddy encryption, or something else.
In the meantime, he advises individuals to use security cams with local storage in order to avoid storing their private footages and information on company servers. However, there is no guarantee of security, considering the fact that firms like Eufy was well received and trusted as a local storage option before its numerous problems were revealed.
Ring LLC is a home security and smart home company owned by Tech-giant Amazon. The firm creates home security systems with exterior cameras, such as the Ring Video Doorbell smart doorbell, and runs the Neighbors app, which allows users to share video footage with each other online in a communal setting.
According to a report by Motherboard, the ALPHV ransomware gang has claimed to have acquired access to Amazon-owned Ring’s systems and its data. Despite the fact that there is no proof of a system breach, Ring did indicate as much in a statement to the news organization. But, it is well known to them that a ransomware assault has affected one of its third-party providers.
In a response to Ring, ALPHV shares a post on Twitter saying “There’s always an option to let us leak your data”. The ransomware group has not yet made any of the data it is said to have stolen from the business available. But, there is still cause for alarm when Motherboard discovered a Ring listing on ALPHV's data dump website.
Ransomware groups like ALPHV have evolved into using data dump sites to entice victims into paying ransoms in order to regain access to their data. In an effort to persuade businesses to cooperate with the hackers holding their data hostage, a tiny percentage of the stolen data from those businesses is frequently posted publicly.
The ALPHV ransomware gang has attacked companies in the US, Europe, and Asia. The group has also been referred to as BlackCat, named after the malware it deploys. In the past, ALPHV has taken credit for hacking hospitality firms like the Westmont Hospitality Group, which manages IHG and Hilton hotels around the world, as well as leaking medical data from the Lehigh Valley Health Network.
ALPHV's data dump site, where it posts stolen data in collections referred to as "Collections," is another feature that sets it distinct from other ransomware organizations. Other ransomware organizations may have comparable websites, but ALPHV's is renowned for being indexed and simpler to search.
Currently, Amazon is looking into a third-party vendor's data breach that ALPHV has claimed responsibility for. We are unlikely to hear anything more until this investigation is over. Ring's products are widely utilized in homes all over the world since they are among the best video doorbells and home security cameras today.
However, the firm employs end-to-end encryption (E2EE) in the majority of nations to prevent governments and other parties from accessing the data from your cameras and snooping on them. If the ALPHV ransomware gang did end up infiltrating Ring’s third-party vendors, it is possible that the group has also managed to steal corporate or customer data in the attack.
If you are concerned about your Ring data or even the fact that the firm is charging for features that were previously free, it is a good time to consider some alternatives instead. In any case, we will probably soon learn whether or not the ALPHV ransomware gang managed to steal client data.
According to a LinkedIn post last week by Alon Gal, co-founder of the Israeli cybersecurity monitoring company Hudson Rock, stolen data has been discovered, that contained email addresses of more than 200 million twitter users.
The breach would probably result in "hacking, targeted phishing, and doxxing," according to Gal, who labeled it as a "significant leak" and said that the information had been uploaded on an internet hacker forum.
He claimed that despite alerting the firm, Twitter, he had not received a response.
"I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter's conclusion of the data being an enrichment of some sort which did not originate from their own servers," says Alon Gal.
Although, Twitter has denied all claims of the emails, allegedly linked to the users’ accounts, being obtained through a hack.
In regards to the issue Twitter responded by stating “in response to recent media reports of Twitter users’ data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”
According to Twitter, the stolen records in question was instead probably a collection of data “already publicly available online.” While it still warns online users to be wary of suspicious emails.
Gal, meanwhile, disapproved of Twitter's answer in a fresh post on LinkedIn. In contrast to instances of data enrichments, he noted, “The authenticity of the leak is evident in the lack of false positives between Twitter usernames and emails found in the database, opposite to cases of data enrichments.”
The disclosure came to light following the multiple reports that Twitter data of millions of users – 5.4 million in November 2022, 400 million in December 2022, and 200 million last week – have been exposed online for sale on cybercrime forums.
Twitter, in its latest post says that the latest dataset breach of 200 million users “could not be correlated with the previously reported incident, nor with any new incident or any data originating from an exploitation of Twitter systems.”
It added that, “None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.”
Moreover, in December 2022, another set of reports claimed that 400 million email addresses and phone numbers were stolen from Twitter – which the company denied as well.
The last time the U.S. military used its Secure Electronic Enrollment Kit (SEEK II) devices was more than ten years ago, close to Kandahar, Afghanistan. The bulky black rectangle piece of technology, which was used to scan fingerprints and irises, was switched off and put away.
That is, until Matthias Marx, a German security researcher, purchased the device for $68 off of eBay in August 2022 (a steal, at about half the listed price). Marx had unintentionally acquired sensitive, identifying information on thousands of people for the cheap, low price of less than $70. The biometric fingerprint and iris scans of 2,632 people were accompanied by names, nationalities, photographs, and extensive descriptions, according to a story by The New York Times.
From the war zone areas to the government equipment sale to the eBay delivery, it seems that not a single Pentagon official had the foresight to remove the memory card out of the specific SEEK II that Marx ended up with. The researcher told the Times, “The irresponsible handling of this high-risk technology is unbelievable […] It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online.”
According to the Times, the majority of the data in the SEEK II was gathered on people who the American military has designated as terrorists or wanted people. Others, however, were only ordinary citizens who had been detained at Middle Eastern checkpoints or even people who had aided the American administration.
Additionally, all of that information might be utilized to locate someone, making the devices and related data exceedingly hazardous, if they ended up in the wrong hands. For instance, the Taliban may have a personal motive for tracking down and punishing anyone who cooperated with U.S. forces in the area.
Marx and his co-researchers from Chaos Computer Club, which claims to be the largest hacker group in Europe, purchased the SSEK II and five other biometric capture devices- all from eBay. The group then went on with analyzing the devices for potential flaws, following a 2021 report by The Intercept, regarding military tech seize by the Taliban.
Marx was nonetheless concerned by the extent of what he discovered, despite the fact that he had set out from the start to assess the risks connected with biometric devices. The Times reports that a second SEEK II purchased by CCC and last used in Jordan in 2013 contained data on U.S. troops—likely gathered during training—in addition to the thousands of individuals identified on the single SEEK II device last used in Afghanistan.
A recent research report by The Conversation demonstrates that, much like many legal commodities, stolen products are distributed via a supply chain that includes producers, wholesalers, and consumers. However, this supply chain entails links of several criminal organizations, operating in an illicit underground marketplace.
Producers, Wholesalers, and Distributors
This supply chain of compromised data begins with the inclusion of a producer, i.e. a hacker or a threat group, who gains unauthorized access to vulnerable systems and steals sensitive information. The stolen data may include credit card numbers, bank account information, social security number, etc.
The stolen data is then advertised by wholesalers and distributors, in order to trade the data.
In the end, a consumer may purchase the stolen data. This data is utilized in order to commit cybercrime activities, or scams like fraudulent credit card transactions, identity thefts, or phishing attacks.
This trade of stolen data between producers, wholesalers, and consumers is reportedly carried out in the darknet markets, which are illicit websites, imposing as legitimate e-commerce websites, except they are accessible only when operated through a special browser or authorization codes.
According to reports, several thousand sellers were found selling tens of thousands of stolen data products, on just 30 darknet markets. Over an eight-month period, these data retailers have generated a whopping sum of $140 million or more in sales.
Darknet Markets:
Darknet markets offer a platform for sellers to get in touch with potential customers to aid transactions, much like any conventional e-commerce website. However, darknet markets are well-recognized for selling illegal products. Another significant distinction is the need for specialized software, such as the Onion Router, or TOR browser, which offers security and anonymity to the user, to access darknet markets.
Renowned darknet market, Silk Road came to light in the year 2011 by apparently combining TOR and bitcoin. Later, in 2013, the market was eventually seized, with the founder, Ross Ulbricht being sentenced to two life sentences plus an additional 40 years of imprisonment without the chance of parole. The severe prison term given to Ulbricht did not have the anticipated deterrent impact. To fill the void, numerous markets developed, which led to the development of a robust ecosystem that profited from stolen personal data.
Taking into consideration how major a role the darknet market plays in trafficking stolen data, the study conducted the largest systematic examination of stolen data markets, in order to better comprehend the extent of the illegal darknet ecosystem. The study first examined 30 darknet markets, which advertised stolen products.
Further information was deciphered about the stolen products of the market in the course of a week for eight months, from September 1, 2020, through April 30, 2021. The information extracted from this scrutiny was utilized to determine the number of vendors trading the stolen products, the number of stolen data products advertised, the number of products sold and the amount of revenue generated.
The study, after evaluating the ecosystem's overall characteristics, analyzed each market separately. In doing so, it was discovered that a small number of markets were in charge of selling the majority of the stolen data items. Apollon, WhiteHouse, and Agartha were the three biggest markets, accounting for 58% of all sellers. The total number of sales ranged from 0 to 237,512, and the number of listings ranged from 38 to 16,296. During the 35-week period, there were significant variations in each market's total revenue, which ranged from $0 to $91,582,216 for Agartha, the most successful of all markets mentioned.
Darknet Stolen Data Marketplaces
The research done by The Conversation sheds like on the booming underground economy and illicit supply chains of stolen data, that are being operated in the darknet markets. For as long as the data continues to be stolen, there is a possibility of an upsurge of marketplaces to trade the stolen information.
While the darknet markets could not be possibly taken down directly, efforts to prevent the customers from utilizing the stolen data offer some hope in the picture. One way to do this is, by utilizing the advancement of A.I. technology, which can provide law enforcement agencies, financial institutions, and others with the information required to prevent data from being stolen, or stolen data utilized for cybercrime activities.
This would further halt the flow of stolen data in supply chains, eventually disrupting the underground economy that is largely benefitting from your personal information.
Security intelligence from Mandiant has discovered a spear-phishing campaign, launched by the Russia-linked APT29 group, designed to victimize diplomats and government entities worldwide including European, the Americas, and Asia.