The Good
A court in Dublin, Ireland, has sentenced two cyber criminals, Daniel Almajanu, 35, and his aid Albert Gimy Linul, 29, to four and three years in prison, respectively. The two were a part of a gang that ran a carding operation, stealing credit card details and manufacturing counterfeit cards. Using a skimmer, they collected card details from more than 1000 people at several UK bank outlets as well as the London Underground. Then they embedded these on empty plastic cards using a card writer.
Once ready, they set out to test the cards at various shops around Dublin, buying goods such as cigarettes and liquor, which they then sold on. They were caught in a Dublin pub after raising the suspicions of local police officers. They were found to be carrying 65 counterfeit cards between them, which led to the police searching their homes and seizing a laptop containing stolen data that had the potential to yield up to €5m.
After the arrest, it was discovered that the two were a part of a larger Romanian cyber criminal gang and are wanted by the Belgian, UK and Romanian police forces as well as Europol. Authorities are investigating the gang not only for credit card fraud but also to links with human trafficking, money laundering and prostitution.
The Bad
The SolarWinds hack continues to unfold in several different directions. First, Reuters disclosed this week that it was not only Russian APTs that piggy-backed on the software products made by the company but also Chinese hackers. It now seems that Chinese cyberspies exploited a flaw in the software made by SolarWinds to help themselves compromise U.S. government computers last year.
The vulnerability exploited was different from the one used by Russian hackers to break into numerous organizations throughout the majority of 2020. The flaw was used to breach the National Finance Center, a federal payroll agency, potentially exposing data belonging to thousands of government employees, including staff at the Department of Homeland Security.
Meanwhile, as for SolarWinds Orion, the software originally used as an entry point by Russian hackers, it was announced this week that three new vulnerabilities had been identified and patched. Discovered by researchers at Trustwave’s SpiderLabs unit, the bugs have been assigned CVEs 2021-25274, 2021-25275 and CVE-2021-25276. The most critical, CVE-2021-25276 in SolarWinds Serv-U FTP for Windows, allows remote code execution with high privileges. There is no evidence at present that any of the vulnerabilities have been actively exploited in the wild, but admins and users are advised to update at the earliest opportunity.
SolarWinds have also said that they have managed to identify the original source of the breach. CEO Sudhakar Ramakrishna announced this week that “suspicious activity” in SolarWinds’ Office 365 environment allowed hackers to gain access to and exploit the Orion development environment. It is unclear weather the attackers penetrated the company’s environment through compromised credentials or through a third-party application that capitalized on a zero-day vulnerability. In the latter case, that would make it one of the most sophisticated supply chain attacks in history: hacking a 3rd party vendor to hack SolarWinds to hack other U.S. companies and government agencies.
The Ugly
Over three million customers of a U.S. car company have had their details stolen after a cyber criminal posted them to a dark web forum, reports Infosecurity magazine. The data was stolen from DriveSure, a car dealership service provider focused on employee training programs and customer retention (also known as Krex, Inc) back in December. The data included names, home and email addresses, phone numbers, car and damage details, text and email messages with dealerships.
Security reserachers from Risk Based Security said that nearly 30GB of data had been stolen, including the company’s MySQL databases, logs and backups of their databases, and some 3.3 million email addresses. The leak contains many .mil
and .gov
email addresses, and more than 5000 addresses from more than a hundred leading corporations, which makes it a very lucrative haul for threat actors.
The data can be used for anything from nation-state spearphishing operations, malware and ransomware campaigns and even simpler insurance fraud schemes. The PIIs leaked in this breach could be exploited to break into bank and email accounts, resulting in additional collateral damage to DriveSure clients. For their part, DriveSure responded promptly to Risk Based Security and are said to be investigating the incident.