Onion World News

Twenty-three persons who were involved in the Business Email Compromise (BEC) scheme that scammed companies of about $1.2 million have been apprehended and charged by a collaborative investigation led by Europol.

The unnamed suspects were arrested in series of raids at 34 different locations in 3 different countries including Romania, the Netherlands, and Ireland.

The cybercrime group created cloned webpages and fake email addresses that looked exactly like those belonging to real, legitimate companies and sold fake Covid-19 protective equipment across many countries specifically to companies in Asia and Europe.

The victimized companies were cleverly tricked by the criminals into placing orders on their fake websites, asking payments to be made in advance while they wait for goods to be delivered.

The expected delivery of the goods paid for by the victims never occurred, while the monies paid was laundered through many bank accounts controlled and domiciled in Romania after which the scammers cashed out using Automated Teller Machines (ATM).

The criminal suspects were reported to be of African descent but resident in Europe.

Europol disclosed its team of cybercrime experts launched an investigation into the activities of the cybercriminal gang in 2017 and confirmed the group has also been involved in the sale of other fake goods before the Covid-19 pandemic.

The health information of dependants, former and current employees of the United States Waste Management Resources have been exposed after the company noticed some suspicious activities on their database systems.

To verify these claims, the services of forensic experts were deployed to investigate the suspicious activities to know the scope and nature of the malicious operation and subsequently, inform the Federal Bureau of Investigation (FBI) for further investigative action.

The outcome of the investigation revealed an attacker obtained unauthorized access into the company’s database and took some files which included names, driver’s license numbers, state, and government ID numbers, Social Security numbers, dates of birth, credit, and debit card numbers as well as bank account numbers.

Also, health insurance information, the password for financial electronic accounts, medical history of staff members and their dependants, passport numbers, and usernames were exposed.

The unknown hacker was able to access the healthcare information of certain staff who submitted claims to its self-insured health plan.

The spokesperson of Waste Management Resources stated that the company regrets the data breach incident that may have affected certain job applications and employment-related information and restated their commitment to the safety and security of data within their network.

He admonished the affected individuals to check their credit reports and call for a fraud alert or freezing of credit to prevent any suspicious activity on their accounts.

The data breach, however, has no interruption with business activities and efforts have been in top gear to keep it in check and avoid future occurrences.

Some security consultants who knew of the incident have questioned the need for sensitive information such as passport numbers and passwords to individual bank accounts would be collected and stored in an HR system.

A major Singaporean telco, StarHub, has disclosed that its data file comprising mobile phone numbers, identity card numbers, and email addresses belonging to 57,191 individual customers who subscribed to its services was exposed and victimized in a data breach.

The compromised data was found to have been uploaded illegally to a 3rd party data dumpsite. Though its IT systems and database were not involved, there is no sign that any data had been tampered with which further confirmed that credit card and other bank account information of customers are safe.

Since the data breach was discovered, the company swiftly set up an incident management team in collaboration with cybersecurity experts and concerned authorities to facilitate the retrieval of its customers’ data from the dumpsite and also review current security architecture to shield critical infrastructure and systems.

Affected customers have been notified and complimentary credit monitoring for 6months has been given to them.
The CEO of StarHub, Nikhil Eapen, has apologized for the unfortunate incident, reiterating that customer privacy and data security are critical concerns for the company and would continue to take standard measures to protect them and ensure their safety.

A spokesperson for StarHub however confirmed the company has scrutinized and verified the integrity of its network infrastructure and found that no StarHub customer database or information systems have been compromised.
He stated that the services of a cybersecurity firm have been deployed in collaboration with concerned stakeholders to unravel what went wrong.

Security researchers at WizCase have discovered that the personal data of over three million senior citizens of the United States had been exposed. The discovery was facilitated through a review website, SeniorAdvisor, in a security oversight.
A misconfigured Amazon S3 bucket was discovered that meant that data, including phone numbers, emails, and users’ surnames have been exposed.

The WizCase research team also disclosed that about 2000 scrubbed reviews were found in which sensitive data of the users have been edited or totally wiped off. These reviews, however, could be traced back to the author of the post as they had a lead ID.

The dangerous aspect of this breach is the fact that senior citizens are, in particular, exposed to fraud which may include calling or emailing a user and disguising as a bank or government official with intent to obtain sensitive financial information, adding users to a robodialer list, and phishing emails that manipulate users to input sensitive information into malicious websites.

The process of disclosure was not clear enough said the WizCase cybersecurity team because the affected company was contacted through the assistance of AWS security on two different occasions without a response.

Eventually, a review website, SeniorAdvisor was contacted by a journalist and that gave an insight into the assumption that the breach was secured even though it is yet to be confirmed whether affected people have been notified. The data breach, however, is confirmed to have been corrected.

United States Healthcare provider, Forefront Dermatology, has announced there is a breach of its network, which may have exposed the medical records and personal data of about 2.4 million patients.

The staff records of the organization based in Wisconsin, have been placed at risk from the breach of its data which made intruders secure unauthorized access to some files on its IT systems that contain the information of employees and patients.

Having recognized this ugly development early enough, the company swiftly took its network offline to prevent the situation from getting even worse.

The information that has been exposed included patient names, dates of birth, living addresses, patients account numbers, healthcare provider names, health insurance plan member ID numbers, medical and clinical treatment information among other sensitive data.

However, there is no evidence that patients' driver's license numbers, Social Security numbers, or financial account/payment card information was also involved, Forefront Dermatology submitted.

Forefront Dermatology is planning to bring the new development to the notice of her patients, who have been admonished to check through their healthcare statements in case of any breach.

The healthcare provider is also putting structures in place to brace up its control of security to prevent future hacks.

The incident is being monitored by regulators at the US Department of Health and Human Services, the agency that confirmed the incident affected about 2,413,553 individuals.

Fionn Kelleher and Adam Conway, both, citizens of the republic of Ireland, have saved the government of Ireland and millions of its citizens from what that could have been the country’s biggest ever recorded information leak and scammers would have used the medium to obtain personal information of unsuspecting citizens.

The two smart citizens spotted a typo error in the newly launched URL for Ireland’s new covid-19 recovery certificate portal, quickly registered the correctly spelt domain, and through the domain, redirect visitors to the official website.

The typo error was spotted in the original official domain; ‘irishcovidcertifcateportal.org’ which has an omission of letter (i) from the word ‘certificate’, and that could have been spotted by scammers who could create a URL with accurate spelling and millions of citizens would have used the correctly spelled URL to register their sensitive information without knowing they are expressly entering their confidential information into the scammer’s website.

The misspelled official URL was designed to obtain visitors’ dates of birth, cell phone numbers, and Personal Public Service (PPS) Numbers, which is used to access government services.

The official Irish covid-19 URL was launched to register Irish citizens who recently recovered from covid-19 in the past 6 months and allow them complete an online form in application for digital covid certificate.

The republic of Ireland’s Department of Health now use a new, shorter domain: irishcovidcertportal.org even though the choice of a .org domain instead of a .gov is still throwing up questions from different quarters.

A renowned UK-based loyalty Mgt software company, Antavo, has rolled out a bug bounty program with a Hungary-based cybersecurity outfit, Hacktify.

The bug bounty program is designed to collect submissions from professional hackers for any security errors detected in its loyalty management application and reward them for any bug or critical vulnerabilities found.

Each qualifying security flaw found is to be rewarded up to $283.

Antavo has always set aside a sizeable amount of resources to improve infrastructure and further develop its team of experts to provide privacy and data protection for its customers and clients.

A low-severity bug and 3 critical vulnerabilities have been submitted to the company. Since the bug bounty program was launched in early July, it has paid a bug bounty reward.

PepsiCo, BMW, BREWDOG, SHOEBALOO, LILLYDOO, TELARUS, and AbInBev are some of the big names Antavo is servicing. They are dishing out professional service delivery to keep that high level of clientele.

Antavo further explained that they chose to work with Hacktify because the platform is affordable and therefore, preferable to the white hackers.

Hacktify is well known in the industry and has a well-structured background. They have high-quality check principles: reproducible, in-scope, 100% clarity, and recommendation to fix.

The most popular search engine in the world, Google, has come out with another version, Chrome 92. The latest version has been designed to detect phishing scams fifty times faster than the last version of the Chrome browser.

This improvement simply implies that users of the latest version, Chrome 92, will receive a notification warning immediately they land on a malicious website so they can better protect themselves or navigate their way out of the dangerous site at once.
Phishing classification results will no longer be attained in 1.8 seconds which it used to be but can now be obtained in 100 milliseconds.

The speed development makes it possible for users to get immediate notification and could stop users from inputting their password in case of entering a malicious domain. The streamlined detection algorithm lessens the burden on the Central Processing Unit time and therefore, elongates battery life.

The development team of Chrome was able to achieve this by way of computational tweaks. This is how Chrome views the color profile of a web page by analyzing the frequency and range of colors present in comparison to those familiar with phishing domains.

The colors in each pixel are counted and stored in hashmaps (for green, blue and red colors).

To preserve privacy, the safe browsing mode should be activated. This enables images to be swiftly analyzed by the user’s machine instead of being done outside the browser.

No More Ransom, a website that is made up of a collection of powerful ransomware decrypting tools, was set up to assist victims whose data/files have been maliciously compromised and recover them from ransomware attacks. Over 600,000 victims have been assisted by the decryptors in its repository to recover their files without any need to pay cyber criminals that are peddling malware money for data recovery.

The Europol’s European Cybercrime Centre, Kaspersky, Dutch National Police’ High Tech Crime Unit, and McAfee collaborated to create the No More Ransom platform. Five years running, the initiative has 170 collaborators working together internationally both from the private and public sectors. 

The portal provides 121 decrypting tools published on the website by member-collaborators and the tools can be used to decrypt about 151 ransomwares.

The No More Ransom website was created in 37 different languages to give people of different language backgrounds and countries the opportunity to access and make optimal use of the website.

The initiative, findings revealed, has deprived cybercriminals of about $1.06 billion.

Following the increasing rate of cyber-attacks, The United States Department of State’s Rewards for Justice (RJF) has come up with a bounty reward of $10 million for anyone who can provide any useful information that can lead to the location and identity of state-sponsored cybercriminals.

The criminals have launched several cyber attacks on the critical infrastructure of the United States, which violates the computer fraud and abuse act.

These criminal activities include; intentional damage to a protected computer without authorization, ransomware attack threats, illegal access to a computer to steal sensitive information and data among others.

A Tor-based reporting channel has been created on the dark web by the US authorities to protect the security and safety of credible information providers which can lead to the source and identity of the perpetrators of the incessant cyber-attacks.

The $10 million reward could be paid in cryptocurrency option if so desired. The United States authorities confirmed in their statement.

The offer of a reward was introduced to stem the tide of increasing cyberattacks against the United States’ critical infrastructures that have spiked outrage across the length and breadth of the country.

Earlier in the year, a sum of $4.3million worth of Bitcoin was received by cybercriminals from the gas supply company, Colonial Pipeline as a result of a ransomware attack on its sensitive data which cut off the supply of gas to many east coast states.

However, some security professionals opined that paying the ransom demanded by attackers will not solve the cybersecurity challenges, but, will rather fortify and encourage the perpetrators to prepare for the next target as huge financial gains are attached.

Security researchers have warned attackers can exploit the vulnerabilities detected in the biometric access control devices that were manufactured by IDEMIA to carry out their nefarious activities.

Three vulnerabilities that affect finger vein/fingerprint-reading MA VP MD devices, fingerprint-reading products SIGMA and MorphoWave, and versions of facial recognition device VisionPass have been detected by researchers.

These vulnerabilities could allow attackers to bypass devices’ biometric identification and distantly open walls controlled by these devices to penetrate secured areas through the remote code execution. Service denial and the reading/writing of arbitrary files are some other threats attackers could launch against some of the devices manufactured by IDEMIA. 

Vulnerability CVE-2021-35521 with a common vulnerability scoring system of 5.9 is a kind of bug that can allow attackers to have an unauthorized execution of commands, making it possible to read/write arbitrary files on affected devices.

Common Vulnerability Exposure 2021-35522 has a common vulnerability score of 9.8 could pave way for attackers to distantly execute arbitrary code.

Another Common Vulnerability 2021-35520 with a CVSS of 6.2 occurs within the serial port handler as a result of the attacker’s access to it which ultimately causes service denial.

The vendor, IDEMIA, has patched all the vulnerabilities. It published a security advisory in pdf listing all affected devices and how to fix them.

Applying TLS server authentication on the device, feeding it with the public certificate of the access control server can reduce the possibilities or totally eradicate any form of vulnerabilities.

 The United States Department of Homeland Security (DHS) has directed that tighter security controls be implemented on critical pipelines following the recent attack on Colonial Pipeline.

The order is directed to pipelines moving natural gas and dangerous liquids categorized by the Transportation Security Administration as “critical”.

The directive by the Department of Home Security is to better ensure the pipeline sector takes the necessary steps to protect their operational activities from increasing cyberattacks, and better shield economic and national security.

Specific measures are expected to be implemented to develop and effect a cybersecurity contingency and recovery plan, shield against ransomware attacks and other known threats to operational technology systems and IT, and conduct a review of cybersecurity architecture design.

This security directive is specifically made for the concerned sector alone and therefore, considered as security-sensitive.
A security expert, Michael Fabian, believes that in case of ransomware attack for damage control and continuity of the business standard security practices on incident and disaster responses are very important.

He further stated that OT/IT security controls must include secure configurations, incident response, and disaster response planning, asset inventories, network and host protection technology, and technical solutions around backup and recovery.

When all these strategies are in place, the effects of ransomware attacks will be drastically reduced and organizations will not be at the mercy of cybercriminals demanding ransom payments to restore service operations.

As incidents of cyberattacks continue to rise in the United States, Jefferson Health, a US healthcare provider, has announced that some information of its patients may have been exposed following a breach on third-party Elekta systems.

Medical record numbers of patients, clinical information related to treatment, patients’ names and dates of birth, and some of patients’ Social Security numbers were included in the data that have been exposed.

However, Insurance, payment card information, and financial account were not captured, the healthcare provider submitted.

 The breach was targeted at Smart Clinic, a cloud-based mobile application that was manufactured by Elekta’s systems that controlled a database of cancer patients at one of Jefferson Health’s fourteen hospitals, Sidney Kimmel Cancer Center.

The mobile application, Smart Clinic, gives clinic providers access to information about patients undergoing cancer treatment.

The healthcare provider, Jefferson health, reported it regretted the sad incident and promised to put measures in place to prevent a reoccurrence. It further stated that affected patients would be contacted accordingly and given free credit monitoring services.

In its continued efforts to protect its users from threats and attacks, the popular browser, Mozilla, is set to release its latest version of Firefox 91, which has been designed to process HTTPS in Private Browsing mode by default.

This implies that the Firefox browser will first establish a secure, encrypted HyperText Transfer Protocol (HTTP) connection to a website when users click on an insecure link on a web page or when they enter a risky HTTP Url in the address bar.

This development indicates a major improvement in how Firefox 91 handles insecure connections, Mozilla said.

They further analyzed that the new HyperText Transfer Protocol Secure (HTTPS) by the default policy in the Firefox private browsing windows is not directly applied to the loading of in-page components like styles, images, or scripts in the websites that users are visiting; its basic function is to ensure that the page itself is securely loaded.

In the majority of cases, loading a page over HyperText Transfer Protocol Secure (HTTPS) will also cause those in-page components to load over HTTPS.

If a website cannot support HyperText Transfer Protocol Secure (HTTPS), Mozilla stated that it will fall back to HTTP, which means its protection covers only passive attackers other than active attackers.

The latest development by Mozilla is frankly a right move in the right direction, even though critics argue that much more is expected from the world’s top-ranking browser.

Reactions from critical stakeholders indicate a shortfall in the new invention as the protection applies only to Private Browsing Windows, and it is not switched on for normal browsing sessions by default.

However, some concerned experts stressed the need for continued implementation of more security measures for an improved data and privacy protection.

A team of security researchers based in Germany has discovered a hacking technique that allowed them to bypass the domain validation technology of a non-profit certificate authority that gives owners of domain with SSL certificates used in authenticating sites that use Hypertext Transfer Protocol Secure (HTTPS).

The vulnerability discovered in the Let’s Encrypt mechanism that is used to authenticate the web domain ownership, allows cybercriminals to get digital certificates for domains without hassles.

 The distributed domain validation technology was created in February 2020 to prevent manipulator-in-the-middle attacks due to border gateway protocol-based hijacking attacks earlier experienced by the organization.

The technology, however, was prone to a downgrade attack in one form because of how the vantage points select nameservers in the target domains which can be manipulated via a remote adversary.

One other vulnerability of the technology is that the vantage points are chosen from one small, fixed set of 4 cloud-based systems.

What the downgrade attacks do is undermine multiple vantage points to multiple nameservers within the system by reducing it to multiple vantage points to one attacker-selected nameserver. The system is manipulated into using a nameserver by bringing to other validation nodes, high latency connections.

The researchers discovered that attackers succeeded in launching attacks against one out of every four domains in controlled tests.

Fraudulent certificates of about one-tenth of a million domains tested amounting to one hundred and seven thousand domains were obtained using an automated off-path attack designed by the researchers to target this vulnerable subset of domains.

Also, the effectiveness of their attacks against other leading certificate authorities was evaluated and the researchers discovered that the developed techniques had deprived Let’s Encrypt of the security advantages it would have benefitted from.

An association of hackers based in Germany, the Chaos Computer Club (CCC), has announced that it will withdraw its alliance with Germany’s ruling political party, Christian Democratic Union (CDU), after one of its activists was allegedly threatened with legal prosecution by the latter following a security bug report.

A security researcher, Lilith Wittmann, found security flaws in the mobile app that the Christian Democratic Union (CDU), used to run their electoral activities and canvassed for votes in the last federal election season.

Wittman’s disclosure revealed the mobile application’s web Application Programming Interface (API) had a security flaw that allowed unauthorized access to personal data and information of about 18,500 campaigners, which included photos and their email addresses.

What further complicated the matter was that the dates of birth, residential addresses, and interests of one thousand, three hundred and fifty users could also be accessed through the Application Programming Interface (API).

Wittman decided to be modest with his discovery. He did not publicize the security vulnerability he discovered, but rather submitted them to Computer Emergency Response Team-Bund, the data protection officer in Berlin, and the data protection department of The Christian Democratic Union. Immediately after the report filtered in, The CDU shut down the mobile app and alerted its users that a data leak was feasible.

Following Wittman’s private disclosure of the security flaws he discovered to the concerned authorities, It was learned that the Christian Democratic Union (CDU) allegedly filed a lawsuit against him (Wittman).

The development did not go well with the members of the Chaos Computer Club and they criticized the Christian Democratic Union party for being ungrateful and liked their action as shooting the messenger.

The CCC further stated that it would no longer report any vulnerability discovered as a result of the CDU’s action.

A security researcher has received a total of $7,500 in bug bounty after he discovered a vulnerability in a popular steam gaming platform. The security flaw could allow gamers to credit their in-game Steam wallet account by increasing the value of deposits artificially.

Alerted by the discovery, the creator of the Steam gaming platform, Valve Software, swiftly swung into action to remedy the flaw which was reported to open up a loophole that could allow unlimited funds’ cheat.

The discovered flaw was published by HackerOne, a publication with a focus on security reportage that describes how the security researcher who discovered the vulnerability in the Steam gaming platform analyzed the process by which an attacker would have to first modify his Steam account email to an address with an input of ‘amount100’.

Having done that, a potential attacker would move to fund their wallet by choosing an option that accepts Smart2Pay as the method of payment, after which a payment of $1 will be made.

Smart2Pay is an electronic Dutch payment services system made for merchants who engage in online transactions.
When the corresponding POST request to the Smart2Pay API is intercepted by the attacker, a response would be found that could be edited to replace the payment amount, which could be edited to a bigger amount than the amount that was actually paid ($100 other than $1).

The manipulation can only be effected where ‘amount100’ appears in the email of the Steam account and will change back to the original value before the doctored request is submitted.

The Valve Software spokesperson expressed sincere appreciation to the researcher who discovered the vulnerability in their Steam gaming platform early enough to allow prompt fixing of the flaw without any negative impact on customers.

A discovered vulnerability that could permit an attacker to remotely hijack a domain in Node.js has been fixed.

The JavaScript runtime environment engineers have advised users to protect their applications against series of bugs by updating to the latest version.

The first Common Vulnerabilities and Exposures-2021-3672/Common Vulnerabilities and Exposures-2021-2293) is a result of poor handling of characters in domain names, that gave access to cross-site scripting (XSS) or remote code execution (RCE) exploits.
The high severity flaw also caused the crashing of the application occasioned by the missing of input validation of hostnames which was returned by Domain Name Servers (DNS) in the library of Node.js DNS.

This has been observed to lead to incorrect hostnames’ output, which can result in injection vulnerabilities in applications that use the library as well as domain hijacking.

 A second Common Vulnerabilities Exposures-2021-22939 is the uncompleted validation of rejectUnauthorized parameter.

If the Node.js Hypertext Transfer Protocol Secure Application Programming Interface was incorrectly used and the rejectUnauthorized parameter was in passed undefined, there was no returned error, therefore, the connection to the server using an expired certificate would be taken. This is classified as low severity.
 
 Finally, a use-after-free flaw Common Vulnerability Exposure-2021-22930 that could permit an attacker to manipulate corruption of memory to alter process behavior was added as a backup fix when it was discovered that previous efforts did not completely address the issue.

To stand protected against the flaws, users have been advised to upgrade to the latest version of Node.js.

Three vulnerabilities classified as high risk has been discovered in the popular fitness and gym management application, Wodify. The vulnerabilities could let the unauthorized user modify production data and access sensitive private information.

More than 5,000 gyms around the world use Wodify to run their businesses. It is widely used in the United States with CrossFit boxes as a performance tracking application, and to process membership payments.

The three flaws detected in the Wodify app could allow an attacker to tamper with its payment settings, read and modify the data.

Following an unsuccessful process of disclosure, the detected flaws are still unpatched and it has been dragging on for six months.

The workouts of all users on the Wodify platform can be read and modified as a result of an insecure direct object reference (IDOR) vulnerability detected in the application and the fact that the access was not limited to a single box, gym, or tenant, all entries worldwide could be viewed and subsequently, altered.

This vulnerability could permit an attacker to insert stored JavaScript payloads that are malicious thereby opening up to cross-site scripting (XSS) exploits. The attacker could then take control of a user’s session, steal the user’s JSON Web Token (JWT) or steal a hashed password.

The financial damage could be devastating and would negatively affect the owners of the CrossFit boxes and the gym, as having their accounts compromised would allow the attacker to update payment settings, and direct members’ payments to the attacker instead of the legitimate, real owners.

The vulnerability is yet to be patched as efforts that were made to reach out to Wodify to provide credible information relating to when the flaws would be fixed failed. However, Wodify customers have been advised to reach out to their service providers and ask when this bug will be fixed.

A US medical imaging center based in Atlanta, Georgia, Express MRI, has disclosed the medical information of its patients may have been accessed in a data breach.

The data breach which dates back to the 10th of July, 2020 was noticed when unauthenticated emails were sent from the Express MRI email account.

At first, it was conceived that medical data were not affected, but the result of another round of investigation revealed that some information of patients were read, or exported. 

It was confirmed that Social Security numbers and financial information of patients were not involved, however, breached data included patients’ addresses, names, dates of birth, and email addresses.

More information on exposed data also involved the name of the referring physician, the scanned body part, and whether the scan was connected to the motor vehicle accident investigation or a workers’ compensation claim.

The impact of the breach is yet to be ascertained, but the CEO of Express MRI, Alex Halpern has apologized to the affected patients and reiterated the organization’s commitment to protecting patient’s privacy and information.

He further stated that the security architecture has been strengthened to prevent potential hacks in the future.

The renowned music-sharing site, Audiomack, is partnering with Bugcrowd to launch a public bug bounty program in an effort to encourage security researchers to share information in case of suspected vulnerabilities.

The music service is running its new Vulnerability Disclosure Program (VDP) which it had previously for almost one year.

This time, Audiomack is opening up the bug bounty program to all security researchers with a promise of a very competitive reward for individuals who can promptly detect a vulnerability in their system network.

The director of engineering at Audiomack, Sean Coker, explained that the previous Vulnerability Disclosure Program (VDP) has aided the company to sort and prove the existence of potential vulnerabilities, thus, allowing the company’s engineers to work on fixing the bugs.

Throwing the bug bounty program open provides Audiomack the opportunity to a broader range of testing skills and discovery of potential threats that can be fixed before being exploited by attackers.

The Vulnerability Disclosure Program will not cover any attempts to use social engineering, brute-force attacks, or security defects associated with third-party vendors, to secure access to Audiomack systems.

The number of high-severity and critical vulnerabilities that were discovered by researchers on Audiomack systems increased by 73% from 2019 to 2020 Bugcrowd submitted.

Malicious activities which included Remote Code Execution (RCE) have been carried out in Aruba Network routers due to multiple vulnerabilities that were discovered.

Security researchers discovered eight vulnerabilities in the Aruba Instant software, which allow the settings of Aruba routers to be configured by the administrators.

As a result of these vulnerabilities, Aruba routers have been used by some security experts to access the internet from different quarters and this could be dangerous if accessed by real attackers.

One of the vulnerabilities found was command injection vulnerability. It was detected in the Command Line Interface (CLI) and it provided access to download files to the server and create directories.

The same vulnerability was used through the web interface’ query string that interacts with the Command Line Interface (CLI) module.

Aruba routers are configured through a restricted command-line interface. The Aruba router has an associated Computer Generated Imagery (CGI) portal which allows users to send commands to the Command Line Interface (CLI) through the web interface.

With the chain of vulnerabilities discovered in Aruba routers, It is evident that attackers can remotely control them and access their network without a physical presence in as much as the attacker is operating on the same network. A simple query sent to the search engine of the device showed thousands of exposed routers.

The effects of having routers that are vulnerable in public locations and that can be accessed via the internet can be devastating in realizing the fact that Aruba is a major supplier of gear for notable enterprises like universities, hospitals, and airports. However, information emanating from Aruba reveals that the bugs have been fixed.

Security researchers have advised that a cross-site scripting (XSS) vulnerability discovered in a popular WordPress plugin, SEOPress, could give way to an attacker to take total control of a website.
Whenever a user accessed the ‘All Posts’ page, the security defect allowed an attacker to inject arbitrary web scripts on a vulnerable website that would execute anytime.
One of the available features in SEOPress is the ability to add description posts and an SEO title that can be executed through a newly introduced REST-API endpoint or while saving edits to a post. However, the REST-API endpoint was implemented insecurely,
“The endpoint’ permissions_callback validates only when a user has in the request, a valid REST-API nonce.

Using the rest-nonce WordPress core AJAX action, REST-API nonce that is valid can be generated by a user that is authenticated. This connotes that a subscriber, or a user that is authenticated with a valid nonce, can call the REST route, update the Search Engine Optimization title and the description for any post.

Due to an escape on the stored computer or a lack of sanitization, the payload could include malicious web scripts which would execute any time the ‘All Posts’ page is accessed by a user.

A variety of malicious actions like arbitrary redirects, webshell injection, new administrative account creation, and many more can be facilitated due to Cross-site scripting (XSS) vulnerabilities of this nature.

This vulnerability can be used by an attacker to take over absolute control of a WordPress site.

WordPress has patched the vulnerability in its 5.0.4 version and recommended that users update the plugin at once.

The United States’ Indiana Department of Health has issued a statement stressing that personal data of its citizens, obtained via the Covid-19 contact tracing survey, have been accessed improperly by a security vendor.
The Indiana Department of Health announced it would bring to the notice of about 750,000 of its citizens that its Covid-19 contact tracing data have been improperly accessed.
Names, dates of birth, gender, address, ethnicity, and email addresses were part of the information that was exposed. However, no medical information or sensitive financial information was involved.

The US state of Indiana’s Health Commissioner, Kris Box, said: No medical information and Social Security numbers of its citizens on the Covid-19 contact tracing survey were obtained and that the risk involved in the accessed information is low.

One year of complimentary credit monitoring services has been provided for affected Citizens while the software configuration flaw which resulted in the leaking of the data have been remedied by indigenous security experts of The US State of Indiana.

A cybersecurity firm, UpGuard, has been fingered in the whole issue and accused as responsible for the illegal access into the Covid-19 contact tracing database, the spokesperson for Indiana said in a statement. UpGuard in response criticized the statement saying the data was left openly accessible on the net.

A Florida-based woman, Medghyne Calonge, 41, has been found guilty by a unanimous decision of jurists of the US Southern District of New York for having unauthorized access to a protected computer and causing major damage to an organization after her employment was terminated.

Calonge was arraigned and found guilty on a two-count charge. One, for gaining unauthorized access to a protected computer and causing major damage, two, for knowingly causing damage to a protected computer.

According to a US Department of Justice (DoJ), investigations revealed Calonge angrily deleted tens of thousands of human resources records at her former employer’s place when she was relieved of her post as the head of human resources because she could not meet up the minimum requirement expected of her having stayed in the job for 5 months.

Further facts showed that while she was being terminated, and just before the security guards escorted her from the building, two staff observed Calonge repeatedly hit the delete key on her desktop computer. Later, Calonge violently and uncontrollably walked through the internal network of the company, erasing over 17,000 resumes and job applications.

Her actions were uncalled for as vital information that is very useful to the employer’s company was wiped off. This cost the company time and a lot of money to repair.

Calonge’s former employer has been reported to have spent more than a hundred thousand dollars on the case even though recovering all lost data was not feasible.

Having found Calonge guilty of these crimes, she now subsequently awaits her sentencing.

By the submission of the US Department of Justice (DoJ), the charge of damaging computers intentionally carries a maximum jail term of ten years, while damaging computers recklessly carries a maximum jail term of 5 years.

A new finding by Rapid7 has revealed there is a vulnerability that gives attackers a chance to run arbitrary commands on devices and servers running the security software on the web application firewall (WAF) of Fortinet.

Fortinet gives FortiWeb an offering of SaaS as well as hardware Web Application Firewalls with various network capacities while FortiWeb protects web applications from attacks that focus on both unknown and known vulnerabilities.

Rapid7’s William Wu, The FortiWeb’s Security Assertion Markup Language (SAML) configuration page had a command injection flaw that gave access to attackers to insert arbitrary system commands in the web requests.

The commands would then be executed on the operating system that is running the FortiWeb as the root user.

What the proof of concept does is to explain how the vulnerability could be exploited by attackers simply by introducing a backtick and an arbitrary command to a Hypertext Transfer Protocol (HTTP) request.

Before an attacker can launch an attack, access needs to be obtained into the administrator’s credentials because the vulnerability can only be accessed by those authenticated.

Once the attacker compromises a device, he can capitalize on the vulnerability to control the affected device as much as he wants in an enabling environment. He can even install crypto-mining software, a persistent shell, or any other malicious software on the system.

Should the device’s management interface be exposed to the internet, the exploited platform could be used by an attacker to go beyond the secured boundary through the affected network.

Fortinet is expected to patch the bug in FortiWeb’s next version (6.4.1), which will be released very soon.

For now, administrators have been advised to make the device management interface of FortiWeb inaccessible to the general internet and more especially, untrusted networks.

Conclusively, direct internet exposure of management interfaces for devices such as the FortiWeb should be discouraged. Instead, they should be accessible only through a secure VPN connection or using trusted, internal networks.

A peer-to-peer botnet, Mozi, has been developed by attackers to achieve a lasting presence on network gateways and routers.

The Mozi malware which transmits to the Internet of Things (IoT) by using weak Telnet hash passwords and known vulnerabilities has been in existence for two years. It uses the infected devices to send spam and launch Denial of Service (DoS) attacks.

The modified Mozi botnet has been found by Microsoft’s security researchers to establish a lasting effect on networking gateways made by ZTE, Netgear, and Huawei.

Attackers use two methods; be-spoke and tailored methods to make sure malware infections persist even after a device reboots which confirms the Mozi botnet as an effective threat to Industrial Control Systems(ICS).

Using scanning tools, attackers can search for vulnerable devices, have them infected, fetch needed information, and move sideways to attack targets of higher value which includes critical Industrial Control System devices in the Operational Technology networks and Information Systems.

Attackers will have a firm grip on Operational Technology or enterprise, which enables deep penetration into targeted networks when routers are infected. The infection technique can sabotage the component system and can also be applied to plant ransomware in industrial plants.

When routers are infected, attackers can perform man-in-the-middle attacks through Hypertext Transfer Protocol (HTTP) hijacking and DNS spoofing to cause safety incidents in Operational Technology facilities, bring about endpoint compromise and ransomware deployment.

Some steps to be taken for safety are: making sure that devices are up-to-date and well patched and adopting the password security best practices for proper protection.

Following the disclosure by The Research Foundation for the State University of New York (SUNY) that unauthorized access to its network system was detected earlier this year, It has been discovered that personal information belonging to about 47,000 people has been exposed.

The actual identities of the victims have not been confirmed. Whether they are donors, employees, or some others who might be connected with the organizations in one way or the other.

However, the services of cybersecurity experts have been engaged to unravel the cause of the data breach, recover stolen files, and fix the loophole to prevent further threats and invasion.

The incident, which was discovered on the 14th of July was reported to involve the Social Security numbers of the victims. The appropriate authorities have been notified and efforts are in top gear to get to the root of the matter.

As a form of relief, a year of identity theft protection and credit monitoring services will be provided for thousands of individuals affected.

Also, the organization has put improved security infrastructures in place such as the deployment of response tools and endpoint protection, as well as a multi-factor authentication mechanism for the safety and security of its network.

Canadian immersive entertainment technology provider, D-Box, has announced its progressive recovery from a ransomware attack that partially disrupted many of its IT systems a few weeks ago.

It was reported that the major IT systems affected have been restored and the restoration process of the whole system function would be concluded soon.

The services of the Incidence response experts have been deployed to determine the extent of the cyber-attack and to ensure that the effect was limited to internal systems and that its theatre and studio operations and services were not affected.

D-Box has decided to delay the release of its latest quarterly financial results by one month to pass the stipulated deadline of August 14th.

A 40% increase in revenue ($3.1m) was made in the second quarter, which ended in June by the company that makes haptic seating for commercial theatres and home cinemas.

The chief executive/president of D-Box, Sebastien Mailhot, concluded that the financial effect of the cyber attack on the company is negligible compared to the increased returns made over the specific time frame.

D-Box said in its statement that it was not necessary to issue service updates or patches to partners due to the cyber assault, which is not being treated on this evidence as a software supply chain attack.

However, as a precaution, D-Box is giving its employees' identity theft prevention services free of charge for one year.

Following a controversial intellectual property lawsuit filed by the tech giant, Apple, against a virtualization software maker, Corellium, contending that it (Corellium) was replicating its operating system without permission. It has been confirmed that Apple has dropped the suit a few days before the commencement of the trial.
Corellium’s software technology allows security researchers to conveniently test for exploits and bugs through the creation of virtual iOS devices within one browser.
It also gives tech journalists the opportunity to run disposable instances of Signal or research stories into App Store security issues.

Corellium, whose technology had been on sale over a period of time before a lawsuit was instituted against it, said its software was similar to popular desktop virtualization tools from Virtual Box and VMWare.

However, Corellium has vividly debunked Apple’s claims of copyright infringement, saying the reason behind Apple’s filing of a suit against it was a result of its unsuccessful bid to acquire Corellium in the year 2018.

Apple’s legal action has raised concerns among security researchers and stakeholders in the security community.
They feel that it could hamper security research, while others see the lawsuit as another way that the tech giant, Apple, wants to exploit to take over control of the whole structure.

Apple’s case against Corellium was based on claims that it bypassed Apple’s security architectures which violates the controversial Digital Millennium Copyright Act (DMCA).

The United States District Judge, Rodney Smit, threw away Apple’s copyright infringement case instituted against Corellium in December, last year, but allowed the Digital Millenium Copyright Act (DMCA) part of its lawsuit to continue after he likened the legal proceedings instituted against corellium by Apple as confusing and insincere.

More than 93,000 unsuspecting users of fake cryptocurrency mining apps have been defrauded to the tune of $350,000. The victims were cleverly conned and made to purchase the apps, pay for fake subscriptions and upgrades through a process that appeared legitimate and convincing.
Researchers, who have been monitoring the performances and versatility of various cryptocurrency mining apps, have discovered about a hundred and seventy of such fraudulent Android applications which claimed to offer cloud crypto-mining services but never provided any. Instead, they lured their victims into paying for enticing offers that they would never have.

Though many of these fraudulent cryptocurrency mining apps can be found on third-party app stores, 25 of them that were available on the Google Play store have been removed.

Cryptocurrency mining controls computers’ processing power to verify cryptocurrency transactions by solving complex mathematical problems.

In this case, the unsuspecting victims were enticed by a promise of renting a cloud computing power through the apps and having a small cut of each verified transaction which later turned unrealistic.
What the apps do is to craftily collect money for non-existent services through the legitimate process without delivering the promised service.

Users pay between $12.99 and $259.99 for the virtual hardware through the in-app billing system of Google Play or with cryptocurrency transferred into the wallet of the fake app developers.


When users log in to use the apps, they are given a slowly incrementing, fictitious coin balance, which is only visible while the app is running and will automatically reset to zero when the app is restarted or the device is rebooted.

On the dashboard, a hash mining rate that is typically inexpensive is displayed to lure app users into purchasing upgrades that promise fast mining rates, everyday rewards, referral incentives, and other benefits.

Some CloudScam apps meet withdrawal attempts with an error message of ‘insufficient balance’, while ‘BitScam’ apps bar their users from withdrawing coins except they reach a minimum balance.
Attempts to withdraw beyond a minimum threshold will instantly trigger a message that falsely alerts a pending withdrawal and the resetting of the coin balance to zero.

Cryptocurrency will remain an avenue for cyber-fraudsters to feast on their unsuspecting victims despite the recent crash in Bitcoin and the Chinese crackdown on the crypto-mining which have greatly watered down the enthusiasm.
Moving forward, anyone that is interested in cryptocurrency services should be cautious of offers that are too enticing and beware of apps that are created to steal resources from people.

Researchers have warned that the vulnerability in the popular preprocessor language, Less.js , could be exploited to make remote code execution (RCE) against websites that permit users to input Less.js code.
Less.js converts the source code of a language to valid CSS code and is then applied to facilitate the writing of CSS for websites.
The Less.js library supports plugins which can be included in the less code directly, using the @plugin suntax from a remote source.

Since Plugins are written in JavaScript, any included plugins will execute when the Less code is interpreted.
This feature is what can expose a user to a remote attack. Canadian infosec firm researchers, Software Secured, stated.
If the Less code is processed on the side of the client, it gets to (XSS) cross-site scripting but processed on the server-side which leads to RCE.
All Less version which support the @plugin syntax are exposed to attack, the researchers concluded.
To create web code snippets that support standard languages and Less.js., researchers looked at a website called CodePen.io .
The researchers launched their Proof of Concept against the website and by that action, leaked their AWS secret keys and were able to run unrestricted commands in their AWS Lambdas.
The vulnerability to a remote attack was reported to CodePen.io, and subsequently, the bug was fixed.
Jeremy Buis, a software security researcher and content writer, said the vulnerability of Less.js requires certain conditions to be successfully carried out.
He said a clear sample of a vulnerable situation can be a feature that allows custom styling through Less code from a user. The application can be exploited when the Less.js is in a vulnerable configuration.
Buis further stated that the bug has not been patched and people have known about the backtick feature. There is a configuration to mitigate it in latest versions.
Buis advised users of Less.js to lower the risks by allowing regular CSS use, in lieu of Less code.
If it becomes necessary, to avoid the threat of RCE and SSRF attacks, the Less code must be transpiled on the client-side . In addition, to cushion the treat of XSS, update to a recent version where JavaScript based backtick execution is off by default. Fork the Less library and remove the support of @plugin syntax.

In its quest to further protect users from the high-impact web attacks, Mozilla has announced that Firefox, now supports Fetch Metadata request headers.
The headers are designed to provide extra security information to the web servers that can help determine whether to allow or block requests.  They allow users to deploy a strong defense-in-depth mechanism known as Resource Isolation Policy, which not only helps shield users from potentially harmful attacks but can also assist web servers to distinguish between same-origin and cross-site requests.

In its quest to further protect users from the high-impact web attacks, Mozilla has announced that Firefox, now supports Fetch Metadata request headers.
The headers are designed to provide extra security information to the web servers that can help determine whether to allow or block requests.  They allow users to deploy a strong defense-in-depth mechanism known as Resource Isolation Policy, which not only helps shield users from potentially harmful attacks but can also assist web servers to distinguish between same-origin and cross-site requests.
The new version of the popular browser, Firefox 90, which was launched and made available to all users on the 13th of July, 2021, is the latest to have the Google-developed privacy feature.
Firefox 90 will feature four different headers namely: Mode, Dest, Site, and User which protect users through web applications against various cross-origin threats, including cross-site leaks (XL-Leaks), cross-site request forgery (CSRF), and specter-style side-channel attacks.
Fetch Metadata request headers were first introduced in Chrome76 in July, the year 2019. They are readily available for Opera and Edge, which are based also on the open-source chromium framework.

New research reveals that security lapses discovered in an online text editor, Etherpad, can expose victims’ servers and make them prone to cyber-attacks. The defects can allow attackers to compromise the server of their victims and steal sensitive information from them at a remote distance.
A cross-site scripting flaw (XSS) can enable attackers to create a pad or a maleficent shared document, that programs the attacker-controlled code in the browser of the victim, paving way for hackers to create, read, or modify data.

The second found vulnerability is the argument injection bug. This allows attackers with administrative access, to program arbitrary code on the server of their victims by installing plugins from a URL that is in their control. The vulnerability of argument injection can be exploited only if an admin account exists, which, of course, is not the case in a default configuration.
The two vulnerabilities, CVE-2021-34816 and CVE-2021-34817, which were categorized as critical, could be merged by attackers to remotely compromise a server.
The vulnerability of XSS has been fixed in version 1.8.14 of Etherpad. The vulnerability of argument injection is yet to be fixed, but the researchers that discovered the error claimed it is significantly difficult to exploit on its own.
The vulnerability could be abused if the account of the administrator is compromised. That could be achieved either through the exploitation of the XSS vulnerability or by other means.
As reliably gathered, the open text editor, Etherpad, has more than 250 available plugins, features a version history and chat functionality. It is popular, especially within the community of open source, and has been bookmarked over 10,000 times by users.
Paul Gerste, a researcher of vulnerability at SonarSource, a Switzerland-based developer of DevSecOps tools, discovered the security issues. He submitted that the vulnerabilities are critical when chained, but the exploitation has some limitations.
He further posited that instances with a default configuration are vulnerable and the attacker must be able to import a pad. If the Etherpad instance is accessible publicly and has no restriction on pad creation, then, it is vulnerable. Attackers who already have access to a pad could increase their privileges by targeting other users.
Since plugins can be published through NPM, attackers can always find a way to initiate malicious code. Therefore, admins must always be careful about which plugins they install.

Eight members of a criminal gang who defrauded some shoppers online to the tune of €2 million (about $2.4 million) have been apprehended by the Greek and Romanian police.
A cash sum of €220,000 (about $261,000), cell phones, and travel documents were also seized by the authorities during the sting operation which took place in 30 different locations. The operation was coordinated by the Eurojust, the European Union agency that facilitates cross-border cooperation in criminal cases.

The news of the arrests broke on the 8th of July (the same day Interpol concluded its yearly conference) which focused on ‘‘National Central Bureaus’’,that serves as the bridge between the organization and frontline police globally.
At the event, senior police officials from the 167 Interpol member countries talked about the expansion of Interpol’s secure network communications to border control agencies and national police, as well as the threat from the rapidly increasing ransomware.
The arrests came after two arrests were made in June in another Eurojust-backed operation linked to the same criminal gang’s involvement in an online fraud that was aimed at the Dutch housing market.
The criminals deployed phishing scams to swindle their victims and made them pay for what they perceived were real goods and services through legitimate websites, which included about €50,000 ($59,000) worth of vehicles through Amazon, eBay, and then, accommodation via Airbnb.
The gang set up at least 300 bank accounts with forged identity documents, in some European countries like Spain, Hungary, Poland, Netherlands, and Germany where they intended to keep their proceeds.
One the methods the criminals used to attract their unsuspecting victims was to arrange deceptive advertisements using companies perceived to be truly existing in the public space.
Asides stealing cash, the social engineering attack infected the devices of victims with a malware and captured their financial details which included bank account and credit card numbers, and other personal information that are sensitive. The data fetched through deceptive means were shared among the criminal network.
The method to be adopted in the global response to the ransomware threat is important. It has to be the one that will be trustworthy, increase rapid operational assistance to law enforcement agencies and see the effective and efficient exchange of data.

Technology powerhouse, Microsoft, has awarded the sum of $13.6 million to security researchers under its bug bounty program in the past 52 weeks.
The tech giant, which runs various technology-based programs under its coordinated vulnerability disclosure (CVD) program, disclosed the figure through a news medium. It announced it gave out Its single highest reward for the discovery of vulnerabilities in its Hyper V program, which was a whopping $200,000.

In the previous year, security researchers netted an average of $10k per report Microsoft revealed.
340 security researchers from 58 countries were rewarded. Microsoft further disclosed that 1,200 of the reports the researchers published and that it received qualified for a payout.
The tech giant said the sheer volume of reports shows the level of creativity and talent of the global security research community and their invaluable collaboration and contribution in seeking solutions to the challenges of an ever-changing security environment.
The company made it known that it is constantly studying the threat landscape to make necessary changes to the program and respond.
Microsoft has announced that as part of its plan for the year running 2021, it has introduced new challenges and scenarios to reward research that will have the highest impact on customer security.
The area of focus has helped to discover and fix risks attached to customer security and privacy, and in reward, gave researchers top awards for their impactful work and contribution. The tech giant stated.

Project maintainers have warned that A Hypertext Transfer Protocol (HTTP) request smuggling vulnerability in Apache Tomcat, has been present since 2015. The Apache Tomcat maintainers revealed that the vulnerability was discovered in multiple versions of the software.
Apache Tomcat is a free and open-source Java servlet container that is well-maintained by the Apache Software Foundation.

The Hypertext Transfer Protocol Transfer (HTTP) encoding request header, was not accurately parsed by the Apache Tomcat, which led to the possibility of requesting smuggling when it was used with a reverse proxy. 
It will ignore the transfer-encoding header if the client declares it will only receive a Hypertext Transfer Protocol (HTTP) /1.0 response. Apache Tomcat respects the identity encoding and does not admit the chunked encoding is always the final encoding if present. The vulnerability has been present in the Tomcat codebase since the year 2015.
It might have been present before that time, but that is the earliest release of the versions currently supported. The committee that works with volunteers-staff is not interested in unsupported, older versions.
The Hypertext Transfer Protocol (HTTP) request smuggling is a hacking method that can be used to disrupt the way a website processes sequences of HTTP requests received from one or multiple users.
Attackers can bypass the security structure, secure unauthorized access to sensitive data, and compromise other users of the application in case of request smuggling vulnerabilities.
Though a CVSS score is yet to be assigned, the security team of Tomcat rated it as important on a level of low, moderate, important, and/or critical.
Those patches were made public on the 8th of June, even though the public announcement was halted until the 12th of July, because certain versions possessed a significant regression of the processing of JSP.
Those who use the affected versions are expected to upgrade to Apache Tomcat 10.0.7 or later, or 8.5.68 or later, or 9.0.48 or later. The issue was fixed in 9.0.47 and 8.5.67 but release votes for those highlighted versions did not pass.

A bug bounty program initiated by The decentralized finance (DeFi) protocol, Yearn Finance, has been instituted in association with Immunefi.
Launched on 1st of July 2021, the program is expected to pay out between $5,000-$20,000 for high severity flaws and $20,000 and $200,000 for critical vulnerabilities.
Yearn Finance is made up of a cryptocurrency (called YFI) and DeFi products that offer yield generation and lending aggregation on the Ethereum blockchain. The protocol is governed by YFI holders and supervised by independent developers.

White hats are called to find bugs in Yearn Finance’s applications, web domains, and smart contracts, basically to protect users from hacks that could result in stealing of funds.
Cryptography, Logic, Re-entrancy, Encryption, and randomness flaws are vulnerabilities to take into consideration.
It is of interest to Yearn Finance that bug hunters could help protect users from flash loan attacks, the vector by which its yDAI vault was broken into in February, resulting in losses worth $11 million.
The YFI’s value appreciated by over 220 percent in the year 2020 and up till 12th of May, when it peaked at a record high of $95k. Now, YFI is about $35k worth with 36k coins in circulation.
In recent years, The DeFi community has been recording an increasing number of scams, cyber-attacks, and frauds.
Between the months of January and April of the year 2021 alone, about $156 million was stolen from DeFi protocols, more than the total amount stolen in the whole of 2020, according to a report from CipherTrace, a blockchain analytics firm.

The CEO and founder of Immunefi CEO, Mitchell Amador, said the vulnerabilities in smart contracts show a possibility of a direct loss of funds. This means companies must come up with the most cost-effective way of ensuring their safety. Launching of bug bounty programs is one thing to consider, and we are happy to see more companies follow suit.
Immunefi hosts bug bounty programs for smart contract projects and blockchain like BadgerDAO, SushiSwap and yAxis, and says its clients collectively safeguard user funds in the neighborhood of $25 billion.
Since its official launch in December 2020, the platform has confirmed it paid out over $3 million in bounties.

The renowned cryptocurrency exchange platform, Binance, has explained how they were able to track down money laundering syndicates involved in series of cybercrime activities, especially ransomware scams.
The Police in Ukraine made a public announcement of the clampdown on some persons and infrastructure linked to the notorious Clop ransomware operation a few weeks ago.
Those arrested, Binance claimed, were involved in laundering and cashing out funds as against being behind Ransomware creation.

FANCYCAT, as the group is called, was involved in many criminal scams, including money laundering for operators of the dark web and ransomware peddlers.
As in the case of drug dealers, criminally extracted funds like ransomware would have to be disguised before they could be spent safely in the real world to purchase goods. This is so because funds linked to criminal activities can be targeted for order forfeiture. If the money to be laundered is in digital form, one major fraudulent strategy they use is abusing exchanges.
The Blockchain analysis reveals that there is a connection of money launders domiciled in some macro exchanges that withdraw and make deposits to one another to wash the money. According to Binance, One typical example of such an exchange is a crypto exchange platform located on Cayman Island.
Based on these findings, Binance had to apply fraud detection mechanisms to identify and clamp down on suspects' accounts before collaborating with the law enforcement agencies to build cases, open discreet investigation and nab criminal groups.
As further explained by Binance, 2 lengthy approaches were initiated in the investigation of the FANCYCAT group. Our AML analytics and detection program detected suspicious activities on our website, Binance.com, and further expanded the suspect links. Once the complete suspect links were mapped out, we collaborated with chain analytics companies Crystal and TRM Labs to carefully analyze on-chain activities and have a better knowledge of how this group operates.
Based on the findings, we discovered this specific group wasn’t only involved in Clop attack funds laundering, but also Petya and other funds sourced illegitimately. However, this led to the clear identification and eventual arrest of the FANCYCAT group.
The investigation is still ongoing with the criminal syndicate, FANCYCAT, across many jurisdictions and the networks related to other cyber attacks.
A few months back, Binance opened a case study showing how it collaborated with the Cyber Police in Ukraine to nab a notorious cybercriminal group on the laundering of over $42m of illegal funds in a separate investigation.
For some regulators who are concerned about tax evasion in cryptocurrency exchanges, the campaign against money laundering is yet to yield the desired results.
Reports confirmed the United Kingdom’s Financial Conduct Authority, ordered Binance to stop all cryptocurrency activities in the United Kingdom. The selling and buying of cryptocurrencies are not regulated in the United Kingdom. However, trading in derivatives is under control and this is where the activities of Binance Markets are focused. This has brought the whole company a regrettable sanction.

A suspect, who was involved in various cybercrime activities, has been arrested by the Moroccan police. His targets were customers of Telecommunication companies, French Bank customers, and contacts of many multinational organizations.
The suspect, who operated under Dr. HeX's identity, hijacked thousands of victims through phishing scams and credit cards. He was accused of deforming the websites of many corporate firms and launching malware campaigns against corporate networks of French-speaking communications organizations, various multinational companies, and many banks.

Moreover, the suspect had to develop phishing and carding kits which they later sold to would-be cybercriminals through forums online.
The arrest of the criminal suspect in May by the Moroccan police was facilitated by the Cybersecurity company, Group-IB, based on cybercrime threat intelligence.
The arrest was a milestone in a 2-year investigation.
The cybersecurity company says the starting point in its research to capture and deanonymize the alleged cybercriminal was the extraction of a tool used to conduct social engineering campaigns and to create phishing web pages exploiting the brand of a Big French bank.
Scripts contained in the phishing kit are scripts like Dr. HeX as its creator’s handle, and the email address of a contact that was reused across the web for other purposes, going by the statement issued by Group-IB on its investigation.
The email used in the phishing kit made Group-IB threat intelligence analysts locate the YouTube channel of the alleged attacker who signed up with the same name; Dr. HeX. Also, The Group-IB researchers were able to record another name connected to the cybercriminal, through the link left in the description to one of his uploaded videos, pointing to an Arabic crowdfunding platform.
The name, according to the data analysis of DNS, was used to register a minimum of 2 domains created using the email fetched from the phishing kit.
With the application of its graph network analysis technology (Patented), a cybersecurity company, Group-IB’s researchers have built a network graph based on the email address fetched from the phishing kit, which exposed other elements of the hacker’s infrastructure sourced by him in several campaigns together with his pages.
A total of 5 email addresses linked with the accused were identified, along with 6 pet names, and his social media accounts on Facebook, Skype, YouTube, and Instagram. The suspect was involved in the attacks on about 134 websites from the year 2009 to 2018.
Further analysis revealed the suspect’s links with other malicious activities, including posts on several hidden or low profile forums related to the malware development. It was also discovered that Dr. HeX was directly involved in many attacks on big French corporations to steal customer’s bank card details.
To eventually locate and apprehend the suspect, Interpol’s Cybercrime Directorate, worked in collaboration with Group-IB and the Police in Morocco to locate and nab the suspect whose investigation is ongoing.
A few weeks ago, Interpol launched a new desk for new cyber operations to boost the capacity of about 49 African countries in fighting cybercrime. It says; the new desk will certainly drive joint operations support and intelligence-led coordinated actions against cybercriminals.