European Police Arrest 42 After Cracking Covert App


European police arrested 42 suspects and seized guns, drugs and millions in cash, after cracking another encrypted online messaging service used by criminals, Dutch law enforcement said Friday.

Police launched raids on 79 premises in Belgium, Germany and the Netherlands following an investigation that started back in September 2020 and led to the shutting down of the covert Exclu Messenger service.

Exclu is just the latest encrypted online chat service to be unlocked by law enforcement. In 2021 investigators broke into Sky ECC — another “secure” app used by criminal gangs.

After police and prosecutors got into the Exclu secret communications system, they were able to read the messages passed between criminals for five months before the raids, said Dutch police.

“Those arrested include users of the app, as well as its owners and controllers,” their statement added.

Police in France, Italy and Sweden, as well as Europol and Eurojust, its justice agency twin, also took part in the investigation.

The police raids uncovered at least two drugs labs, one cocaine-processing facility, several kilogrammes of drugs, four million euros ($4.3 million) in cash, luxury goods and guns, Dutch police said.

Used by around 3,000 people, including around 750 Dutch speakers, Exclu was installed on smartphones with a licence to operate costing 800 euros for six months.

“Exclu made it possible to exchange messages, photos, notes, voice memos, chat conversations and videos with other users,” Dutch police said.

The online service “was praised by the owners and manager for its high level of security”, police added.

The earlier Sky ECC probe gave investigators a vast trove of messages sent between secretive drug smuggling gangs.

Breaking that encrypted system allowed police to intercept drug shipments and make a large number of arrests.


The post European Police Arrest 42 After Cracking Covert App appeared first on SecurityWeek.

Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation and Information Sharing


As we reflect on 2022, we’ve seen that malicious actors are constantly coming up with new ways to weaponize technologies at scale to cause more disruption and devastation.

The dangers are showing up everywhere – and more frequently. The volume and variety of threats, including Ransomware-as-a-Service (RaaS) and novel attacks on previously less conventional targets, are of particular concern to CIOs and CISOs.

Increasingly, cybercrime is big business run by highly organized groups rather than individuals. Much like the mythological hydra, cutting off the head of one of these organizations (i.e. just stopping a few low-level operators in their tracks) isn’t going to solve the problem; the key is to disrupt the networks themselves. That’s a tall order, and one that’s going to require widespread collaboration.

Cybercrime networks and Cybercrime-as-a-Service

We anticipated that in 2022 there would be an increase in pre-attack reconnaissance and weaponization among attackers, which would open the door for Crime-as-a-Service (CaaS) to grow even faster.

That prediction proved to be accurate. The FortiGuard Labs team documented 10,666 new ransomware variants in the first half of 2022 compared to just 5,400 in the second half of 2021, an increase of almost 100%. The rise in popularity of RaaS on the dark web is the main cause of this sudden increase in new ransomware strains.

RaaS is mostly to blame for the explosive growth in ransomware variants, and ransomware payments are also rising. U.S. financial institutions spent close to $1.2 billion on likely ransomware payments in 2021, according to the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury. That was more than double the prior year, and if that trend continues, results from 2022 will be even higher.

Our current predictions indicate that the CaaS market will grow dramatically through 2023 and beyond, with threat actors soon being able to subscribe to new exploits, services and structured programs.

We’re also predicting that threat actors will soon have access to more ready-made, “as a service” products. This means even more cybercriminals of all skill levels will be able to launch more complex attacks without first devoting time and money to creating their own tooling and strategy. Additionally, producing and offering “aaS” attack portfolios is a straightforward, efficient and repeatable way for seasoned hackers to make money, meaning the business model pays. Expect an expanded CaaS catalog to appear in 2023 and beyond as a result.

Collaboration is key

It can’t be emphasized enough: the key to disrupting cybercrime networks is collaboration across the private and public sectors. One illustration is the work of the World Economic Forum’s Partnership Against Cybercrime (PAC). In response to the unparalleled, exponential growth in cybercriminal activity during the pandemic, PAC has concentrated on fusing the digital know-how and data of the business sector with the threat information of the government sector to help disrupt cybercrime ecosystems.

A worldwide strategy and coordinated effort that removes communication barriers between organizations makes it far easier to overcome the jurisdictional and informational boundaries that shield cybercriminals. It is everyone’s duty to disrupt bad actors and dismantle attack infrastructure, and this calls for solid, reliable partnerships with other organizations. Cybercriminals run their operations like businesses; therefore, the more we can force them to rebuild, change their strategies and start over, the better off digital assets will be.

Not only do we want to stop attacks from happening, but we also want to take down cybercriminals and make them modify how they operate, which costs them effort, time and resources. Sharing actionable threat intelligence among organizations and influencing how cyberthreat mitigation will be done in the future are crucial.

Private-public collaboration in practice

An example of how this kind of collaboration can be used to disrupt cybercrime networks is the recent African Cyber Surge Operation. The collaboration between INTERPOL, FortiGuard Labs and other INTERPOL private partners resulted in the successful Cyber Surge operation and the dissemination of intel to several law enforcement organizations in the Africa region.

Partners such as FortiGuard Labs offered actionable threat intelligence based on infrastructure research into malware, botnets and command and control (C2), including C2 servers and malware victims across Africa. The Africa Cyber Surge Operation, which began in July 2022, brought together law enforcement (LE) officers from 27 nations. They collaborated for almost four months on actionable intelligence provided by INTERPOL private partners.

Through a coordinated effort between INTERPOL, AFRIPOL and the participating nations, this operation targeted both cybercriminals and compromised network infrastructure in Africa. Member nations were able to identify more than 1,000 malicious IP addresses, dark web marketplaces and specific attackers.

The Africa Cyber Surge Operation is a great example of how joint operations and sharing threat intelligence on threat actors among reliable partners can increase an entire region’s cyber resilience. It also demonstrates the need for cybersecurity education and training to bridge the cyberskills gap and effectively combat cybercrime on a large scale.

Collaboration is the key

No one combating cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base. Just as cybercrime networks are getting stronger and larger, so too must collaborative strategies between private companies and law enforcement agencies. Disrupting cybercrime networks is going to take collaboration on a large scale.


Russian Millionaire on Trial in Hack, Insider Trade Scheme


A wealthy Russian businessman and associates made tens of millions of dollars by cheating the stock market in an elaborate scheme that involved hacking into U.S. computer networks to steal insider information about companies such as Microsoft and Tesla, a prosecutor told jurors on Monday. 

Vladislav Klyushin, the owner of a Moscow-based information technology company with ties to the upper levels of the Russian government, is standing trial in a Boston federal court nearly two years after he was arrested upon landing in Switzerland on a private jet for a skiing trip.

He’s the only Russian national charged in the nearly $90 million scheme who has been arrested and extradited to the U.S.; four accused co-conspirators — including a Russian military intelligence officer who’s also been charged with meddling in the 2016 presidential election — remain at large. 

Assistant U.S. Attorney Stephen Frank told jurors that the hack-to-trade scheme netted Klyushin and his associates the kind of returns “actual money managers couldn’t even dream about.” Using stolen information about the performance of a company that would dictate its stock price, Klyushin personally turned a $2 million investment into nearly $21 million, and together, the group turned about $9 million into nearly $90 million, Frank said. 

“It wasn’t luck. And it wasn’t because of careful financial research either. The defendant cheated,” Frank said. 

Klyushin’s attorney told jurors that the government’s case is filled with “gaping holes” and “inferences.” He said his client was financially successful long before he began trading stocks and he continued trading in many of the same companies even after access to the alleged insider information was shut off because the hacks were discovered.

“There’s nothing illegal about being Russian, about having wealth, about having an IT company that contracts with the government,” attorney Maksim Nemtsev said, referring to contracts with the Kremlin. 

Klyushin has close ties to a Russian military officer who was one of 12 Russians charged in 2018 with hacking into the Hillary Clinton presidential campaign and the Democratic Party and publishing its emails in an attempt to influence the 2016 election. Prosecutors say Ivan Ermakov, who worked with Klyushin at the IT company, was a hacker in the alleged insider trading scheme. U.S. prosecutors have not alleged that Klyushin was involved in the election interference.

Klyushin and Ermakov were close friends, according to the prosecutor, who showed jurors photos of the men together and said Klyushin even bought Ermakov an apartment to live in. 

Klyushin, who wore headphones to listen to an interpreter as the lawyers spoke, has remained behind bars in the U.S. since he was extradited in December 2021.

He was arrested months earlier in Switzerland minutes after he arrived on a private jet and just before he and his party were about to board a private helicopter to whisk them to a nearby ski resort. He fought extradition to the U.S., with one appeal reaching Switzerland’s highest court. 

Klyushin faces charges including conspiring to obtain unauthorized access to computers and to commit wire fraud and securities fraud. The trial is expected to last a few weeks.

Klyushin ran M-13, a Moscow-based information technology company that purported to provide services to detect vulnerabilities in computer systems and counted among its clients the administration of Russian President Vladimir Putin and other government entities, according to prosecutors. 

Prosecutors allege that the hackers deployed malware to gather employees’ usernames and passwords for two U.S.-based vendors that publicly traded companies use to make filings with the Securities and Exchange Commission. They then broke into the vendors’ computer systems to get financial disclosures for hundreds of companies, including Microsoft, Tesla, Kohl’s, Ulta Beauty and Skechers, before they were filed with the SEC and became public, prosecutors say.

By getting a company’s financial information ahead of time, the defendants were able to make trades using brokerage accounts, sometimes in their own names, based on whether a company’s shares would likely rise or fall following the public disclosure of the information, prosecutors said.

The scheme unraveled after the SEC reported suspicious trading in the brokerage accounts of several Russian nationals to the FBI in late 2019 and the vendors later discovered they had been hacked.


US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware


Following the shutdown of the Hive ransomware operation by law enforcement, the US government has reminded the public that a reward of up to $10 million is offered for information on cybercriminals.

Authorities in the United States and Europe announced on Thursday the results of a major law enforcement operation targeting the Hive ransomware. More than a dozen agencies collaborated to take down the Tor-based leak website used by the group and other parts of its infrastructure, including servers located in Los Angeles.

The FBI revealed that Hive’s ‘control panel’ was hacked by agents in July 2022, allowing them to identify targets and obtain decryption keys that allowed victims to recover encrypted files. The FBI and Europol said they prevented the payment of more than $130 million to the cybercriminals. 

The Hive ransomware operation was launched in June 2021 and it has since made more than 1,500 victims across roughly 80 countries. It’s believed that administrators and affiliates made approximately $100 million from ransom payments. 

Authorities continue to investigate Hive in an effort to identify the threat actors involved in the operation, including developers, administrators and affiliates. 

After the operation against Hive was announced on Thursday, the US State Department reiterated that it’s prepared to pay up to $10 million for information on the identity or location of foreign state-sponsored threat actors that have targeted critical infrastructure. This includes individuals linked to Hive. 

At least some of the people involved in the Hive ransomware operation are believed to be Russian speakers. However, during a press conference announcing the law enforcement operation against Hive on Thursday, US officials refused to comment on potential ties to Russia, citing the ongoing investigation. 

The US government previously reiterated its $10 million reward offer for leaders of the Conti ransomware operation, North Korean hackers, Russian intelligence officers, and DarkSide ransomware operators.



US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’


The FBI has at least temporarily dismantled the network of a prolific ransomware gang it infiltrated last year, saving victims including hospitals and school districts a potential $130 million in ransom payments, Attorney General Merrick Garland and other U.S. officials announced Thursday.

“Simply put, using lawful means we hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference.

Officials said the targeted syndicate, known as Hive, operates one of the world’s top five ransomware networks. The FBI quietly gained access to its control panel in July and was able to obtain software keys to decrypt the network of some 1,300 victims globally, said FBI Director Christopher Wray. Officials credited German police and other international partners.

It was not immediately clear how the takedown will affect Hive’s long-term operations, however. Officials did not announce any arrests but said they were building a map of Hive’s administrators, who manage the software, and affiliates, who infect targets and negotiate with victims, to pursue prosecutions.

“I think anyone involved with Hive should be concerned because this investigation is ongoing,” Wray said.

On Wednesday night, FBI agents seized computer infrastructure in Los Angeles that was used to support the network. Hive’s dark web site was also seized.

“Cybercrime is a constantly evolving threat, but as I have said before, the Justice Department will spare no resource to bring to justice anyone anywhere that targets the United States with a ransomware attack,” Wray said.

Garland said that thanks to the infiltration, led by the FBI’s Tampa office, agents were able in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a $5 million payment.

The operation is a big win for the Justice Department. The ransomware scourge is the world’s biggest cybercrime headache with everything from Britain’s postal service and Ireland’s national health service to Costa Rica’s government crippled by Russian-speaking syndicates that enjoy Kremlin protection. The criminals lock up, or encrypt, victims’ computer networks, steal sensitive data and demand large sums.

As an example of Hive’s threat, Garland said it had prevented a hospital in the Midwest in 2021 from accepting new patients at the height of the COVID-19 epidemic.

A U.S. government advisory last year said Hive ransomware actors victimized over 1,300 companies worldwide from June 2021 through November 2022, receiving approximately $100 million in ransom payments. It said criminals using Hive ransomware targeted a wide range of businesses and critical infrastructure, including government, manufacturing and especially health care and public health facilities.

The threat captured the attention of the highest levels of the Biden administration two years ago after a series of high-profile attacks that threatened critical infrastructure and global industry. In May 2021, for instance, hackers targeted the nation’s largest fuel pipeline, causing the operators to briefly shut it down and make a multimillion-dollar ransom payment that the U.S. government largely recovered.

Federal officials have used a variety of tools to try to combat the problem, but conventional law enforcement measures such as arrests and prosecutions have done little to frustrate the criminals.

The FBI has obtained access to decryption keys before. It did so in the case of a major 2021 ransomware attack on Kaseya, a company whose software runs hundreds of websites. It took some heat, however, for waiting several weeks to help victims unlock afflicted networks.
