How international authorities took out the popular cybercrime platform ‘Ghost’
An international law enforcement operation took down an encrypted cybercrime communication platform known as “Ghost” and led to dozens of arrests around the world. Australian federal authorities announced Wednesday, Sept. 18, that they had made 38 arrests in raids across the country, while authorities in Canada, Sweden, Ireland and Italy conducted similar raids.
“We allege hundreds of criminals including Italian organized crime, motorcycle gang members, Middle Eastern organized crime and Korean organized crime have used Ghost in Australia and overseas to import illicit drugs and order killings,” Ian McCartney, deputy commissioner of the Australian Federal Police, said.
“Importantly, the AFP has prevented the death and serious injury of 50 individuals in Australia, because we’ve been able to decrypt these messages,” McCartney said.
Europol, the global task force helping in the effort, said the coalition dismantled a drug lab in Australia and seized drugs, weapons and more than $1 million globally.
“Today we have made it clear that no matter how hidden criminal networks think they are, they can’t evade our collective effort,” Europol’s Executive Director Catherine De Bolle said.
“This was truly a global game of cat and mouse, and today, the game is up,” Europol’s Deputy Executive Director Jean-Phillipe Lecouffe told reporters.
The AFP said the French assisted in decrypting Ghost communications.
“This time, the AFP engineered a new technological solution. As the administrator regularly pushed out software updates, the AFP was able to modify those updates,” McCartney said. “In effect, we infected the devices, enabling us to access the content on Australian devices.”
The alleged ringleader of Ghost, Yoon Jung, was arrested at his home on Tuesday, Sept. 17. Authorities accused him of using a network of resellers to offer specialized iPhones to criminals worldwide. The cellphones reportedly sold for nearly $1,600 apiece and included a six-month subscription to the Ghost app as well as technical support.
The app reportedly gained popularity among criminals for its “advanced security features,” and its disruption is a major blow to organized cybercrime globally.
As the investigation continues, more disruption to illegal activities and arrests are reportedly expected in connection with the cybercrime network.
The Europol-led crackdown includes help from the United States, Canada, Australia, Ireland, Sweden, France, Iceland and the Netherlands.
23andMe agrees to $30 million settlement after major data breach
Genetic testing company 23andMe has agreed to a $30 million settlement after a data breach exposed the personal information of approximately 6.9 million customers. The breach, which went undetected for five months, compromised users’ names, birth years, genders, ancestry reports, and raw genotype data, with hackers specifically focusing on customers of Chinese and Ashkenazi Jewish descent.
U.S. intelligence agencies recently identified foreign actors, particularly Russia and China, as key perpetrators behind multiple sophisticated cyber threats targeting critical infrastructure and personal information in the United States.
The hacker, identified only as “Golem,” shared victims’ personal information on an online forum used by cybercriminals, The New York Times reported.
As part of the settlement, 23andMe will compensate affected customers and provide free access to a security monitoring program for three years. The company expects cyber insurance to cover $25 million of the $30 million total settlement.
23andMe said it will conduct annual cybersecurity audits and maintain a dedicated data breach incident response plan. The company will also stop storing personal information for inactive or deactivated accounts to minimize data retention risks.
The genetic testing company denies any wrongdoing and the settlement is still pending approval by a judge.
Polish security takes down covert Russia-linked sabotage group
Poland’s security services revealed on Monday, Sept. 9, that they had taken down hackers working for Russia and Belarus who were attempting to “wage a de facto cyber war.” Polish intelligence said the activity is part of ongoing efforts to sabotage Poland’s institutions because of its military aid to Ukraine.
“The Belarusian and Russian foreign services had one specific goal, to extort information, to blackmail individuals, and institutions and to wage a de facto cyber war,” Poland Deputy Prime Minister Krzysztof Gawkowski said.
Gawkowski added that Polish intelligence had neutralized the saboteurs.
The deputy prime minister also said that the goal of Russian and Belarusian infiltration is to sabotage military, economic and political operations, alleging the adversaries worked their way into local and central government institutions, including state-owned corporations setting up military contracts.
According to the Polish government, cyberattacks against the country doubled in the first half of 2024, and last June alone Poland blocked several attacks aimed at critical infrastructure.
Warsaw claims that Moscow is attempting to destabilize the nation because of its supply of military aid to Ukraine, pointing to an alleged effort by covert Russian intelligence to steal information on weapons deliveries to Ukraine. Poland has linked previous sabotage and arson to the Kremlin. Russia denies the allegations.
Two major cyber security breaches impact billions of people worldwide
Researchers at CyberNews are calling it “the largest password compilation,” as nearly 10 billion unique plaintext passwords have been exposed. The data was uploaded to a file titled “RockYou2024,” and these passwords are used by people worldwide.
The CyberNews team warned that this massive leak increases the risk of credential stuffing attacks, which can be detrimental to both users and businesses. Cybercriminals can exploit the leaked information to gain unauthorized access to unrelated services.
Researchers emphasize that attackers can use the leaked passwords to target any system lacking protection against brute-force attacks. This situation could lead to a cascade of data breaches, financial fraud and identity theft, CyberNews said.
To safeguard your accounts, cyber security experts recommend:
Resetting all passwords: Immediately reset all passwords associated with the leak. Use strong, unique passwords that are not reused across platforms.
Enabling multi-factor authentication: Whenever possible, enable multi-factor authentication. This adds an extra layer of security by requiring additional information during login.
Using a password manager: Consider using password manager software to create and securely store complex passwords on your devices.
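The reset advice above only helps if the replacement password is not itself already in a compilation like the one described. The following is an added example, not code from the article or from CyberNews, showing how a service can screen candidate passwords against leaked data without ever receiving the full hash: the client hashes locally, sends only a short SHA-1 prefix, and matches the suffix on its own side (the range-query pattern used by compromised-password APIs). The leaked-password corpus, the function names and the 12-character minimum are all constructed for illustration.

```python
"""Screen candidate passwords against a constructed breach compilation.

Added example, not from the article or CyberNews. The breach corpus below
is constructed; real deployments query a compromised-password service
with the same hash-prefix (k-anonymity) pattern shown here.
"""
import hashlib
from collections import defaultdict

# Constructed sample of leaked plaintext passwords (placeholder data only).
LEAKED_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "123456", "summer2024",
    "password", "password",
]

PREFIX_LEN = 5  # hex chars of SHA-1 sent in a range query; the rest stays local


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range queries use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Map each 5-hex-char SHA-1 prefix to {suffix: occurrence_count}."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] += 1
    return index


def range_query(index, prefix: str) -> dict:
    """Server side: return every suffix sharing the prefix.

    The server only ever sees the prefix, so it cannot tell which of the
    returned suffixes (if any) the client is checking.
    """
    return dict(index.get(prefix, {}))


def password_breach_count(index, candidate: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix at home."""
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_query(index, prefix).get(suffix, 0)


def evaluate_password(index, candidate: str, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected (empty list = accept)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    count = password_breach_count(index, candidate)
    if count:
        reasons.append(f"appears {count} time(s) in known breach data")
    return reasons


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for pw in ["password", "summer2024", "correct-horse-battery-staple-42"]:
        print(pw, "->", evaluate_password(idx, pw) or ["accepted"])
```

The check belongs at registration and at password reset, which is exactly the moment the article's first recommendation creates; a multi-factor requirement (the second recommendation) still applies because a password that is clean today can appear in the next compilation.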
In another data breach, AT&T reported on Friday, July 12, that a hacker downloaded and released call and text records of tens of millions of customers between May and October 2022.
The breach did not include the contents of calls and messages, and information such as names, Social Security numbers and birthdates was not compromised. AT&T will notify current and former customers if their information was affected.
US identifies stealth Chinese cyber threat ‘prepositioning’ in critical infrastructure
The U.S. military’s new Cyber Command chief and head of the National Security Agency has sounded the alarm about a stealthy Chinese cyber threat to critical American infrastructure. Unlike typical cyber intrusions that steal data or military secrets, this threat sits dormant within civilian systems, primed for disruptive attacks.
Air Force Gen. Timothy Haugh, who spoke with The Wall Street Journal at a security conference in Singapore, detailed the activities of a Chinese hacking network known as Volt Typhoon. The group is suspected of positioning itself within key infrastructure networks to launch future attacks.
“China has penetrated systems and then use the capabilities inside those systems to live off the land using the technical capabilities of the systems they’ve compromised to reside there or not for the purpose of intelligence collection, but to assure access in things like critical infrastructure or within Guam, areas that we know have relevance from a military perspective, but also for pre-positioning for other activities,” Haugh said.
In January, U.S. officials identified and dismantled a network of routers across the U.S. and Guam that were vulnerable due to a lack of system updates. Since 2021, Volt Typhoon has accessed critical U.S. infrastructure in communications, utilities, transportation and government sectors. Microsoft highlighted this threat last year, noting its potential to disrupt essential services like water supplies, power grids and transportation systems.
Haugh emphasized the need to protect American networks and ensure U.S. military operational security, especially in regions like the Indo-Pacific that are susceptible to Chinese cyber actions. Officials are particularly concerned that during a conflict, China could exploit its covert access to launch cyberattacks harming civilians.
New CISA cybersecurity measures to fight ransomware raise privacy concerns
Ransomware attacks are causing significant damage to organizations of all sizes, exploiting unknown vulnerabilities. To combat this, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, has initiated the Ransomware Vulnerability Warning Pilot. This program notifies organizations about potential ransomware threats, potentially preventing millions in damages.
For example, UnitedHealth Group suffered a ransomware attack earlier this year, resulting in nationwide health care service outages and costing the company $872 million. The attackers allegedly stole 6 terabytes of patient data and demanded a $22 million ransom.
“We’ve normalized the fact that we have shifted the burden of cybersecurity onto individuals and small businesses, which are least prepared to bear that burden,” CISA Director Jen Easterly said. “We’ve normalized this crazy misalignment of incentives where technology companies have prioritized speed to market and driving down cost and cool features over security.”
By addressing these vulnerabilities, organizations can significantly reduce their risk of becoming victims of cyber extortion and avoid the severe financial consequences that follow.
The pilot program, which currently includes 7,000 organizations, is expected to be fully operational by the end of 2024. Under the program, CISA identifies vulnerabilities and alerts organizations, providing them with the information needed to patch their systems and prevent attacks.
However, privacy advocates are concerned about one of the tools used in the program — the administrative subpoena. A 2022 review of CISA’s procedures showed that the agency can issue subpoenas to organizations or individuals to gather information on internet-based systems without a court order, as these subpoenas do not require judicial review, and opting out is not possible.
These subpoenas can be issued secretly, without the knowledge or consent of those targeted. CISA can retain personally identifiable information for six months if it relates to a suspected cybersecurity incident.
CISA ensures that personally identifiable information is promptly deleted in accordance with established procedures. Despite this, the lack of judicial oversight and the secretive nature of these subpoenas have raised concerns about potential privacy violations and abuses of power.
CISA also offers its own cybersecurity tools and has started a process for organizations to submit their own free tools and services for both the public and private sectors.
Report warns AI could overwhelm system made to curb online child exploitation
A new report from the Stanford Internet Observatory revealed that the CyberTipline for reporting online child exploitation and child sexual abuse material (CSAM) is overwhelmed and needs improvement if law enforcement is to capture predators. The CyberTipline is “enormously valuable and leads to the rescue of children and prosecution of offenders,” the report said, but child sex abuse material created by artificial intelligence is threatening to overwhelm the system.
The system is currently bogged down with millions of tips and law enforcement officers are not able to prioritize the reports for investigation.
The CyberTipline was created by the National Center for Missing and Exploited Children (NCMEC) in 1998 and “established a national resource center and clearinghouse to provide technical assistance to state and local governments, law enforcement agencies and individuals in locating and recovering missing children.”
The CyberTipline allows the public and electronic service providers to report online child sexual exploitation. Staffers working the CyberTipline review the reports, identify the location of the victim or predator and send the information to the appropriate local law enforcement agency.
If a report cannot be geolocated to a specific area, the report is then made available to federal law enforcement.
In 2023, the center received more than 36 million reports of child exploitation. Of those, 2.1 million CyberTipline reports were given to federal law enforcement agencies.
“Almost certainly in the years to come, the CyberTipline will just be flooded with highly realistic-looking AI content, which is going to make it even harder for law enforcement to identify real children who need to be rescued,” researcher Shelby Grossman said.
Just 5%-8% of the tips lead to arrests because of a lack of funding and legal hurdles, according to the report.
In 2023, about 92% of the tips received involved countries outside of the U.S. — a stark difference from 2008 when the majority of the tips concerned American victims and offenders.
The Stanford report outlines a few recommendations, such as having Congress increase funding to NCMEC, providing clear information to social media platforms on how to file a detailed report to the CyberTipline, and providing resources to law enforcement so they have the time to investigate child sex abuse crimes.
Several AI companies — including OpenAI, Meta and Google — have agreed to implement new practices and principles to minimize the risk of child sexual abuse material and to remove the material from their platforms.
Israel carries out strike against Iran in response to drone attack
Israel struck back in its first military response to Iran since last weekend’s attack. The 12-person jury is selected in former President Donald Trump’s hush money trial. These stories and more highlight The Morning Rundown for Friday, April 19, 2024.
Israel carried out strike against Iran in response to drone attack
Israeli forces struck back against Iran early on the morning of Friday, April 19, following last weekend’s drone and missile barrage toward Israel, but details remain sparse in the aftermath.
Iranian officials reported their anti-aircraft systems intercepted three small drones near an air base and nuclear site in the province of Isfahan, causing no reported damage. Iranian army commander Gen. Abdolrahim Mousavi said the explosions heard in the area were related to air defense actions against suspicious objects.
The United Nations’ International Atomic Energy Agency (IAEA) confirmed no damage to Iran’s nuclear sites following the incident. Iran temporarily closed its airports after the attack, but they have since reopened.
While Israel has not officially commented on the attacks, several officials from Israel, Iran and the U.S. have confirmed the strike to multiple news outlets, marking Israel’s first military response to Iran’s assault, which involved 300 missiles and drones, 99% of which were intercepted.
The direct attack by Iran was reportedly in retaliation for a suspected Israeli airstrike on Iran’s embassy in Syria earlier in the month, which killed seven officials, including a top general.
For nearly a week, Israel indicated plans to retaliate for Iran’s actions despite advisement against it from the U.S. and its allies. An Israeli official told The Washington Post the attack was intended to demonstrate Israel’s capability to strike inside Iran.
An Iranian official told Reuters that Iran has no plans to respond to Israel’s attack.
Congresswoman’s daughter among dozens detained at pro-Palestinian protests
More than 100 students were arrested Thursday, April 18, at Columbia University during a pro-Palestinian protest on the campus’s main lawn. The arrests occurred as New York City police, in riot gear, dismantled a makeshift tent city that had been set up by the protesters without school permission.
In a statement to the Columbia community, Columbia President Minouche Shafik announced the suspension of all students participating in the protest, expressing regret over their refusal to resolve the situation peacefully.
The protests started on Wednesday, April 17, while Shafik testified on Capitol Hill, where she was accused of failing to respond to antisemitism on campus.
Full jury seated in Trump’s hush money trial
The historic hush money criminal trial of former President Donald Trump has seated its full jury, with the judge stating, “We have our jury,” after the 12th juror was selected during day three of the trial in New York on Thursday, April 18.
One alternate was chosen, with five more still needed. The judge expressed hope that jury selection would conclude Friday, April 19.
The day began with the dismissal of two of the seven jurors selected earlier in the week. One juror was dismissed after expressing doubts about remaining impartial after being questioned by family and friends. The second juror was excused after concerns arose about the truthfulness of his answers regarding whether he or any family members had been accused of a crime.
The judge replaced the two and then selected five others to complete the jury, including a speech therapist, a former wealth manager, a physical therapist and a product development manager.
Opening statements are tentatively scheduled for Monday, April 22.
FBI: Chinese threat to U.S. infrastructure is bold, unrelenting
FBI Director Christopher Wray emphasized the immediate threats China poses to U.S. national and economic security, highlighting U.S. critical infrastructure as a primary target during his speech at the Vanderbilt Summit on Modern Conflict and Emerging Threats on Thursday, April 18.
Wray detailed the Chinese Communist Party’s drive for power, which motivates its strategies, including the theft of intellectual property and technologies crucial to future economies.
“I’m talking about everything from indiscriminate hacking to economic espionage, to transnational repression, to fentanyl and the precursor chemicals that are coming out of China and ending up in our communities,” Christopher Wray, director of the FBI, said. “What we’re facing today is the CCP throwing its whole government into undermining the security of the rule of law world.”
Nearly a year ago, Microsoft reported that the cyber group Volt Typhoon had been secretly accessing critical infrastructure organizations in the U.S. since mid-2021. Security researchers from Microsoft and Google have linked the Volt Typhoon group to China. The group targets sectors such as communications, utilities, transportation, and government to spy on and infiltrate those networks.
Earlier this week, a spokesperson from the Chinese Ministry of Foreign Affairs stated that Volt Typhoon is not affiliated with China’s government but is a criminal ransomware group.
Netflix adds 9.3 million subscribers, will no longer report quarterly tally
On the same day Netflix announced it had added more than 9 million subscribers in the first quarter of the year amid its crackdown on password sharing, the streaming giant said it would no longer report subscriber numbers each quarter.
The 9.3 million additional subscribers far surpassed estimates, bringing the global total to nearly 270 million subscribers — a record high.
The company also reported over $9 billion in revenue, a 15% increase from a year ago. Netflix said it is switching to announcing subscriber additions only when major milestones are reached.
Netflix told investors that the company’s success should be assessed based on its revenue and operating margins, adding that time spent using the service is the best way to gauge customer satisfaction.
Taylor Swift’s latest album breaks Spotify record before being released
One of the most anticipated albums of all time is now available, breaking records even before its release just hours ago. Spotify reported Taylor Swift’s 11th studio album, “The Tortured Poets Department,” broke its record for the most pre-saved album in the streaming service’s history.
Swift’s latest album dropped overnight, with the Grammy winner surprising fans by announcing this release is a double album, sharing 15 extra songs with fans at 2 a.m.
No numbers have been disclosed yet on the success of “The Tortured Poets” album.
Swift’s 2022 album “Midnights” spent six weeks at No. 1 on the Billboard charts and earned the Grammy for album of the year.
Chinese hackers target US infrastructure with unprecedented persistence
Recent warnings from the National Security Agency (NSA) highlight an ongoing cyber threat posed by the persistence of Chinese hackers. In a cybersecurity advisory issued with other federal agencies, the NSA singled out a Beijing-backed hacker network known as “Volt Typhoon” for targeting and infiltrating American critical infrastructure.
“The [advisory] focuses on PRC-sponsored cyber actor, Volt Typhoon, targeting IT networks of communications, energy, transportation, water, and wastewater organizations in the U.S. and its territories,” the NSA said in a statement. “The authoring agencies recognize the reality that the PRC has already compromised these systems. In some cases, the cyber actors have been living inside IT networks for years to pre-position for disruptive or destructive cyberattacks against operational technology in the event of a major crisis or conflict with the United States.”
Chinese hacking groups like Volt Typhoon have actively targeted vital sectors of U.S. infrastructure, including electric grid operators, water systems and shipping ports. The groups’ tactics involve gaining and maintaining access to these networks for long periods; some instances of continuous access lasted up to five years. This prolonged presence gives the hackers the capability to execute potentially devastating cyberattacks at their discretion, threatening the stability and functionality of resources relied upon by everyday Americans.
“If and when China decides the time has come to strike, they’re not focused just on political and military targets,” FBI Director Christopher Wray said. “We can see from where they position themselves across civilian infrastructure, that low blows aren’t just a possibility in the event of a conflict, low blows against civilians are part of China’s plan.”
Despite the gravity of their activities, Volt Typhoon’s methods do not always rely on cutting-edge technology. Rather, the group relies on persistent hacking attempts, exploiting vulnerabilities that may be accessible to relatively skilled hackers, not just experts.
The vulnerability of U.S. infrastructure cybersecurity is made worse by its fragmented and decentralized nature.
Several entities and individuals are responsible for operating different components of critical infrastructure, so coordination efforts to combat cyber threats are often insufficient. This fragmentation is particularly evident in sectors such as the water system, where 150,000 individual, independently managed operations make up the system. The same pattern is found across all 16 critical infrastructure sectors in the country.
In response to these ongoing threats, federal agencies are urging infrastructure operators to bolster their cybersecurity defenses. Recommendations include implementing multi-factor authentication and conducting regular reviews of network activity logs to detect and prevent unauthorized access.
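The two recommendations above, multi-factor authentication and regular review of activity logs, are concrete enough to show in code. The following is an added example, not from the advisory or the article: a small reviewer that reads authentication log lines and flags a successful login that skipped MFA, a login from a source address never seen for that account, and a success that closely follows a burst of failures from the same source (a pattern consistent with password guessing). The log format, the sample lines, the per-user baseline of known addresses, the 5-failure threshold and the 10-minute window are all constructed; adapt the regular expression to the authentication logs you actually collect.

```python
"""Review constructed authentication log lines for signs of unauthorized access.

Added example, not from the NSA/CISA advisory or the article. Log format,
sample lines, baseline and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, user, source IP, result, MFA flag.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
2024-02-07T03:14:05Z auth user=ops-admin src=198.51.100.7 result=success mfa=yes
2024-02-07T03:15:10Z auth user=ops-admin src=203.0.113.5 result=failure mfa=no
2024-02-07T03:15:12Z auth user=ops-admin src=203.0.113.5 result=failure mfa=no
2024-02-07T03:15:14Z auth user=ops-admin src=203.0.113.5 result=failure mfa=no
2024-02-07T03:15:15Z auth user=ops-admin src=203.0.113.5 result=failure mfa=no
2024-02-07T03:15:17Z auth user=ops-admin src=203.0.113.5 result=failure mfa=no
2024-02-07T03:15:20Z auth user=ops-admin src=203.0.113.5 result=success mfa=no
2024-02-07T09:02:44Z auth user=jsmith src=198.51.100.9 result=success mfa=yes
"""

# Constructed per-user baseline: source addresses seen during normal operations.
KNOWN_SOURCES = {
    "ops-admin": {"198.51.100.7"},
    "jsmith": {"198.51.100.9"},
}

FAILURE_THRESHOLD = 5          # failures before a following success is suspicious
WINDOW = timedelta(minutes=10)  # how far back failures count toward the burst


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_auth_log(text, known_sources=KNOWN_SOURCES):
    """Return (rule, user, src) alerts for every successful login that
    matches a detection rule. Failures are remembered per (user, src) so a
    later success can be judged against them."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than crash the review
        key = (rec["user"], rec["src"])
        if rec["result"] == "failure":
            recent_failures[key].append(rec["ts"])
            continue
        # From here on the line is a successful login.
        if rec["mfa"] == "no":
            alerts.append(("success_without_mfa", rec["user"], rec["src"]))
        if rec["src"] not in known_sources.get(rec["user"], set()):
            alerts.append(("unknown_source", rec["user"], rec["src"]))
        window_start = rec["ts"] - WINDOW
        burst = [t for t in recent_failures[key] if t >= window_start]
        if len(burst) >= FAILURE_THRESHOLD:
            alerts.append(("success_after_failure_burst", rec["user"], rec["src"]))
        recent_failures[key].clear()  # the success resolves the pending failures
    return alerts


if __name__ == "__main__":
    for rule, user, src in review_auth_log(SAMPLE_LOG):
        print(f"ALERT {rule}: user={user} src={src}")
```

On the sample data the first and last lines are clean, and the 03:15:20 login for ops-admin trips all three rules at once. In practice the baseline of known sources would be built from a trailing period of the same logs rather than hard-coded, and the MFA rule should be a hard deny at the identity provider; the log check then catches configuration drift rather than being the only control.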
China’s AI-generated content targets US, India and South Korea elections
China and North Korea are intensifying their cyber operations, leveraging artificial intelligence to influence global opinions and elections in the U.S., South Korea, India, and Taiwan, according to Microsoft’s latest Threat Intelligence report. The report details China’s use of AI-generated content, such as videos, memes and fake news anchors, to sway public opinion and influence the outcomes of key elections.
Clint Watts of Microsoft’s Threat Analysis Center highlights China’s use of fake social media accounts to probe divisive U.S. domestic issues, aiming to understand what divides U.S. voters. These influence operations have targeted various issues within the U.S., gathering intelligence on American political views.
Last year, the group Storm 1376 falsely claimed the Maui fires were set by the U.S. government as a test of a “weather weapon.” The challenge lies in combating misinformation from realistic generative AI, as many refuse to accept such content as false, especially when it aligns with their beliefs and values.
In Taiwan, a suspected AI-generated audio clip falsely portrayed Foxconn’s Terry Gou endorsing another presidential candidate; YouTube quickly removed it. Meanwhile, North Korea has focused on cryptocurrency thefts and supply chain attacks, funding its military ambitions and enhancing intelligence collection through AI.
The U.N. estimates that since 2017, North Korean cyber actors have stolen over $3 billion in cryptocurrency. Microsoft acknowledges that while AI-generated content currently has a minimal impact on elections, China’s ongoing efforts to refine this content could become more effective as technology advances.