We round up the week’s most important cybersecurity news.
- The Ragnar Locker ransomware developer was arrested in France.
- More than 40,000 Cisco IOS XE devices hacked using a zero-day vulnerability.
- In New York, six people were charged in creating an illegal Bitcoin exchange.
- Ukrainian white-hat hackers destroyed the Trigona servers.
The Ragnar Locker ransomware developer was arrested in France
Europol arrested the malware developer linked to the Ragnar Locker ransomware gang and seized the group’s dark net sites as part of an international operation.
The suspect was detained on 16 October in Paris; searches were conducted at his home in the Czech Republic. In addition, five alleged associates were questioned in Spain and Latvia.
According to investigators, since late 2019 the Ragnar Locker gang has attacked 168 international companies around the world, including memory-chip maker ADATA, aviation giant Dassault Falcon, and Japanese game developer Capcom.
During the operation, authorities seized crypto assets, shut down nine servers, and blocked the hackers’ negotiation and leak sites on the Tor network.
The case was opened in May 2021 at the request of French authorities. Since then, two other suspects have been detained in Ukraine, and another in Canada.
More than 40,000 Cisco IOS XE devices hacked using a zero-day vulnerability
Cisco warned about a critical zero-day vulnerability affecting enterprise networking equipment running IOS XE. It allows a remote unauthenticated attacker to create a high-privilege account on the affected hosts and gain full control of the device. Cisco has not yet released patches, so the only mitigation for now is to disable the HTTP server feature.
Networking gear running Cisco IOS XE includes corporate switches, industrial and aggregation routers, access points and wireless controllers.
The first signs of potentially malicious activity were spotted on September 28. By October 18, according to the Censys search platform, the number of compromised devices stood at 41,983.
According to Shodan, in total more than 145,000 hosts are at risk, most in the United States. Many belong to service providers, universities, hospitals, and government agencies.
CERT Orange published a script for scanning equipment for the presence of a malicious implant.
Cisco continues the investigation and is preparing a fix for the vulnerable systems.
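The mitigation above is a configuration change, so a defender's first question is which devices in the fleet still have the web UI enabled. The following added example (not from the article, Cisco or CERT Orange) parses saved IOS XE running-config excerpts and reports, per device, whether the HTTP and HTTPS web server lines are enabled, disabled, or absent (left at platform default). The device names and config text are constructed; the `ip http server` / `ip http secure-server` commands are standard IOS XE syntax.

```python
import re
from dataclasses import dataclass

# Constructed running-config excerpts for four hypothetical devices.
SAMPLE_CONFIGS = {
    "edge-rtr-1": "hostname edge-rtr-1\n!\nip http server\nip http secure-server\n"
                  "ip http authentication local\n!\n",
    "agg-sw-2": "hostname agg-sw-2\n!\nno ip http server\nno ip http secure-server\n!\n",
    "core-rtr-3": "hostname core-rtr-3\n!\nno ip http server\nip http secure-server\n!\n",
    "branch-wlc-4": "hostname branch-wlc-4\n!\n",  # no http lines at all
}

# Matches "ip http server" / "ip http secure-server", with or without a leading "no".
HTTP_LINE = re.compile(r"^(no )?ip http (secure-)?server\s*$")


@dataclass
class WebUiStatus:
    http: str             # "enabled", "disabled" or "default"
    https: str            # same states for the HTTPS server
    remediation: list     # config lines still needed to apply the mitigation


def web_ui_status(config: str) -> WebUiStatus:
    """Report whether the IOS XE web UI is exposed according to a running-config."""
    state = {"http": "default", "https": "default"}
    for line in config.splitlines():
        m = HTTP_LINE.match(line.strip())
        if not m:
            continue
        key = "https" if m.group(2) else "http"
        state[key] = "disabled" if m.group(1) else "enabled"
    # "default" means the line is absent, so the platform default applies; the
    # safe assumption is that it may be on, so still require the explicit "no" form.
    fixes = []
    if state["http"] != "disabled":
        fixes.append("no ip http server")
    if state["https"] != "disabled":
        fixes.append("no ip http secure-server")
    return WebUiStatus(state["http"], state["https"], fixes)


def audit(configs: dict) -> dict:
    """Run the check over every device; devices with an empty remediation list are done."""
    return {name: web_ui_status(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, st in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: http={st.http} https={st.https} todo={st.remediation or 'none'}")
```

Disabling the web server removes the mitigated attack surface but does not tell you whether a device was already compromised; that still requires the implant check described in the article.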
A Moldovan citizen faces up to 20 years for operating a dark web marketplace
31-year-old Moldovan citizen Sandu Diaconu was extradited to the United States, where he is charged with computer fraud and money laundering through the dark web marketplace E-Root.
The marketplace’s domains were seized by authorities in late 2020. Diaconu was arrested in the United Kingdom in 2021 while attempting to flee the country.
The E-Root marketplace sold access to more than 350,000 compromised computers worldwide for cryptocurrency. The U.S. Department of Justice has gathered evidence that the data purchased on the site was subsequently used to carry out ransomware attacks.
Diaconu pleaded not guilty. He faces up to 20 years in prison, and authorities also intend to seek forfeiture of criminal proceeds.
Six people charged in New York for running an unlicensed Bitcoin exchange
Six individuals will appear in the Southern District of New York in connection with a US$30 million unlicensed cryptocurrency transfer business, CoinDesk reports.
According to the FBI, from July 2021 to September 2023 the defendants created a darknet exchange for converting digital assets to cash. Their services were used by drug dealers and hackers.
A confidential source helped law enforcement capture the alleged owners, taking part in 80 controlled cash seizures totaling about $15 million.
Ukrainian white-hat hackers destroyed the Trigona ransomware servers
On 18 October, Ukrainian cyber activists destroyed the Russian ransomware group Trigona’s website.
White-hat hackers told dev.ua that they found a vulnerability in Confluence, and that part of Trigona’s infrastructure operated via the open internet rather than Tor.
The operation to locate all servers took several days, and it took 15 minutes to wipe the information.
On the main page of the site, the cyber alliance posted: “Trigona is no more. Welcome to the world you created for others.”
Trigone. The servers of the Trigona ransomware gang have been exfiltrated and wiped out by @UCA_ruhate_ Welcome to the world you created for others! pic.twitter.com/ALiud4sPQv
— herm1t (@vx_herm1t) October 17, 2023
Renting new servers will cost operators about $2000. However, the ability to recover also depends on how up-to-date their backups are.
Alfa-Bank denies leak of client data
The Alfa-Bank press service described the post claiming that personal data of its clients had been publicly released as fake and a hoax.
Earlier, some Telegram channels had reported a potential leak. They claimed a text file with 1 million lines contained 43,931 records with unique data points.
Nevertheless, representatives of the bank stated that the table in the post was compiled from several random numbers.
“Customer data is protected,” the press service emphasised.
Also on ForkLog:
- EU regulators proposed to improve privacy for the digital euro.
- In the United States, proposals were made to treat Bitcoin mixers as “money-laundering centers”, and experts gave a forecast in case this happens.
- A Russian citizen was charged with creating an illegal Bitcoin exchange in Kazakhstan.
- Ukraine’s regulator expanded the list of unreliable crypto projects.
- A Chinese teacher handed over $546,000 to a scammer “to buy Bitcoin.”
- The founder of Finiko had his arrest extended until 2024.
- Platypus Finance returned 90% of assets lost in the breach.
- Fantom Foundation reported a hack worth hundreds of thousands of dollars.
- Garantex commented on charges of “financing Hamas”, and Binance, according to media reports, closed over a hundred accounts linked to the group.
- Tether froze addresses linked to the conflicts in Israel and Ukraine.
- TrueUSD clients were notified of potential data compromise.
- Experts calculated the share of high-risk operations with USDT on the Tron network’s OTC market.
- In Russia, phishing attacks against cryptocurrency holders have increased.
- Hackers have used the BNB Chain blockchain for attacks.
What to read this weekend?
A bit of futurology from ForkLog founder Anatoly Kaplan.
