Operation Checkmate seized the BlackSuit ransomware sites

US sanctions three DPRK officials involved in worker schemes, AZ woman sentenced to 8+ years for hosting DPRK laptop farm, Plankey promises to pitch for more CISA funding, UK student sentenced to 7 years for distributing phishing kits, Hackers stole info from CIA spy satellite arm, much more

A Special Request

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.

The US Justice Department confirmed that in a court-authorized operation, law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.

The websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang's sites were taken down by the US Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.

"This site has been seized by US Homeland Security Investigations as part of a coordinated international law enforcement investigation," the banner reads.

The seized sites include the dark web data leak blogs and negotiation sites used to extort victims into paying a ransom demand.

Other law enforcement authorities that joined this joint operation include the US Secret Service, the Dutch National Police, the German State Criminal Police Office, the UK National Crime Agency, the Frankfurt General Prosecutor's Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others.

Romanian cybersecurity company Bitdefender was also involved in the action.

The Cisco Talos threat intelligence research group reported that it had found evidence suggesting the BlackSuit ransomware gang is likely to rebrand itself once again as Chaos ransomware.

"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the researchers said.

"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks." (Sergiu Gatlan / Bleeping Computer)

Related: Cisco Talos, DataBreaches.net, Infosecurity Magazine

Source: Cisco Talos.

The US Treasury Department sanctioned Kim Se Un, Jo Kyong Hun, and Myong Chol Min, three senior North Korean officials involved in IT schemes.

They are accused of helping North Korea evade US and United Nations sanctions through an IT worker plot that involved tricking companies into hiring North Koreans using stolen identities.

US law enforcement action centered on Korea Sobaeksu Trading Company, a North Korean company allegedly used as a front for the country’s Munitions Industry Department, which oversees the DPRK’s nuclear program and is involved in the development of ballistic missiles.

North Korean officials ran the IT worker scheme through the company and used it to operate in Vietnam as well as other countries. US officials added that Sobaeksu “has been involved in nuclear procurement activities on behalf of the Munitions Industry Department.”

Kim Se Un is a representative of the company and helps run subordinate companies in Vietnam. The State Department said it authorized a reward offer up to $3 million for information leading to Kim Se’s arrest or conviction.

Jo Kyong Hun, an associate of Kim Se, was also sanctioned and is accused of being a team leader among the IT workers, helping generate revenue for Pyongyang through cryptocurrency and other projects.

The Treasury Department included another Kim Se subordinate, Myong Chol Min, in the sanctions, writing that in addition to facilitating the IT worker scheme, he tried to import tobacco and other products into North Korea. A $3 million bounty for his whereabouts was announced as well. (Jonathan Greig / The Record)

Related: US State Department, IC3.gov News, Fortune, US Department of Justice, Politico, Export Compliance Daily, Caliber, Yonhap News Agency, Censor.net, RBC-Ukraine

Source: US State Department.

Arizona woman Christina Chapman was sentenced to more than eight years in prison for hosting a so-called laptop farm that enabled North Korean cyber operatives to pose as remote IT workers at more than 300 US companies.

The sentence is one of the largest handed down to a US national for their role in the scheme, which has brought in hundreds of millions of dollars for the North Korean regime.

She was sentenced in the US District Court after pleading guilty earlier this year in Washington, DC, to charges including wire fraud, identity theft, and money laundering. Chapman was also ordered to turn over around $284,000 in funds earned by these North Koreans and pay an additional fine of more than $175,000.

Chapman was involved in an operation that, according to the Justice Department, made in total more than $17 million for the North Korean regime between 2020 and 2023. Chapman oversaw at least 90 laptops at her home, sent by unsuspecting US firms that were duped into hiring North Koreans as remote employees.

These North Korean nationals used stolen identities of real US citizens in carrying out the scheme. (Maggie Miller / Politico)

Related: Justice Department, Washington Post, AZFamily, WJLA, BBC News, The Wall Street Journal, UPI

Sean Plankey, Donald Trump’s pick to head the Cybersecurity and Infrastructure Security Agency (CISA), told lawmakers in a Senate nominations hearing that, despite the significant cuts CISA has experienced in recent months, he can get the funding it needs to protect the American public.

Sen. Gary Peters (D-MI), the ranking member on the Senate Homeland Security Committee, focused much of his questioning on funding and workforce cuts to the cybersecurity agency that Plankey would oversee.

“Cyberattacks are one of the most significant national security threats our nation faces, and I’m extremely concerned by this administration's actions that are undercutting CISA’s capacity to defend our nation,” Peters said.

Plankey said he would request additional funding from DHS Secretary Kristi Noem if he finds the agency’s budget insufficient to defend the US critical infrastructure from mounting threats, including those from China.

“I have no doubt, if I go to her and tell [Noem], we’re driving in this direction to protect the American public, she’ll work under the president's leadership to then work with Congress to get us the funds we need,” Plankey said.

Plankey also committed to working to renew the Cybersecurity Information Sharing Act of 2015, a backbone cyber information-sharing law that lets the private sector send threat intelligence to government partners with legal protections in place. It’s set to lapse Sept. 30.

He echoed that support for the State and Local Cybersecurity Grant program, set to lapse the same day.

Plankey stands a strong chance of his nomination passing to the larger Senate vote, but still could face a hurdle from Sen. Ron Wyden, D-Ore., who previously stated his intent to block Plankey’s nomination and only lift the hold once CISA releases a 2022 report on telecom industry security vulnerabilities. (David DiMolfetta / NextGov/FCW)

Related: Cyberscoop, The Record, Meritalk, Data Breach Today, Politico

Ollie Holman, a 21-year-old UK student who designed and distributed phishing kits linked to £100 million (around $135 million) worth of fraud, has been jailed for seven years.

The kits he created mimicked government, bank, and charity websites so that criminals could harvest victims’ personal information to defraud them.

In one case, a kit was used to mimic a charity’s donation webpage, so when someone tried to give money, their card details were taken and used by criminals.

Holman, of Eastcote in north-west London, created and supplied 1,052 phishing kits that targeted 69 organisations across 24 countries. He also offered tutorials on how to use the kits and built up a network of almost 700 connections. The fake websites supplied in the kits had features that allowed information such as login and bank details to be stored.

It is estimated that Holman received £300,000 from selling the kits between 2021 and 2023. The kits were distributed through the encrypted messaging service Telegram.

Holman, who was studying electronic and computer engineering at the University of Kent in Canterbury, laundered the money he received through cryptocurrency wallets. (Shane Hickey / The Guardian)

Related: Slashdot, Security Week

Unidentified hackers recently compromised a major intelligence website, the Acquisition Research Center website, used by the CIA and other agencies to submit details of sensitive contracts, according to the National Reconnaissance Office (NRO), the spy satellite service that runs the site.

An NRO spokesperson said, “We can confirm that an incident involving our unclassified Acquisition Research Center website is currently being investigated by federal law enforcement. We do not comment on ongoing investigations.”

The extent of the breach is not fully known, but people familiar with the activity said hackers likely obtained information on key technologies for CIA operations.

Other potential areas of compromise could include the Space Force, its efforts to build surveillance satellites and space weapons, and the Golden Dome missile defense program.

Data from one highly sensitive program, Digital Hammer, was compromised, said people familiar with the hacking.

Digital Hammer compiles cutting-edge technologies for human intelligence gathering, surveillance, and counterintelligence operations. The program focuses on the threat of Chinese intelligence and information operations.

Digital Hammer is a closely guarded program working to develop open-source intelligence platforms, analytics, and items such as miniaturized sensors and hidden surveillance tools.

L.J. Eads, a former Air Force intelligence officer, said China would gain much from obtaining intellectual property on Digital Hammer, especially technologies designed in partnership with or directly for the intelligence community.

“This wasn’t a breach of opportunity,” said Mr. Eads, founder of Data Abyss. “Given the sensitivity and exclusivity of the Digital Hammer program, this compromise almost certainly points to a state-sponsored actor, likely China.” (Bill Gertz / Washington Times)

A phishing campaign that was targeted at a transportation company executive points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.

According to Unit 42, the domains involved in the effort are the handiwork of a vast cybercrime group based in Nigeria that it dubbed “SilverTerrier” in 2014.

Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by Interpol. In 2022, Interpol and the Nigeria Police Force arrested 11 alleged SilverTerrier members, including a prominent SilverTerrier leader who’d been flaunting his wealth on social media for years.

Palo Alto has published a list of recommendations that organizations can adopt to minimize the incidence and impact of BEC attacks. Many of those tips are prophylactic, such as conducting regular employee security training and reviewing network security policies. (Brian Krebs / Krebs on Security)

Related: Palo Alto Networks

Starting today, millions of adults trying to access pornography in the United Kingdom will be required to prove that they are over the age of 18.

Under sweeping new online child safety laws coming into force, self-reporting checkboxes that allow anyone to claim adulthood on porn websites will be replaced by age-estimating face scans, ID document uploads, credit card checks, and more.

Some of the biggest porn websites—including Pornhub and YouPorn—have said that they will comply with the new rules. And social media sites like BlueSky, Reddit, Discord, Grindr, and X are introducing UK age checks to block children from seeing harmful content.

Protecting children online is a consequential and urgent issue, but privacy and human rights advocates have long warned that, while they may be well-intentioned, age checks introduce a range of speech and surveillance issues that could ultimately snowball online.

“Age verification impedes people’s ability to anonymously access information online,” says Riana Pfefferkorn, a policy researcher at Stanford University.

Proponents of age verification say that it is possible to minimize data collection. Third-party providers can limit the personal information that is shared with individual sites conducting age verification. And, particularly, these third parties can use what are known as authentication tokens, so people can confirm their age once and then produce this credential across multiple sites and providers as verification. (Matt Burgess and Lily Hay Newman / Wired)

Related: The Independent, The Conversation

The Indian Express reported that the Indian Council of Agricultural Research (ICAR) suffered a significant data breach in April, which led to the loss of “crucial data” including details on recruitment and research projects.

The report added that ICAR formed a six-member committee this month to look into why the Data Centre (DC) and Disaster Recovery Centre (DRC) stopped working. The committee has been asked to give suggestions on how to improve data security and make sure such incidents don’t happen again. One of the members told The Indian Express that the committee has not held its first meeting yet, even though it has been asked to submit its report by July 31.

According to IE, the ICAR’s website was hacked, which impacted its Delhi servers and the replication server at the National Academy of Agricultural Research Management (NAARM) in Hyderabad.

The report noted that data had gone missing covering recruitment details for roles from Technical Officers up to Deputy Directors General (DDG), along with job applications collected last year. It also included information on numerous projects, related submissions by scientists stored in online repositories, and email correspondence. (Financial Express)

Related: The Indian Express, Greater Kashmir, The Wire India

An online meeting of the New Jersey Election Law Enforcement Commission to discuss who would host New Jersey’s gubernatorial debates this fall ended abruptly after a hacker interrupted with racist comments and pornographic videos.

The commission scheduled the meeting to hear from media companies and other partners seeking to sponsor the debates. A variety of noises had marred the meeting before the disruption occurred.

“Internet hackers perpetrated a vile and shocking breach of public trust,” the commission said in a statement. “ELEC ended the meeting as quickly as possible and offers its apologies to all who witnessed the attack.”

The commission notified the governor’s office and the state attorney general’s office about the disruption and said it is seeking a full investigation into the incident. Officials said they will reschedule the meeting about who will host the two debates for gubernatorial candidates and one for the lieutenant governor hopefuls. (Associated Press)

Related: New York Daily News, Politico, NJ.com

Researchers from AquaSec report that a new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory.

They describe Koske as "a sophisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks.

Koske’s purpose is to deploy CPU and GPU-optimized cryptocurrency miners that use the host’s computational resources to mine over 18 distinct coins.

AquaSec identified Serbia-based IP addresses used in the attacks, Serbian phrases in the scripts, and Slovak language in the GitHub repository hosting the miners, but it could make no confident attribution. (Bill Toulas / Bleeping Computer)

Related: AquaSec, BetaNews, Security Affairs

Source: AquaSec.

Crypto trading platform Woo X paused withdrawal services after a cybersecurity breach affected several accounts, leading to $14 million in losses.

Nine user accounts experienced “unauthorized withdrawals,” the Woo X team said. The team added that the incident has since been contained. (Vince Quill / Cointelegraph)

Related: CoinCentral, Protos, BeInCrypto, Cryptopolitan, Bloomingbit, AInvest

The recent attacks exploiting the vulnerabilities in several versions of Microsoft’s SharePoint software are just the latest in a string of lapses by the technology giant that have benefited China’s vast and global cyber-espionage operations, a top US national security threat.

Last year, the Department of Homeland Security released a scathing report detailing Microsoft’s mistakes during a 2023 hack in which China stole thousands of emails from top government officials. Two years before that, China-linked cyberattackers compromised more than 250,000 Microsoft Exchange servers.

“They are too big to keep failing like this,” said Jeff Greene, a former top US cybersecurity official who helped write last year’s withering report on Microsoft’s missteps. “While I credit them for leaning into security after our report, they need to do better—and show publicly how they’re doing better.” (Robert McMillan and Dustin Volz / Wall Street Journal)

Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director Paula M. Stannard has announced OCR’s 18th HIPAA penalty of the year, assessing a $250,000 penalty on the plastic surgery practice Specialty Surgery Center of Central New York (referred to below as Syracuse ASC), a single-facility ambulatory surgery center in Liverpool, New York.

OCR launched an investigation of Syracuse ASC after receiving a data breach notification report on October 14, 2021, about a hacking incident involving unauthorized access to the protected health information of 24,891 current and former patients. A threat actor had access to its network from March 14, 2021, through March 31, 2021, and potentially obtained names, dates of birth, Social Security numbers, financial information, and clinical treatment information. OCR’s investigation confirmed that this was a ransomware attack involving PYSA ransomware.

OCR’s investigation uncovered no evidence to suggest that Syracuse ASC had ever conducted a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, as required by the HIPAA Security Rule – 45 C.F.R. §164.308(a)(1)(ii)(A). OCR also determined that Syracuse ASC had failed to issue timely notifications to the HHS Secretary and the affected individuals. (Steve Alder / HIPAA Journal)

Related: HHS, BankInfoSecurity

Researchers at Dr. Web have detailed a malware campaign involving a new family of trojans called Scavenger Trojan, which are carefully structured to abuse a vulnerability in how Windows loads certain components.

The attackers used this to infect targeted systems and extract sensitive information, especially from crypto wallets and password managers.

In researching a targeted attack on a Russian enterprise, Dr. Web noticed the attackers were taking advantage of DLL Search Order Hijacking.

This method lets malicious files get into software by posing as legitimate components. The trick is placing a fake DLL in the same folder as the target application: because Windows searches an application’s own directory before the system directories, the fake DLL takes priority over the real system version. Once launched, the fake file runs as if it were part of the original app, giving it access to everything the app can reach.
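As an added defender-side illustration (not code from Dr. Web or from the HackRead article), the following Python script audits an application directory for DLLs whose file names collide with DLLs in a system directory, which is the precondition for the search-order hijacking described above. All directories and file names in it are constructed stand-ins.

```python
import os
import tempfile
from pathlib import Path

# Added example (not from Dr. Web's report): a simple audit for DLL
# search-order hijacking. Because an application's own directory is searched
# before the Windows system directories, a DLL dropped beside an .exe that
# shares its name with a system DLL is a hijack candidate. Names listed in
# KnownDLLs are always loaded from the system directory, so this heuristic
# can over-report for those; treat hits as leads to verify (signature, hash,
# vendor), not as proof of infection.

def system_dll_names(system_dirs):
    """Collect lower-cased DLL file names found in the given system dirs."""
    names = set()
    for d in system_dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for f in p.iterdir():
            if f.is_file() and f.suffix.lower() == ".dll":
                names.add(f.name.lower())
    return names

def find_shadowed_dlls(app_root, system_dirs, allowlist=()):
    """Return sorted (path, dll_name) pairs for DLLs that sit in a directory
    containing an executable and whose name matches a system DLL, skipping
    names the operator has explicitly allow-listed."""
    sys_names = system_dll_names(system_dirs)
    allow = {a.lower() for a in allowlist}
    hits = []
    for root, _dirs, files in os.walk(app_root):
        if not any(f.lower().endswith(".exe") for f in files):
            continue  # only directories that host an executable matter
        for f in files:
            name = f.lower()
            if name.endswith(".dll") and name in sys_names and name not in allow:
                hits.append((os.path.join(root, f), name))
    return sorted(hits)

def demo():
    """Build a constructed directory layout in a temp folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp, "System32")
        sysdir.mkdir()
        for n in ("version.dll", "cryptbase.dll", "kernel32.dll"):
            (sysdir / n).write_bytes(b"MZ")  # constructed stand-in files
        app = Path(tmp, "Program Files", "SampleApp")
        app.mkdir(parents=True)
        (app / "sampleapp.exe").write_bytes(b"MZ")
        (app / "version.dll").write_bytes(b"MZ")           # collides with System32
        (app / "sampleapp_helper.dll").write_bytes(b"MZ")  # app-specific, ignored
        return [name for _path, name in find_shadowed_dlls(app, [sysdir])]

if __name__ == "__main__":
    print(demo())  # ['version.dll']
```

On a real host you would point `find_shadowed_dlls` at a Program Files tree and pass the actual System32 and SysWOW64 directories, then verify each hit's publisher signature before acting on it.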

According to Dr. Web’s report, after adding protection against this technique to their antivirus suite, the company began collecting telemetry data. That’s when they noticed some users were being served unknown malicious files through their browsers.

This led the researchers to the discovery of the Trojan.Scavenger campaign. It later became clear that attackers were distributing this malware in multiple stages and using various bait methods like game patches and cheats to lure victims into running it. (Waqas / HackRead)

Related: Dr. Web

Open source security and compliance startup HeroDevs announced it had received a $125 million strategic growth investment from PSG.

Existing investor Album also participated in the growth investment round. (Chris Metinko / Axios)

Related: PR Newswire, Foley & Lardner, Utah Business, FinSMEs, Silicon Angle

Best Thing of the Day: Closing the Barn Door After the Horse Got Out, But Still...

The UK Ministry of Defence outlined a series of data handling reforms it aims to accomplish in response to the data breach involving the Afghan Relocations and Assistance Policy (ARAP), following a written question from Lord Alton of Liverpool.

Worst Thing of the Day: Yet Another Way to Steal Cars

A new hack developed by Jeremy Yablan, a hacker known online as RocketGod, allows malicious actors to steal cars by intercepting and cloning a key fob’s radio signal, using custom firmware built for the Flipper Zero.
