Friday Five 12/17
A ransomware arrest, sanctions against spyware firms, and SIM swapping. Catch up on the infosec news of the week with the Friday Five!
1. NY Man Pleads Guilty in $20 Million SIM Swap Theft by Brian Krebs
It’s that dollar amount that really turns heads: $20 million in cryptocurrency laundered by Nicholas Truglia, the individual at the center of this story by Brian Krebs. According to Krebs, Truglia has finally pleaded guilty to conspiracy to commit wire fraud, nearly closing the book on the case. Truglia was arrested back in November 2018 as part of a group that purportedly stole more than $100 million from investors via "SIM swaps," scams in which attackers impersonate the victim to a mobile carrier (or bribe its employees) to have the victim's phone number transferred to a SIM the attackers control, so that calls and SMS one-time codes for the victim's accounts are delivered to the attackers instead. While he faces a maximum sentence of up to 20 years in prison, in the eyes of Michael Terpin, the cryptocurrency investor whose stolen funds were laundered through a Binance account that Truglia let a friend use, he's getting off easy. “He at the very least withdrew 100 bitcoin (worth $1.6 million at the time and nearly $5 million today) from my theft into his wallet at a separate, US-based exchange, and then moved or spent it,” Terpin told Krebs. For those unfamiliar with the story’s specifics, this piece, and previous stories on Krebs’ blog, delve into the details further.
2. Kronos Ransomware Outage Drives Widespread Payroll Chaos by Tara Seals
A poorly timed attack against Kronos, whose software handles employee scheduling, payroll, and other HR work, is making things harder for companies gearing up for the holidays. Ransomware hit the company over the weekend, paralyzing its cloud-based services, which could ultimately affect how some employees get paid and request time off. The company says it may be offline for weeks, driving many organizations that use the affected product, Kronos Private Cloud, to fall back to issuing paper checks. While there isn’t a solid timeline for resolving the outage, those affected can take some solace that it doesn’t appear much sensitive data was compromised as a result. In statements to employees, several affected companies said they believed the most sensitive personal data, including Social Security numbers, had not been breached.
3. Ransomware Affiliate Arrested in Romania by Ionut Arghire
Some positive news here out of Romania, where the National Police, working with Europol, announced the arrest of an individual believed to be connected to a ransomware scheme that allowed him to steal financial data and customer and employee information. Details about the operation are few and far between: Europol only said that the suspect was a 41-year-old Romanian national based in Craiova, Romania, and it didn't name the ransomware or the companies he extorted. It did hint, however, that he targeted a large IT company that served a handful of other sectors, including energy, retail, and utilities.
4. U.S. lawmakers call for sanctions against Israel's NSO, spyware firms by Joseph Menn and Joel Schectman
More NSO news, via Reuters: Citing the company's role in surveillance of journalists and activists, a group of lawmakers this week asked the U.S. Treasury Department to sanction the company, along with a handful of other firms, including DarkMatter, Nexa Technologies and Trovicor. "To meaningfully punish them and send a clear signal to the surveillance technology industry, the U.S. government should deploy financial sanctions," Senate Finance Committee Chairman Ron Wyden, House Intelligence Committee Chairman Adam Schiff and 16 other Democratic lawmakers wrote this week, adding that the industry as a whole relies on U.S. investors and banks and aids in the disappearance and torture of human rights activists and journalists. Sanctions would be the next logical step. Last month the Commerce Department took steps of its own, placing NSO on its Entity List, a heightened export-control regime meant to deter U.S. companies from doing business with the listed firms.
5. Google Warns That NSO Hacking Is On Par With Elite Nation-State Spies by Lily Hay Newman
A double dip on NSO news as WIRED recaps some epic research published this week by Google’s Project Zero on the spyware vendor’s ForcedEntry iOS exploit. According to Google, the exploit is so sophisticated that it is on par with what a skilled nation-state team could produce. It’s one thing that the exploit is zero-click, meaning the victim doesn’t have to interact with it at all for it to work, but it also sidesteps mitigations put in place specifically to thwart this kind of attack. Technically, the exploit leverages a vulnerability in the JBIG2 image-compression codec, a format designed for scanned text and documents, which is reached when the phone parses a malicious PDF disguised as an image attachment without the user being any the wiser. The story comes a few weeks after Reuters reported that Apple alerted 11 U.S. Embassy employees, most of them based in Uganda’s capital, Kampala, that their phones had been hacked with NSO's Pegasus spyware via ForcedEntry.