Arrest of LockBit operator, FIFA cyber-espionage and other cybersecurity developments

We have compiled the week’s most important cybersecurity news.

  • The United States has sought extradition of a Russian national charged in LockBit ransomware attacks.
  • In Qatar and Greece, details of government cyber-espionage were disclosed.
  • In Ukraine, local leaders of scam call centres with revenues of about €200m a year were arrested.
  • In Russia, the first conviction for using a secure messaging app was handed down.

The United States seeks extradition of a Russian national charged in LockBit ransomware attacks

On November 9, Canadian authorities arrested 33-year-old Russian national Mikhail Vasilyev on charges related to large-scale ransomware attacks using the LockBit program, according to the U.S. Department of Justice.

Vasilyev’s arrest followed the October 2021 detentions of two of his accomplices in Ukraine.

According to court documents, the defendant and his accomplices used LockBit to attack critical infrastructure targets and large industrial companies, demanding multi-million-dollar ransoms. 

During the arrest, authorities seized two firearms, eight computers, 32 hard drives and more than €400,000 in various cryptocurrencies. 

The United States authorities filed for his extradition, noting he also holds Canadian citizenship. He faces up to five years’ imprisonment.

Since its appearance in 2019, the LockBit ransomware gang has attacked at least 1,000 people in the United States and worldwide. Its members have received tens of millions of dollars in ransoms from victims.

Bug in the ‘Vkusno — i Tochka’ terminal allowed free orders

A group of teenagers discovered a vulnerability in the self-service terminals of the restaurant chain ‘Vkusno — i Tochka’ and ordered food for free for about a month. This was reported by the Telegram channel Baza.

According to the channel, the incident occurred in October at the fast-food outlet on Volokolamsk Highway in Moscow. In the posted video, the teenagers place an order at the self-service terminal, then cut the power to the terminal and go to collect the order.

As a result, the system automatically refunded the last order when power was restored. The incident was detected during a cash register audit. The shortfall amounted to about 12,000 rubles.

Representatives of ‘Vkusno — i Tochka’ confirmed the bug in the system and said they are working to fix it. They did not disclose whether the customers who exploited the vulnerability were identified, or whether any damages would be reimbursed.

15,000 websites hacked in a campaign to poison Google’s search results

Hackers infected nearly 15,000 sites with SEO spam. This was reported by Sucuri.

According to the researchers, the attackers create enough indexed pages to boost the authority of fake Q&A forums in search engines, notably Google.

Fake Q&A forum. Data: Sucuri.

Most of the compromised sites run on WordPress, each containing about 20,000 spam files.

Going forward, compromised resources are likely to be used as malware payloads or phishing sites. Another possible scenario is driving traffic for advertising fraud.

Sucuri researchers could not conclusively determine the breach mechanism. They speculate it stems from a vulnerable plugin or a weak WordPress administrator password.

In Qatar and Greece, details of government cyber-espionage were disclosed

Qatari officials organised a large-scale, long-running intelligence operation against FIFA officials with the help of former CIA operatives, Swiss media reported.

According to available information, Qatar’s upper echelons of government, including the emir, were involved in the cyber-espionage. The aim was to ensure Qatar retained the right to host the 2010 World Cup.

The budget stood at $387m; the attacks spanned five continents. One operation involved deploying at least 66 operatives over nine years.

In late October the FBI launched an investigation into former CIA agent Kevin Chalker, founder and CEO of Global Risk Advisors, which, as reported, helped the Qatari government conduct this operation.

Meanwhile, in Greece, local media uncovered that the government, led by Prime Minister Kyriakos Mitsotakis, commissioned illegal surveillance of government officials, journalists and businesspeople. They were targeted with Predator spyware.

Thirty-three people are listed as affected. One of them is the current Greek foreign minister and a member of the ruling New Democracy party, Nikos Dendias.

In Ukraine, local leaders of fraudulent call-centres were arrested

Ukraine’s Cyber Police and Europol arrested five key members of an international scam network whose operations caused more than €200m in harm per year.

The criminals ran call centres that deceived victims into investing in cryptocurrencies, stocks and options. They also built a network of fake websites to lure potential victims. The sites displayed allegedly rising returns but, in fact, prevented withdrawals.

The scheme operated in Ukraine, Germany, Spain, Latvia, Finland and Albania. The total number of call-centre staff exceeded 2,000.

The police raid on one of the Ukrainian call centers
Data: Cyberpolice of Ukraine.

Three call centres were located in Ukraine. According to cyberpolice, five of the detainees are organisers of local operations in Kyiv and Ivano-Frankivsk. During searches, law enforcement seized more than 500 pieces of computer equipment and mobile phones.

Detainees face up to eight years in prison.

Hackers stole Yappy users’ data

On November 8, Yappy, a vertical-video service controlled by Gazprom-Media, was hacked and user data was stolen, the Telegram channel “Data Leaks” reports.

Tables with 2 million rows were exposed. They contain full names, usernames, hashed passwords, phone numbers, device data and registration dates. The leaked database is current as of July 1.

Data: Telegram channel ‘Data Leaks’.

Yappy representatives confirmed the data leak but stressed that public dumps contained non-current anonymised user data.

Experts believe attackers gained access through an account of one of the service’s administrators.

In Russia, the first conviction for using a secure messenger

The Tomsk District Court sentenced a Russian man to three years of restricted freedom for using a secure messenger for personal purposes.

According to the case materials, the secured messenger VIPole was involved. Using it, the defendant “neutralised the means of protecting computer information, manifested in the inability to unambiguously identify the user and their network activity on the internet.”

The man was charged with using malware. He pleaded guilty. The sentence has not yet entered into force and may be appealed.

At the same time, the Russian Ministry of Digital Development sent a letter to state bodies and banks asking them to report on VPN usage, «Vedomosti» reports.

In the questionnaire, companies should indicate the name and type of VPN, system data, the internet resources for which a proxy is required, and the city, region and country of use.

The distribution list includes: ‘Roscosmos’, ‘Rostec’, ‘Gazprom’, ‘Rostelecom’, Sberbank, VTB, Promsvyazbank, Gazprombank, ‘Otkrytie’, Alfa-Bank, Rosselkhozbank, Raiffeisen Bank, Rosbank and Sovcombank. IT sources explained that the survey is tied to the forthcoming service block.

‘Kaspersky Lab’ has already announced plans to shut down its VPN service Kaspersky Secure Connection in Russia by the end of 2022. However, for users outside the country, the feature set and VPN servers will remain unchanged. The company declined to comment on the reasons for this decision.

What to read this weekend?

Let us recall the Mt. Gox case, which suffered the largest breach in cryptocurrency history.
