Fintech Giant Finastra Investigating Data Breach – Krebs on Security


The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.

London-based Finastra has offices in 42 countries and reported $1.9 billion in revenues last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions around the world. A major part of Finastra’s day-to-day business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients.

On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems.

“On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform,” reads Finastra’s disclosure, a copy of which was shared by a source at one of the customer firms.

“There is no direct impact on customer operations, our customers’ systems, or Finastra’s ability to serve our customers currently,” the notice continued. “We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing.”

But its notice to customers does indicate the intruder managed to extract or “exfiltrate” an unspecified volume of customer data.

“The threat actor did not deploy malware or tamper with any customer files within the environment,” the notice reads. “Furthermore, no files other than the exfiltrated files were viewed or accessed. We remain focused on determining the scope and nature of the data contained within the exfiltrated files.”

In a written statement in response to questions about the incident, Finastra said it has been “actively and transparently responding to our customers’ questions and keeping them informed about what we do and do not yet know about the data that was posted.” The company also shared an updated communication to its clients, which said while it was still investigating the root cause, “initial evidence points to credentials that were compromised.”

“Additionally, we have been sharing Indicators of Compromise (IOCs) and our CISO has been speaking directly with our customers’ security teams to provide updates on the investigation and our eDiscovery process,” the statement continues. Here is the rest of what they shared:

“In terms of eDiscovery, we are analyzing the data to determine what specific customers were affected, while simultaneously assessing and communicating which of our products are not dependent on the specific version of the SFTP platform that was compromised. The impacted SFTP platform is not used by all customers and is not the default platform used by Finastra or its customers to exchange data files associated with a broad suite of our products, so we are working as quickly as possible to rule out affected customers. However, as you can imagine, this is a time-intensive process because we have many large customers that leverage different Finastra products in different parts of their business. We are prioritizing accuracy and transparency in our communications.

Importantly, for any customers who are deemed to be affected, we will be reaching out and working with them directly.”

On Nov. 8, a cybercriminal using the nickname “abyss0” posted on the English-language cybercrime community BreachForums that they’d stolen files belonging to some of Finastra’s largest banking clients. The data auction did not specify a starting or “buy it now” price, but said interested buyers should reach out to them on Telegram.

abyss0’s Nov. 7 sales thread on BreachForums included many screenshots showing the file directory listings for various Finastra customers. Image: Ke-la.com.

According to screenshots collected by the cyber intelligence platform Ke-la.com, abyss0 first attempted to sell the data allegedly stolen from Finastra on October 31, but that earlier sales thread did not name the victim company. However, it did reference many of the same banks called out as Finastra customers in the Nov. 8 post on BreachForums.

The original October 31 post from abyss0, where they advertise the sale of data from several large banks that are customers of a large financial software company. Image: Ke-la.com.

The October sales thread also included a starting price: $20,000. By Nov. 3, that price had been reduced to $10,000. A review of abyss0’s posts to BreachForums reveals this user has offered to sell databases stolen in several dozen other breaches advertised over the past six months.

The apparent timeline of this breach suggests abyss0 gained access to Finastra’s file sharing system at least a week before the company says it first detected suspicious activity, and that the Nov. 7 activity cited by Finastra may have been the intruder returning to exfiltrate more data.

Maybe abyss0 found a buyer who paid for their early retirement. We may never know, because this person has effectively vanished. The Telegram account that abyss0 listed in their sales thread appears to have been suspended or deleted. Likewise, abyss0’s account on BreachForums no longer exists, and all of their sales threads have since disappeared.

It seems improbable that both Telegram and BreachForums would have given this user the boot at the same time. The simplest explanation is that something spooked abyss0 enough for them to abandon a number of pending sales opportunities, in addition to a well-manicured cybercrime persona.

In March 2020, Finastra suffered a ransomware attack that sidelined a number of the company’s core businesses for days. According to reporting from Bloomberg, Finastra was able to recover from that incident without paying a ransom.

This is a developing story. Updates will be noted with timestamps. If you have any additional information about this incident, please reach out to krebsonsecurity @ gmail.com or at protonmail.com.




Android beefs up Bluetooth tag stalker protections • The Register


Google is rolling out two new features to help Android users evade stalkers who abuse Bluetooth tags to surreptitiously track them.

The Temporarily Pause Location feature lets users halt location updates sent to Bluetooth trackers via their phone for up to 24 hours. In Google’s view, this will allow users to quickly take action against a tag without having to stop and search for a hidden device, which may compromise safety.

When users feel safe enough to search for the device, the new Find Nearby feature helps them locate it. Android users could already make a tracker planted on them play a sound, but the new feature adds a visual aid, a shape that fills as the user nears the tracker, to simplify the search. A text prompt also describes the status of the connection to the tag.

Both features build on the existing protections Google has made available to users for years, more of which it said will continue to be rolled out over time.

However, these features work exclusively with trackers compatible with Android’s Find My Device Network, which launched earlier this year after much anticipation and was met with its fair share of naysayers.

Critics’ main gripe was that the network defaulted to activation only in high-traffic areas, although this can be manually changed to enable it everywhere. It meant tracker locating performance was limited in low-density areas.

Another issue lies in the limited number of devices compatible with the network. Only Pebblebee tags and Chipolo ONE Point and Chipolo CARD Point devices are fully compatible, benefiting from the bonus features that come with it.

Apple’s AirTags, among the most popular devices of their kind, are compatible but with limitations. Android users will be alerted if an AirTag is being used to track them, but the Find My Device Network features announced this week, for example, won’t work.

Other network features include gathering additional data about the tracker device itself. Once located, users can hold the tag near the back of their Android phone to retrieve data like the device identifier and the owner’s hidden email address. The data can be saved via screenshots and forwarded to law enforcement in extreme cases.

Both Apple and Google have been working for well over a year on a common device specification to allow trackers from all manufacturers to benefit from the advanced features on their respective networks.

Detecting Unwanted Location Trackers – the proposed specification name – was rolled out in May 2024 and Apple said that devices made by major players such as Chipolo, eufy, Jio, Motorola, and Pebblebee will adopt it in the future.

Serious and ongoing concerns

Consumer-grade Bluetooth trackers have been on the market for over a decade, but it was the release of Apple’s AirTags in 2021 that renewed concerns about people’s safety.

It took just over a year before the very worst offenses were carried out with the assistance of the tags, which were designed to help locate lost keys and pets.

Andre Smith was killed by his ex-girlfriend who tracked him using an AirTag concealed within his car’s bodywork. She would go on to be sentenced to 18 years in prison for manslaughter.

Numerous other grisly cases have been reported over the years, from women stalked after separating from their partners, to celebrities tracked while on holiday. Charities such as Refuge and the Suzy Lamplugh Trust have reported an uptick in reports of AirTag and other Bluetooth tracker abuse since.

Apple has routinely and vehemently condemned abuse of AirTags. It said in a 2022 statement: “Based on our knowledge and on discussions with law enforcement, incidents of AirTag misuse are rare; however, each instance is one too many.”

Apple’s anti-tracking features mirror Android’s in that not all tags work with its Find My network. Tags adhering to the Detecting Unwanted Location Trackers standard but not compatible with Find My will also trigger unwanted tracking notifications on iOS 17.5 or newer.




International crackdown disrupts DDoS-for-hire operations


In a sweeping international crackdown, law enforcement agencies from 15 countries, including the United States and multiple European nations, have dismantled 27 of the most popular platforms used for carrying out distributed denial-of-service (DDoS) attacks, Europol announced Wednesday. The operation, known as PowerOFF, has led to the arrest of three administrators in France and Germany and identified 300 users of these illegal services.

Booter and stresser websites allow individuals to launch overwhelming amounts of traffic at targeted websites, effectively rendering them inaccessible. These platforms are widely used by threat actors due to their simplicity and effectiveness in disrupting online services without the need for advanced technical skills. The takedowns occurred just before the Christmas holiday period, a time known for increased DDoS activity.

In addition to the website seizures, authorities launched an online advertising campaign aimed at deterring potential offenders. As part of these preventive measures, ads will target individuals searching for DDoS-for-hire services on Google and YouTube, highlighting the illegality and consequences of such activities.

“We know that Booter services are an attractive entry-level cyber crime, and users can go on to even more serious offending,” Frank Tutty, from the U.K.’s National Crime Agency, said in a news release. “Therefore, tackling this threat doesn’t just involve arresting offenders, it includes steering people away from straying into cyber crime and helping them make the right cyber choices.”

The operation involved close cooperation between agencies such as the FBI and Europol, as well as national police forces from countries including Brazil, Canada, and Japan. The timing of the operation was strategic, particularly given recent reports, including one from Cloudflare, that indicate a significant increase in DDoS attacks worldwide, with the banking and financial sectors being major targets amid growing geopolitical tensions.

U.S. prosecutors in Los Angeles this week unsealed an indictment charging a single defendant with running booter services.

Ricardo Cesar Colli, a.k.a. “TotemanGames,” 22, of Brazil, is charged with conspiracy to violate and violating the Computer Fraud and Abuse Act related to the alleged operation of a booter service named Securityhide.net (formerly known as Securityhide.com). Additionally, prosecutors in Alaska have indicted one defendant with being the administrator of significant booter services. That indictment remains under seal. The Department of Justice said Wednesday it “continues to work with international partners to pursue an arrest and extradition” related to those charges. 

This coordinated effort reflects a broader strategy by international law enforcement to tackle cyber threats comprehensively, from dismantling illegal infrastructures to preventing future attacks through education and awareness campaigns. The crackdown on DDoS-for-hire services is part of a series of operations in recent months led by Europol and its partners, which have also targeted other forms of cybercrime, including phone phishing scams and illegal streaming networks.


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




OData Injection Risk in Low-Code/No-Code Environments


COMMENTARY

As organizations lean into low-code/no-code (LCNC) platforms to streamline development and empower citizen developers, security risks become increasingly challenging to manage. One of the more under-the-radar LCNC threats is OData injection, an attack vector that can expose sensitive corporate data and is especially common on the Microsoft Power Platform. This vulnerability class is poorly understood by security professionals in LCNC environments, where traditional safeguards are lacking.

What Is OData? 

OData, or Open Data Protocol, is an OASIS standard that has gained traction in LCNC platforms as a way to manage and deliver data through REST APIs. It’s widely adopted because it allows seamless communication between applications and data sources, regardless of the underlying data storage model. In LCNC environments, it is commonly used as a query language to retrieve data from a variety of sources, such as SQL databases, SharePoint, or Dataverse.

OData is particularly valuable in LCNC platforms because of its simplicity — developers don’t need to be database experts to use it, and the same query language can be used for very different data sources. 

The OData Injection Threat

OData injection occurs when untrusted user input is embedded, unescaped, in an OData query that an application or automation later runs against an enterprise data source. An attacker who controls that input can change the meaning of the query and thereby read, modify, or exfiltrate sensitive user and corporate data without authorization.

While SQL injection (SQLi) is generally understood by security professionals, OData injection poses a different set of challenges, especially in LCNC environments, where multiple data sources are often connected and managed by citizen developers with minimal security training. Unlike SQLi, which is confined to relational databases, OData can connect to a wide array of data sources, including custom applications and third-party services, broadening the potential impact of an attack. 

OData also lacks the well-established security practices that have been developed for SQL. For example, SQLi can typically be mitigated with parameterized queries, a practice that has become standard over the years. OData injection, however, doesn’t have a similar one-size-fits-all solution. Developers must create custom input validation mechanisms — a manual and error-prone process. In addition, the general lack of awareness of OData injection techniques further reduces the likelihood that custom validation methods will be implemented. 

A New External Attack Surface

OData vulnerabilities in LCNC environments often stem from the unrecognized risks associated with external data inputs. These are frequently integrated into workflows that manipulate critical enterprise data, including Web forms, email messages, social media, and external Web applications. These inputs typically are accepted without stringent validation, leaving the attack surface vulnerable and often undefended, as developers and security teams may overlook these sources as potential risks.  

This oversight allows attackers to exploit these inputs by injecting malicious OData queries. For instance, a simple product feedback form could be exploited to extract sensitive data or modify stored information. 

Security Challenges 

Because most citizen developers don’t have formal security training and are often unfamiliar with the dangers of accepting unchecked external inputs in their workflows, OData Injection vulnerabilities can flourish undetected.

Also, unlike SQL injection, validating user inputs in OData queries requires a more hands-on approach. Developers must sanitize inputs themselves: escaping quote characters, enforcing the expected format, and guarding against common injection techniques. This takes time, effort, and more programming knowledge than most LCNC developers have.
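The feedback-form scenario above and the manual sanitization just described, as an added example that is not from the article and not Microsoft's or any vendor's code: a product name from a form is concatenated into a `$filter` expression, and the constructed payload `' or true or Name eq '` turns a one-record lookup into a match-everything query. The hardened builder treats the value strictly as an OData string literal (a single quote inside the literal is written as two single quotes, per the OData URL conventions) and percent-encodes the result. A small scanner that skips string literals then counts boolean operators, which is a cheap check that a filter built from one form field still contains only one comparison. The entity field `Name`, the payload, and the `O'Reilly` sample are constructed for illustration.

```python
"""Added example: OData $filter injection from an unvalidated form field.

Not code from the article; the entity field `Name`, the feedback-form
input and the attacker payload below are constructed for illustration.
"""
import re
from urllib.parse import quote

# Constructed attacker input typed into a "product name" form field.
PAYLOAD = "' or true or Name eq '"


def build_filter_naive(product_name: str) -> str:
    """Vulnerable: raw concatenation into an OData $filter expression."""
    return f"Name eq '{product_name}'"


def odata_string_literal(value: str) -> str:
    """Quote a value as an OData string literal.

    OData URL conventions: string literals are single-quoted and a
    literal single quote inside them is written as two single quotes.
    """
    return "'" + value.replace("'", "''") + "'"


def build_filter_safe(product_name: str) -> str:
    """Hardened: the user value can only ever be a string literal."""
    return f"Name eq {odata_string_literal(product_name)}"


def to_query_string(filter_expr: str) -> str:
    """Percent-encode the expression for use as a $filter query option."""
    return "$filter=" + quote(filter_expr, safe="")


def _outside_literals(expr: str) -> str:
    """Return only the parts of expr that sit outside string literals."""
    out = []
    i, in_literal = 0, False
    while i < len(expr):
        ch = expr[i]
        if in_literal:
            if ch == "'":
                if i + 1 < len(expr) and expr[i + 1] == "'":
                    i += 2          # doubled quote: an escaped apostrophe
                    continue
                in_literal = False  # closing quote
        elif ch == "'":
            in_literal = True       # opening quote
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def count_boolean_operators(expr: str) -> int:
    """Count and/or/not keywords that are not inside a string literal."""
    return len(re.findall(r"\b(?:and|or|not)\b",
                          _outside_literals(expr), flags=re.IGNORECASE))


def is_single_comparison(expr: str) -> bool:
    """A filter built from one form field must contain no boolean operators."""
    return count_boolean_operators(expr) == 0


if __name__ == "__main__":
    for label, build in (("naive", build_filter_naive), ("safe", build_filter_safe)):
        expr = build(PAYLOAD)
        print(f"{label:5} {expr!r:42} single comparison: {is_single_comparison(expr)}")
    print(to_query_string(build_filter_safe("O'Reilly")))
```

Escaping covers the string-literal case only; a field name, operator, or `$orderby` value taken from user input still has to be checked against an allowlist, since no quoting makes those safe.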

Furthermore, in traditional development environments, security vulnerabilities are often tracked and remediated through ticketing systems or backlog management tools like Jira. This formal process does not exist in most LCNC development environments, where developers may not be full-time coders and have no formalized way to handle bug tracking or vulnerability management.

Mitigation Best Practices

Combating OData injection requires a proactive security strategy. Ideally, every LCNC developer would be trained on OData query risks and on how external inputs can be exploited, but because citizen developers are not full-time coders, relying on training alone is unrealistic.

Instead, automation can play a significant role in monitoring and detecting OData injection vulnerabilities. Security teams should deploy tools that continuously assess LCNC environments for potential vulnerabilities, especially as new applications and workflows are created. This will help identify weaknesses early and quickly provide developers with actionable insights into how to fix them.

Collaboration between security teams and LCNC developers is another essential piece of the puzzle. Security teams should be granted access to monitor the development process in real-time, particularly in environments where critical corporate data is being processed. When vulnerabilities are identified, security must communicate clearly with developers, offering specific guidance on how to remediate issues. This could include best practices for input validation and sanitation, as well as tools for automating the process where possible.

Lastly, security should be integrated into the LCNC development life cycle. Much like the “shift-left” movement in traditional software development, security checks should be built into the LCNC workflow from the outset. Automated testing tools can be leveraged to scan for vulnerabilities as applications are being built, reducing the likelihood of OData injection vulnerabilities slipping through the cracks.

As the adoption of LCNC continues to grow, so will the complexity of the threats organizations face. Addressing LCNC vulnerabilities like OData injection now will help keep enterprises safe in the long run.




Germany sinkholes BadBox malware pre-loaded on Android devices



Germany’s Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country.

The types of impacted devices include digital picture frames, media players and streamers, and potentially smartphones and tablets.

BadBox is Android malware that ships pre-installed in an internet-connected device’s firmware and is used to steal data, install additional malware, or give the threat actors remote access to the network where the device is located.

When an infected device is first connected to the internet, the malware will attempt to contact a remote command and control server run by the threat actors. This remote server will tell the BadBox malware what malicious services should be run on the device and will also receive data stolen from the network.

BSI says the malware can steal two-factor authentication codes, install further malware, and create email and messaging platform accounts to spread fake news. It can also engage in ad fraud by loading and clicking on ads in the background, generating revenue for fraud rings.

Finally, BadBox can be set up to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic. This tactic, known as residential proxying, often involves illegal operations that implicate the user’s IP address.

Germany’s cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker’s command and control servers. 

Sinkholing prevents the malware from sending stolen data to the attackers and receiving new commands to execute on the infected device, effectively preventing the malware from working.

“The BSI is currently redirecting the communication of affected devices to the perpetrators’ control servers as part of a sinkholing measure pursuant to Section 7c of the BSI Act (BSIG),” reads BSI’s announcement.

“This affects providers who have over 100,000 customers. There is no acute danger for these devices as long as the BSI maintains the sinkholing measure.”
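The sinkholing described above, as an added example that is not BSI's tooling and not from the article: a resolver-side policy answers any lookup of a sinkholed zone with a controlled address, so the device never reaches the real C2, and it records which client asked, which is the information an ISP would use to notify the owner. Matching is done on label boundaries so that `notc2.badbox.example` is not caught by the zone `c2.badbox.example`, and names are normalized for case and a trailing dot. The zone names, the sinkhole address, the "upstream" answers and the query log are constructed placeholders, not BadBox indicators.

```python
"""Added example: a DNS sinkhole policy in the spirit of the BSI measure.

Not code from BSI or the article. The C2 zones, the sinkhole address and
the query log below are constructed placeholders, not BadBox IOCs.
"""
from collections import defaultdict

SINKHOLE_IP = "192.0.2.10"                    # TEST-NET-1 placeholder
C2_ZONES = ("c2.badbox.example", "update.frame-firmware.example")

# Constructed resolver log: (client_ip, queried_name)
QUERY_LOG = [
    ("203.0.113.5", "api.c2.badbox.example"),
    ("203.0.113.5", "www.example.org"),
    ("203.0.113.77", "notc2.badbox.example"),   # must NOT match: not a subdomain
    ("203.0.113.9", "update.frame-firmware.example"),
    ("203.0.113.9", "C2.BADBOX.EXAMPLE."),       # case and trailing dot
]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_sinkholed(qname: str, zones=C2_ZONES) -> bool:
    """True if qname equals a sinkholed zone or is a subdomain of one.

    Comparison happens on label boundaries: the zone must match the whole
    name or be preceded by a dot, so 'notc2.badbox.example' stays clean.
    """
    q = normalize(qname)
    for zone in zones:
        z = normalize(zone)
        if q == z or q.endswith("." + z):
            return True
    return False


class Sinkhole:
    """Answers C2 lookups with the sinkhole address and records who asked."""

    def __init__(self, upstream):
        self.upstream = upstream            # callable: qname -> ip
        self.hits = defaultdict(set)        # client_ip -> {qnames}

    def resolve(self, client_ip: str, qname: str) -> str:
        if is_sinkholed(qname):
            self.hits[client_ip].add(normalize(qname))
            return SINKHOLE_IP
        return self.upstream(qname)

    def clients_to_notify(self):
        """Client IPs that asked for a C2 name (what an ISP would notify)."""
        return sorted(self.hits)


def fake_upstream(qname: str) -> str:
    """Constructed 'real' answer for names that are not sinkholed."""
    return "198.51.100.1"


def run(log=QUERY_LOG):
    """Replay the constructed log through the sinkhole; return answers and notify list."""
    sh = Sinkhole(fake_upstream)
    answers = [(ip, q, sh.resolve(ip, q)) for ip, q in log]
    return answers, sh.clients_to_notify()


if __name__ == "__main__":
    answers, notify = run()
    for ip, q, a in answers:
        print(f"{ip:15} {q:35} -> {a}")
    print("notify:", notify)
```

A resolver-level sinkhole only works while the device uses that resolver; firmware that hard-codes its own DNS server, or resolves C2 over DoH, bypasses it, which is one reason BSI says the devices should be retired rather than merely blocked.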

Infected device owners to be notified

Device owners who are impacted by this sinkholing operation will be notified by their internet service providers based on their IP address.

The agency says that anyone who receives a notification should immediately disconnect the device from their network or stop using it. Unfortunately, as the malware came pre-installed with firmware, other firmware from the device’s manufacturer should not be trusted and the device should be returned or discarded.

BSI notes that all of the impacted devices were running outdated Android versions and old firmware, so even if they were secured against BadBox, they remain vulnerable to other botnet malware for as long as they are exposed online.

“Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions in particular pose a huge risk,” warned BSI President Claudia Plattner. “We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market. But consumers can also do something: cyber security should be an important criterion when purchasing!”

Moreover, the announcement mentions that, due to the vast variance in Android IoT manufacturers and device iterations, it’s very likely that many more devices infected by BadBox or similar malware exist in the country, which BSI could not pinpoint this time.

This may include smartphones and tablets, smart speakers, security cameras, smart TVs, streaming boxes, and various internet-connected appliances that follow an obscure route from manufacturing to resell networks.

Signs that your device is infected by botnet malware include overheating when seemingly idle, random performance drops, unexpected settings changes, atypical activity, and connections to unknown external servers.

To mitigate the risk from outdated Android IoT devices, install a firmware image from a trustworthy vendor, turn off unnecessary connectivity features, and keep the device isolated from critical networks.

Generally, it is recommended that you buy smart devices only from reputable manufacturers and look for products offering long-term security support.




Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms


Dec 13, 2024 | The Hacker News | IoT Security / Operational Technology


Iran-affiliated threat actors have been linked to a new custom malware that’s geared toward IoT and operational technology (OT) environments in Israel and the United States.

The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms.

“While the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration,” the company said.


The development makes IOCONTROL the tenth malware family to specifically single out Industrial Control Systems (ICS) after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (aka INCONTROLLER), COSMICENERGY, and FrostyGoop (aka BUSTLEBERM) to date.

Claroty said it analyzed a malware sample extracted from a Gasboy fuel management system that was previously compromised by the hacking group called Cyber Av3ngers, which has been linked to cyber attacks exploiting Unitronics PLCs to breach water systems. The malware was embedded within Gasboy’s Payment Terminal, otherwise called OrPT.

Control of the payment terminal also means the threat actors had the means to shut down fuel services and potentially steal customers’ credit card information.

“The malware is essentially a cyberweapon used by a nation-state to attack civilian critical infrastructure; at least one of the victims were the Orpak and Gasboy fuel management systems,” Claroty said.

The end goal of the infection chain is to deploy a backdoor that is automatically executed every time the device restarts. A notable aspect of IOCONTROL is its use of MQTT, a messaging protocol widely used in IoT devices, for communications, which lets the C2 traffic blend in with legitimate device messaging.

What’s more, command-and-control (C2) domains are resolved using Cloudflare’s DNS-over-HTTPS (DoH) service. This approach, already adopted by Chinese and Russian nation-state groups, is significant because it hides the C2 lookups from network monitoring that relies on inspecting cleartext DNS requests.


Once a successful C2 connection is established, the malware transmits information about the device, namely hostname, current user, device name and model, timezone, firmware version, and location, to the server, after which it awaits further commands for execution.

These include checking that the malware is installed in its designated directory, executing arbitrary operating system commands, terminating the malware, and scanning an IP range on a specific port.

“The malware communicates with a C2 over a secure MQTT channel and supports basic commands including arbitrary code execution, self-delete, port scan, and more,” Claroty said. “This functionality is enough to control remote IoT devices and perform lateral movement if needed.”
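One way to turn the two traits described above (DoH resolution of the C2 name, then MQTT to the C2) into a detection, as an added example that is not Claroty's logic and not an IOCONTROL indicator: replay flow records and flag any host that contacts a public DoH resolver and, within a short window, opens an outbound MQTT connection (port 1883 or 8883) to a non-internal address. A lone DoH request is not malicious by itself, and MQTT to an internal broker is normal in OT, so the rule requires both conditions from the same source in sequence. Cloudflare's resolver addresses 1.1.1.1 and 1.0.0.1 are real; the device addresses, the external broker, the time window and the flow records are constructed. The rule checks RFC 1918 and loopback ranges explicitly rather than via `ipaddress.is_private`, because that helper also treats documentation ranges such as 203.0.113.0/24 as private.

```python
"""Added example: correlating DoH use with outbound MQTT from an OT host.

Not Claroty's detection code and not an IOCONTROL IOC. 1.1.1.1/1.0.0.1
are Cloudflare's public resolver addresses; every other address, the
window and the flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}     # Cloudflare DoH endpoints (HTTPS/443)
MQTT_PORTS = {1883, 8883}                  # MQTT plain and MQTT over TLS
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WINDOW_SECONDS = 300                       # assumption: DoH then MQTT within 5 min


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int


# Constructed flow records from an OT segment.
FLOWS = [
    Flow(1000, "10.10.1.20", "1.1.1.1", 443),        # DoH lookup ...
    Flow(1030, "10.10.1.20", "203.0.113.40", 8883),  # ... then MQTT/TLS to an external host
    Flow(1100, "10.10.1.21", "10.10.1.5", 8883),     # MQTT to internal broker: benign
    Flow(1200, "10.10.1.22", "1.1.1.1", 443),        # DoH without MQTT: not flagged
    Flow(5000, "10.10.1.23", "1.0.0.1", 443),
    Flow(9000, "10.10.1.23", "203.0.113.41", 1883),  # MQTT 4000 s later: outside window
]


def is_internal(ip: str) -> bool:
    """RFC 1918 or loopback; done explicitly so TEST-NET addresses count as external."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspects(flows, window: int = WINDOW_SECONDS):
    """Return {src: [(doh_ts, mqtt_ts, dst, dport), ...]} for hosts matching the rule."""
    last_doh = {}
    suspects = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dst in DOH_RESOLVERS and f.dport == 443:
            last_doh[f.src] = f.ts
        elif f.dport in MQTT_PORTS and not is_internal(f.dst):
            doh_ts = last_doh.get(f.src)
            if doh_ts is not None and f.ts - doh_ts <= window:
                suspects.setdefault(f.src, []).append((doh_ts, f.ts, f.dst, f.dport))
    return suspects


if __name__ == "__main__":
    for src, events in find_suspects(FLOWS).items():
        for doh_ts, mqtt_ts, dst, dport in events:
            print(f"{src}: DoH at {doh_ts}, MQTT to {dst}:{dport} at {mqtt_ts}")
```

On most OT segments the first condition alone is worth an alert, since embedded devices rarely have a legitimate reason to use DoH; the correlation is what keeps the rule usable on mixed IT/OT networks.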





Feds Charge Five Men in ‘Scattered Spider’ Roundup – Krebs on Security


Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.

A visual depiction of the attacks by the SMS phishing group known as Scattered Spider, and Oktapus. Image: Amitai Cohen twitter.com/amitaico.

The five men, aged 20 to 25, are allegedly members of a hacking conspiracy dubbed “Scattered Spider” and “Oktapus,” which specialized in SMS-based phishing attacks that tricked employees at tech firms into entering their credentials and one-time passcodes at phishing websites.

The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.

These attacks leveraged newly-registered domains that often included the name of the targeted company, such as twilio-help[.]com and ouryahoo-okta[.]com. The phishing websites were normally kept online for just one or two hours at a time, meaning they were often yanked offline before they could be flagged by anti-phishing and security services.

The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
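The domain pattern described above (newly registered names that embed the target company plus an SSO, VPN, help-desk or scheduling word, such as twilio-help[.]com and ouryahoo-okta[.]com), as an added example that is not from the indictment or from any vendor: a small triage function scores candidate domains from a registration feed against a watched-brand list, skips the brands' own domains, and accepts the defanged `[.]` notation used in the text. The brand list, allowlist, lure-word list and feed are constructed; collapsing a hostname to its last two labels stands in for a Public Suffix List lookup and is an assumption that breaks on suffixes like co.uk.

```python
"""Added example: triaging newly registered domains for brand impersonation.

Not code from the indictment or from any vendor. The watched brands,
the allowlist, the lure words and the domain feed are constructed.
"""
import re

WATCHED_BRANDS = {"twilio", "okta", "yahoo"}               # constructed
OWN_DOMAINS = {"twilio.com", "okta.com", "yahoo.com"}      # constructed allowlist
LURE_WORDS = {"sso", "vpn", "help", "login", "support", "schedule", "password"}

# Constructed feed of newly registered domains, partly defanged.
FEED = [
    "twilio-help[.]com",
    "ouryahoo-okta[.]com",
    "okta.com",
    "www.twilio.com",
    "twiliohelp.net",
    "totallyunrelated.org",
    "sso-okta-company.com",
]


def refang(domain: str) -> str:
    """Undo common defanging and normalize case."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip(".").lower()


def registered_domain(host: str) -> str:
    """Last two labels; assumption standing in for a Public Suffix List lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score(domain: str):
    """Return (points, reasons) for one candidate domain."""
    host = refang(domain)
    reg = registered_domain(host)
    if reg in OWN_DOMAINS:
        return 0, ["allowlisted"]
    label = reg.split(".")[0]
    tokens = {t for t in re.split(r"[-_]", label) if t}
    brands = sorted(b for b in WATCHED_BRANDS if b in label)   # substring match
    points, reasons = 0, []
    if brands:
        points += 1 + len(brands)          # 2 for one brand, +1 for each extra
        reasons.append("brand:" + ",".join(brands))
    lures = sorted(tokens & LURE_WORDS)    # whole-token match only
    if brands and lures:
        points += 1
        reasons.append("lure:" + ",".join(lures))
    return points, reasons


def triage(feed=FEED, threshold: int = 2):
    """Candidates at or above threshold, highest score first, then by name."""
    scored = []
    for d in feed:
        points, reasons = score(d)
        if points >= threshold:
            scored.append((refang(d), points, reasons))
    return sorted(scored, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for host, points, reasons in triage():
        print(f"{points}  {host:25} {'; '.join(reasons)}")
```

Scores like these only rank what to look at; the actionable step is the one the article implies, namely watching for fresh registrations of such names and checking them within the hour or two the phishing pages stayed live.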

In August 2022, multiple security firms gained access to the server that was receiving data from that Telegram bot, which on several occasions leaked the Telegram ID and handle of its developer, who used the nickname “Joeleoli.”

The Telegram username “Joeleoli” can be seen sandwiched between data submitted by people who knew it was a phish, and data phished from actual victims.

That Joeleoli moniker registered on the cybercrime forum OGusers in 2018 with the email address joelebruh@gmail.com, which also was used to register accounts at several websites for a Joel Evans from North Carolina. Indeed, prosecutors say Joeleoli’s real name is Joel Martin Evans, and he is a 25-year-old from Jacksonville, North Carolina.

One of Scattered Spider’s first big victims in its 2022 SMS phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group then used their access to Twilio to attack at least 163 of its customers. According to prosecutors, the group mainly sought to steal cryptocurrency from victim companies and their employees.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said Akil Davis, the assistant director in charge of the FBI’s Los Angeles field office.

Many of the hacking group’s phishing domains were registered through the registrar NameCheap, and FBI investigators said records obtained from NameCheap showed the person who managed those phishing websites did so from an Internet address in Scotland. The feds then obtained records from Virgin Media, which showed the address was leased for several months to Tyler Buchanan, a 22-year-old from Dundee, Scotland.

A Scattered Spider phishing lure sent to Twilio employees.

As first reported here in June, Buchanan was arrested in Spain as he tried to board a flight bound for Italy. The Spanish police told local media that Buchanan, who allegedly went by the alias “Tylerb,” at one time possessed Bitcoins worth $27 million.

The government says much of Tylerb’s cryptocurrency wealth was the result of successful SIM-swapping attacks, wherein crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

According to several SIM-swapping channels on Telegram that Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.

A still frame from a video released by the Spanish national police, showing Tyler Buchanan being taken into custody at the airport.

Prosecutors allege Tylerb worked closely on SIM-swapping attacks with Noah Michael Urban, another alleged Scattered Spider member from Palm Coast, Fla. who went by the handles “Sosa,” “Elijah,” and “Kingbob.”

Sosa was known to be a top member of the broader cybercriminal community online known as “The Com,” wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate networks.

In January 2024, KrebsOnSecurity broke the news that Urban had been arrested in Florida in connection with multiple SIM-swapping attacks. That story noted that Sosa’s alter ego Kingbob routinely targeted people in the recording industry to steal and share “grails,” a slang term used to describe unreleased music recordings from popular artists.

FBI investigators identified a fourth alleged member of the conspiracy — Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas — after he used a portion of cryptocurrency funds stolen from a victim company to pay for an account used to register phishing domains.

The indictment unsealed Wednesday alleges Elbadawy controlled a number of cryptocurrency accounts used to receive stolen funds, along with another Texas man — Evans Onyeaka Osiebo, 20, of Dallas.

Members of Scattered Spider are reputed to have been involved in a September 2023 ransomware attack against the MGM Resorts hotel chain that quickly brought multiple MGM casinos to a standstill. In September 2024, KrebsOnSecurity reported that a 17-year-old from the United Kingdom was arrested last year by U.K. police as part of an FBI investigation into the MGM hack.

Evans, Elbadawy, Osiebo and Urban were all charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Buchanan, who is named as an indicted co-conspirator, was charged with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

A Justice Department press release states that if convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan would face up to 20 years in prison for the wire fraud count as well.

Further reading:

The redacted complaint against Buchanan (PDF)

Charges against Urban and the other defendants (PDF)


Both systemd 257 and GNU Shepherd 1.0 are out • The Register


Everyone’s favorite Linux component has hit a milestone, while a fresh contender comes of age – with a touch of Lisp.

In news that is sure to delight the Linux world, version 257 of systemd has arrived. Just a day before its release, a major new version of another Linux init system came out, GNU Shepherd version 1.0. They’re very different ways of doing the same basic task, and we’re happy to see more options in this particularly controversial role.

The last version of systemd, back in June, merited special attention from The Register – it received two separate articles. The first highlighted an impressively tone-deaf attempt at a joke, when the Fediverse announcement proclaimed that Version 256 of systemd boasts “42 percent less Unix philosophy.” A week later, a point-release followed: systemd 256.1: Now slightly less likely to delete /home.

To recap that fun little feature, if you run the systemd command to clear up temporary files, and you don’t get it exactly right, it totally wipes the entire tree of user home directories. The headline feature of version 257 indicates to us that the repercussions of that hilarious incident are still being felt:

In summary, the developers have made a backwards-incompatible change to the format of one of its config files, which they’re reluctant to do. The change in the file-format makes it less likely that unwary use of the command systemd-tmpfiles --purge will remove all data for all users on the computer. So that’s good.

The gist is that the systemd-tmpfiles tool was named so because originally it was designed to manage temporary files. Since then, it’s grown to do much more. It manages many kinds of files that are created and removed in normal operation of a Linux computer. Its config file, which is called tmpfiles.d (and that link will tell you everything you could ever want to know about what files it can manage) now has a new specifier:

In other words, you have to specifically mark lines that describe the files that the purge sub-command will remove. It’s a small enough change, but it means that if that config file doesn’t tell it to, the command systemd-tmpfiles --purge now will not delete everything in every folder created since the first user was added. So that’s good.

It is an absolutely minimal sort of fix, though. The fact is that the name systemd-tmpfiles is not remotely accurate any more. The tool no longer just manages temporary files. The developers could have made a deeper, more generally helpful change, such as renaming the command – but that would cause more breakage. (We suspect this probably is not a function that is used often or by many people, but that’s a separate consideration.) Whether this minimal config-file-format change, which does make things safer, is a better course of action than a more drastic, breaking one such as renaming a command is a judgement call.

It’s fair to say that making the minimum possible form of change is a typical Unix sort of attitude. On the other hand, Apple’s macOS is still a certified UNIX™ and it’s made many far more sweeping changes than this – and yet it’s by far the most successful commercial Unix in history.

The other changes are mostly far underneath the covers, so to speak, and will likely be invisible to anyone who isn’t maintaining a Linux distribution. The tooling around the new Unified Kernel Image format is improved, cgroups version 1 and System V service scripts inch closer to being deprecated, it now understands volume button presses on mobile phones – showing how mainstream Linux is moving into more pockets – and it’s offloaded some old keyboard handling code to X.org. The feature that made us smile is that during shutdown, systemd hands responding to the classic “three finger salute” back to the kernel. So if systemd crashes during shutdown, with any luck Ctrl+Alt+Delete will still reboot your computer. That one sounds handy.

(The Reg FOSS desk’s top tip for rebooting balky systemd-controlled boxes is that if you press Ctrl+Alt+Del seven times within two seconds, it tells systemd to reboot immediately whatever is going on. Only try this if the machine’s not shutting down normally as it might do bad things if it’s not an emergency. It’s also worth remembering the REISUB keystroke exists too.)

Shepherding services for Guix

The other new init system in the news this week is from the GNU Project, and it’s called Shepherd. Shepherd itself isn’t new. In fact, development started in 2003, so it’s old enough to drink in the US. What is new is that the development team has released version 1.0. To go with this milestone in maturity, it also has a new logo and website.

The main distinctive thing about Shepherd is that it’s implemented in GNU Guile. Guile is the GNU implementation of the Scheme programming language, and it was intended to be the GNU Project’s standard extension language. Indeed, its original name was GEL, short for GNU Extension Language.

It is not a famous part of the story of the GNU project, but before Richard Stallman turned his hand to building a free Unix-like OS, he was a Lisp hacker, working on Lisp workstations, and he still retains his fondness for the language even now. That’s why a Lisp dialect is a core official GNU language.

Scheme is a smaller, simpler version of Lisp, originally designed for educational use. As we quoted when talking about the revival of Medley/Interlisp, there are three main branches of the Lisp family tree: the stripped-down Scheme; Emacs Lisp, which is the extension language of the 800 lb gorilla of text editors, Emacs; and the heavily standardized Common Lisp. As Steve Yegge memorably put it:

The slightly odd thing is that although it’s been around for 31 years, Guile still isn’t the basis of the GNU Project’s flagship app, the GNU Emacs text editor. Emacs’s long and tortuously complicated development history saw it move through five or six minicomputer OSes before the first rewrite for Unix by Java creator James Gosling. (The story has a twist you won’t see coming, and we recommend reading the section from about page 30, or watching Gosling’s 2019 interview from about the 2:52 mark.)

The lowest-level parts of GNU Emacs are implemented in C, but that C is used to implement Emacs Lisp, and nearly 70 percent of GNU Emacs is implemented in Emacs Lisp. You could almost say that the bulk of Emacs is implemented in Emacs. Moving it to Scheme would mean a total rewrite that would break an awful lot more user code than, say, renaming one systemd sub-command. There is an effort to do that total rewrite, the Guile-Emacs project, and it was relaunched this year.

Its use of GNU Guile makes Shepherd something of a flag-bearer for the Guile language and project. Additionally, Shepherd is the default init system of the GNU Guix distribution.

Guix is both a packaging tool and a distro built with that tool. Guix has closely comparable goals to Nix, and to the NixOS distro built with it. It aims to automate away manual package management. The key difference is that while Nix has its own, unique language for writing config files, Guix uses standard Guile Scheme, and so in theory it’s more accessible to more people. We say “in theory” because Nix itself is really pretty niche even in the Linux world, and we hear far more about Nix than Guix.

Shepherd defines services in a restricted subset of Scheme. That is probably enough to immediately either win over, or forever put off, many people. Scheme uses Lisp-style prefix notation (yes, with lots of parentheses), which tends to polarize techies. If you like Lisp and Lisp-based systems, you might enjoy Enzuru’s Lisp-centric Linux distro, which is still under construction.

We doubt that Shepherd is going to transform the Linux init system landscape, but it’s good to see one of the alternative init systems taking a step towards greater maturity. ®

Bootnote

If the rather obscure pun in our subheading isn’t clear, “Guix” is pronounced like geeks. So, no, Nix and Guix do not rhyme. They just look like they should.


Court indicts 14 North Korean IT workers tied to $88 million in illicit gains


A federal court has indicted 14 more North Korean IT workers as part of an ongoing U.S. government campaign to crack down on Pyongyang’s use of tech professionals to swindle American companies and nonprofits.

The Justice Department said the 14 indicted workers generated at least $88 million throughout a conspiracy that stretched over approximately six years, ending in March 2023. North Korea-controlled companies in China and Russia — Yanbian Silverstar and Volasys Silverstar, respectively — used the so-called “IT Warriors” to obtain false U.S. identities, pose as employees doing remote IT work in the United States and transfer funds from their employers to eventually end up in the hands of the North Korean government, according to the indictment. 

“When the defendants gained access to a U.S. employer’s sensitive business information, the defendants in some instances extorted payments from the employer by threatening to release, and in some cases releasing, that sensitive information online,” per the indictment, which the DOJ publicized Thursday.

The U.S. District Court of the Eastern Division of Missouri handed down the indictment. In addition to the indictment, the State Department announced rewards of up to $5 million for individuals and companies involved in the scheme.

“Yesterday’s indictment is the latest in a series of actions under a National Security Division initiative launched earlier this year to disrupt North Korea’s efforts to generate revenue by duping American companies into hiring its citizens for remote work,” said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division. “This indictment and associated disruptions highlight the cybersecurity dangers associated with this threat, including theft of sensitive business information for the purposes of extortion.”

The Justice Department has repeatedly targeted this specific group of alleged conspirators in an attempt to disrupt them, including court-authorized seizures of a collective $764,800 via two orders unsealed Thursday, in addition to seizures of more money and internet domains the DOJ said the group used to appeal to prospective employers.

But it’s also sought to combat the broader trend of North Korea using its IT workers for nefarious purposes, including via arrests and alerts with other federal agencies.

The charged workers’ names are Jong Song Hwa, Ri Kyong Sik, Kim Ryu Song, Rim Un Chol, Kim Mu Rim, Cho Chung Pom, Hyon Chol Song, Son Un Chol, Sok Kwang Hyok, Choe Jong Yong, Ko Chung Sok, Kim Ye Won, Jong Kyong Chol and Jang Chol Myong.

Michael Barnhart, who leads Mandiant’s North Korea threat hunting team, told CyberScoop after the indictment was announced that threat actors have recently become more dangerous since gaining employment at Western organizations.

“For the first time, we’re seeing IT workers follow through on releasing sensitive data of organizations they’ve infiltrated to pressure victims into paying exorbitant ransoms,” he said. “They’re also demanding more cryptocurrency than they ever have before. We assess that the heightened media attention and ongoing government disruptions targeting their cyber operations this past year are forcing an escalation in their tactics.”

You can read the full indictment here.


Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.


‘Dubai Police’ Lures Anchor Wave of UAE Mobile Attacks


The Dubai Police are the latest victims of impersonation by fraudsters in the United Arab Emirates (UAE), who are sending thousands of text messages out to unwitting mobile users while purporting to represent the law enforcement agency.

Researchers at BforeAI observed a recent surge in phishing attacks leveraging alleged police communications, which encourage text recipients to click on a malicious URL to respond to supposed legal trouble or to register with an “official” online portal. The included links redirect victims to fake websites designed to harvest sensitive information, including bank details or personal identification details.

The campaign uses well-crafted lures with official branding, suggesting a moderate level of sophistication, according to BforeAI. But while the lures are tailored to UAE citizens, the phishing methodology resembles a ‘spray-and-pray’ model in its broad reach.

“The campaign targets individuals likely to respond to law enforcement-related communications, of which legitimate comms of this nature are not uncommon in the UAE — targeting particularly those with a limited understanding of digital threats,” Abu Qureshi, lead for threat intelligence and mitigation at BforeAI, tells Dark Reading.

“The most striking aspect of this campaign is the calculated misuse of Dubai Police branding to establish credibility and deceive victims,” he adds. “This demonstrates a sophisticated understanding of social engineering techniques and reliance on psychological manipulation, exploiting fear and trust in law enforcement — which for citizens of the UAE is of utmost importance.”


Cybercriminals Increasingly Target UAE, Middle East

Cybercrime campaigns targeting organizations and individuals in Dubai and other parts of the UAE are noticeably on the rise. According to research from Kaspersky earlier this year, 87% of companies in the UAE have faced some form of cyber incident in the past two years.

“The UAE is a high-value target due to its affluent population, high Internet penetration, and reliance on digital services,” Qureshi says. “Cybercriminals exploit these factors alongside vulnerabilities in newly adopted technologies.”

The cybercrime spree is part of a larger trend in the targeting of individuals and organizations in some areas of the Middle East in general, he notes.

“There’s a focus on wealthy regions and individuals to maximize financial gain,” he says. “There are also regional geopolitical interests and an increased focus on Middle Eastern entities due to economic and political dynamics.”


To boot, because the area has embraced digital transformation and IT modernization with gusto, cybercriminals are targeting digital adoption vulnerabilities that come from the rapid implementation of advanced technologies without adequate protections, according to Qureshi.

Anchoring a UAE Cybercrime Campaign in Singapore

The cyberattackers behind the Dubai Police offensive appear to have used an automated domain generation algorithm (DGA) or bulk registration to quickly cycle through different domains to host malicious Web pages bent on financial fraud. Each domain is short-lived, in order to better avoid detection.

Most of those domains originated from Tencent servers based in Singapore, according to BforeAI researchers, who noted the company’s servers have hosted malicious activity before, including spam, phishing, and botnets.

“Tencent, a Chinese-based technology giant, maintains a significant hub in Singapore, leveraging the city-state’s strategic location and robust digital infrastructure,” says Qureshi. “Despite Singapore’s strong cyber-resilience and rigorous policies to address malicious activity, its status as a global tech hub makes it a prime location for abuse of legitimate platforms by cybercriminals.”


Qureshi adds that the presence of malicious activity on Tencent servers could be due to the exploitation of legitimate services.

“High-traffic servers can be abused to host or relay malicious content without the company’s direct knowledge,” he explains, adding that jurisdictional complexity could also be at play: “Singapore’s law enforcement may face challenges in coordinating with foreign entities and differentiating criminal use from legitimate operations. While Tencent is based in Singapore — they are a Chinese firm.”

Two of the registrants were found to be from India and Dubai itself, with suspicious names suggesting that they originate from a legitimate company, according to the research. For the most part though, the cyberattackers have managed to keep their identity anonymous.

Tencent did not immediately return a request for comment.

How Organizations in the Middle East Can Protect Against Cyber Fraud

For organizations in the region, campaigns like this should prompt changes in risk management, Qureshi advises. Although the phishing messages are broad-based, in the age of the mobile office, even campaigns designed to hit individuals can end up affecting companies.

Common-sense security hygiene includes the basics, like double-checking the official domain of the Dubai government and the payment portal before proceeding with any payment, as well as looking for red flags like a missing HTTPS protocol, broken links, out-of-place Web designs, or suspicious phrasing or grammar.

Qureshi advises organizations to take several additional steps to mitigate their risk, including:

  • Enhanced monitoring: Implement robust predictive phishing detection systems and actively monitor for misuse of branding;

  • Awareness programs: Train employees on phishing recognition and reporting;

  • Collaboration: Work with CERTs and law enforcement to address identified threats;

  • Incident response: Develop and test response plans to address phishing-related breaches;

  • Reporting: Alert phishing reporting websites such as Etisalat and DU when employees receive phishing messages;

  • And continuous vigilance: Adopt a proactive cybersecurity stance to protect brand reputation and customer trust.
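As an added illustration of the red flags listed above and the "enhanced monitoring" step (example code written for this page, not from BforeAI or Dark Reading), a small SMS triage filter run over constructed sample messages. The official hostnames, brand terms and urgency phrases are assumptions to be replaced with the portals an organisation has verified out of band.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption, not from the article): hostnames the
# organisation has verified out of band as the genuine police/payment portals.
OFFICIAL_HOSTS = {"dubaipolice.gov.ae", "www.dubaipolice.gov.ae"}
BRAND_TERMS = ("dubai", "police")          # branding the lures abuse
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(
    r"\b(fine|penalty|legal action|arrest|warrant|suspend(?:ed)?|"
    r"within \d+ hours?|immediately)\b", re.I)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{6,}")
MIXED_ALNUM = re.compile(r"[a-z]\d|\d[a-z]")

def looks_generated(label: str) -> bool:
    """Heuristic for bulk/DGA-registered names: letters and digits interleaved,
    or long consonant runs that a human-chosen brand name would not contain."""
    return bool(MIXED_ALNUM.search(label) or CONSONANT_RUN.search(label))

def analyse_url(url: str) -> list[str]:
    """Return the red flags the article lists for one link: missing HTTPS,
    police branding on a host that is not the official one, DGA-like domain."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("no-https")
    if host in OFFICIAL_HOSTS:
        return reasons                     # trusted host; only the scheme matters
    if any(term in host for term in BRAND_TERMS):
        reasons.append("brand-in-unofficial-host")
    labels = host.split(".")
    # The second-to-last label approximates the registrable name (it ignores
    # two-level public suffixes such as .co.uk, which is good enough for triage).
    registrable = labels[-2] if len(labels) >= 2 else host
    if looks_generated(registrable):
        reasons.append("dga-like-domain")
    return reasons

def score_sms(text: str) -> dict:
    """Classify one SMS. A message is suspicious when any embedded link carries
    a flag; urgency wording is reported as supporting context, not on its own."""
    reasons = []
    if URGENCY_RE.search(text):
        reasons.append("urgency-language")
    url_flags = []
    for url in URL_RE.findall(text):
        url_flags.extend(analyse_url(url))
    reasons.extend(url_flags)
    return {"suspicious": bool(url_flags), "reasons": reasons}

# Constructed sample messages (not real lures from the campaign).
SAMPLE_SMS = [
    "Dubai Police: unpaid traffic fine. Pay within 24 hours to avoid legal "
    "action: http://dubai-police-fines.xyz/pay",
    "Register on the official portal: https://dubaipolice.x7k2q9.top/register",
    "Dubai Police: your case update is available at "
    "https://www.dubaipolice.gov.ae/",
    "Lunch at 1pm?",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        verdict = score_sms(sms)
        label = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(label, verdict["reasons"], "|", sms[:60])
```

The flags are meant to be fed to a SOC queue or brand-monitoring alert rather than used to block messages outright; a legitimate reminder that points at the allowlisted portal produces no flag.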

And finally, “this Dubai Police campaign highlights the globalized nature of cybercrime, where local targets are exploited using international infrastructure,” Qureshi warns. “The importance of cross-border cooperation and leveraging threat intelligence to stay ahead of evolving tactics cannot be overstated.”
