Table of Contents

  1. Breaches
    1. Avon Cosmetics Leaks 7GB of Personal and Technical Information from Unsecured Server
    2. Industrial intelligence company, Lectra, allegedly struck by Maze
    3. NZ police terminate contract with Gravitas after breach
    4. Athens ISD paid $50k ransom to attackers
    5. Startups disclose data breaches after massive 386M records leak
    6. GTU students complain of massive data leak after mock test
    7. Vermont Tax Department exposed 3 years worth of tax return info
    8. Argentina health officials expose personal data on 115,000 COVID-19 quarantine exemption applicants
    9. Swvl - 4,195,918 breached accounts
    10. Appen - 5,888,405 breached accounts
    11. Scentbird - 5,814,988 breached accounts
    12. Chatbooks - 2,520,441 breached accounts
    13. Havenly - 1,369,180 breached accounts
    14. Dunzo - 3,465,259 breached accounts
    15. Drizly - 2,479,044 breached accounts
    16. Vakinha - 4,775,203 breached accounts
    17. LifeLabs goes to court to block privacy watchdogs from probing 2019 data breach
    18. Data Breach at Crypto Wallet Firm Ledger Exposes User’s Personal Info
    19. Athlete Recruiting Software Company Discloses Data Breach 7 Months after Student-Athlete Data is Exposed
    20. Today’s ‘mega’ data breaches now cost companies $392 million to recover from
    21. Business giant Dussmann Group's data leaked after ransomware attack
    22. Hacker gang behind Garmin attack doesn't have a history of stealing user data
    23. Four suspects charged for roles in Twitter hack, Bitcoin scam
    24. Some potential victims of PaperlessPay breach are first finding out about the breach now
    25. Blackbaud's Bizarre Ransomware Attack Notification
    26. Kiwibank breach ‘significant’ – Privacy Commissioner
    27. Largest providers of Aged Care in Australia, Regis Aged Care Pty Ltd, allegedly breached by Maze
    28. Canadian MSP discloses data breach, failed ransomware attack
    29. More pharmacy chains report HIPAA breaches linked to looting during protests
    30. Hacker leaks 386 million user records from 18 companies for free
  2. Malware
    1. Linux warning: TrickBot malware is now infecting your systems
    2. Malspam campaign caught using GuLoader after service relaunch
    3. Sneaky Doki Linux malware infiltrates Docker cloud instances
    4. FBI warns of Netwalker ransomware targeting US government and orgs
    5. Android Spyware Targeting Tanzania Premier League
    6. Analysis of WastedLocker targeted ransomware
    7. QNAP urges users to update Malware Remover after QSnatch alert
    8. Avoid these PayPal phishing emails
    9. Emotet malware now steals your email attachments to attack contacts
    10. North Korean hackers created VHD ransomware for enterprise attacks
    11. Malware Reverse Engineering Handbook by NATO Ccdcoe
    12. Netflix credential phishing hides behind working CAPTCHA
    13. Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
  3. Crime
    1. Cracking the Uncrackable: Cybercriminals Deploy EMV-Bypass Cloning
    2. China arrests over 100 people suspected of involvement in PlusToken cryptocurrency scam
    3. Here’s Why Credit Card Fraud is Still a Thing
    4. GandCrab ransomware operator arrested in Belarus
  4. Vulnerabilities
    1. KDE archive tool flaw let hackers take over Linux accounts
    2. BootHole GRUB bootloader bug lets hackers hide malware in Linux, Windows
    3. One Byte to rule them all
    4. Is Your Chip Card Secure? Much Depends on Where You Bank
    5. Multiple Tor security issues disclosed, more to come
    6. Zoom bug allowed attackers to crack private meeting passwords
    7. Cisco fixes severe flaws in data center management solution
    8. OkCupid: Hackers want your data, not a relationship
    9. Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin
    10. Microsoft issues security update for Azure Sphere
    11. X.org security fixes address potential ASLR bypass, heap corruption
    12. Bypassing Windows 10 UAC with mock folders and DLL hijacking
    13. The core of Apple is PPL: Breaking the XNU kernel's kernel
    14. A critical security update for KeePassRPC is available
    15. Magento gets security updates for severe code execution bugs
    16. Industrial VPN vulnerabilities put critical infrastructure at risk
  5. Politics
    1. Fake Stories in Real News Sites
    2. EU sanctions Russian espionage unit, Chinese and North Korean firms
    3. US defense contractors targeted by North Korean phishing attacks
    4. India Is Reportedly Looking To Ban 275 More Chinese Apps -- Including PUBG, Zili and AliExpress
    5. Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations
    6. US to ban TikTok through executive action as soon as Saturday
    7. ECJ rules US Cloud services fundamentally incompatible with EU Privacy laws
  6. Privacy
    1. Jeff Bezos can’t promise Amazon employees don’t access independent seller data
    2. Fingerprinting for ID cards – what can be done? #NoFingerprintIDs
    3. Covid-19 patients’ privacy breach ‘not justified or reasonable’, inquiry finds
    4. Amazon says police demands for customer data have gone up
    5. Google CEO says tech giant deletes this information used by police
    6. How Cops Can Secretly Track Your Phone
    7. Rite Aid deployed facial recognition systems in hundreds of U.S. stores
    8. Face masks are breaking facial recognition algorithms, says new government study
  7. Misc
    1. Microsoft now detects CCleaner as a Potentially Unwanted Application
    2. You don’t need SMS-2FA
    3. Microsoft to remove all SHA-1 Windows downloads next week
    4. New tool detects shadow admin accounts in AWS and Azure environments
    5. The IRS asks tax professionals to enable multi-factor authentication
    6. International cyber law: interactive toolkit
    7. US government sites abused to redirect users to porn sites
    8. A Legal Deep Dive on Mexico’s Disastrous New Copyright Law
    9. Zimbabwe internet disruption limits coverage of planned protests
    10. IBM completes successful field trials on Fully Homomorphic Encryption
    11. Survey of Supply Chain Attacks
    12. DMARC: How Phishing Rings Can Use Your Email Authentication Controls Against You

Breaches

Avon Cosmetics Leaks 7GB of Personal and Technical Information from Unsecured Server

Last month, SafetyDetectives researchers discovered an unsecured database belonging to the popular Avon beauty company. The server, which lacked basic security measures, was easily accessible by investigators, who found a trove of 19 million records, including personal information of employees and website technical data. While the news might not strike a chord at first, the data breach disclosure follows a June 9 regulatory filing by the company, which confirmed a security incident that "interrupted some systems and partially affected operations." On June 12, Avon Products submitted a second regulatory filing stating that, "after suffering the cyber incident communicated on June 9, 2020" they are "planning to restart some of its affected systems in the impacted markets throughout the course of next week."

Industrial intelligence company, Lectra, allegedly struck by Maze

CybleInc threat researchers came across the post of Maze ransomware operators in which they claimed to have breached Lectra, a fast growing technology company based in Paris, France.

NZ police terminate contract with Gravitas after breach

Police are axing their contract with Auckland research firm Gravitas after information they sent the firm about police complainants was lost in a Nigerian hack. Assistant commissioner Jevon McSkimming announced earlier this month -- without naming the company -- that Gravitas had alerted Police to the data breach and had also reported it as "a crime" which Police were investigating. Police had now decided to terminate their contract with Gravitas after they had been "unable to get assurances that our information has been kept properly secure", Police said in a statement on Thursday.

Athens ISD paid $50k ransom to attackers

Athens ISD Board of Trustees has agreed to pay a $50,000 ransom for school data that was taken in a criminal ransomware attack. The attack targeted data stored on district servers, backup systems, and hundreds of computers. As a result, access to data has been blocked including teacher communications, student schedules, grades, and assignments. Further investigation revealed that no information has been taken, only encrypted to prevent access until a ransom was paid.

Startups disclose data breaches after massive 386M records leak

Startups have begun to disclose data breaches after a massive leak of stolen databases was published on a hacker forum this month. This week, BleepingComputer was the first to report that ShinyHunters, a threat actor known for data breaches, began to leak the stolen databases of eighteen web sites for free on a hacker forum.

GTU students complain of massive data leak after mock test

The students of Gujarat Technological University have complained of massive data leaks during online pre-check trial/mock tests. The test was conducted by the university on July 28. Students allege that their personal details including ID proofs were leaked on the university's website. "It was the PreTrial online MCQ test held on 28th July of around 28k students. The data breach has captured all the students' ids which includes our college ids or government ids like PAN or Aadhar cards, maybe linked to their bank accounts too," a student told India TV Digital. The data of thousands of students remained exposed for quite some time. It was only later that the university removed the link. Students took to Twitter to voice their concerns, and strongly protested against the university and demanded answers. India TV Digital tried contacting the university but the calls went unanswered. GTU is yet to respond to the students' concerns about the data breach.

Vermont Tax Department exposed 3 years worth of tax return info

The Vermont Department of Taxes disclosed that taxpayers' private information was exposed because of a security issue affecting its online filing site discovered on July 2, 2020. The data breach affected all Vermonters who electronically filed Property Transfer Tax returns using the tax department's site between February 2017 and July 2020. "Verification credentials for electronically filed property transfer tax returns available in public municipal records could be used to access previously submitted tax return information," the breach notification says.

Argentina health officials expose personal data on 115,000 COVID-19 quarantine exemption applicants

A database of more than 115,000 Argentinians who applied for COVID-19 circulation permits was exposed on the web without a password or any other authentication required to access it. The data included names, DNI numbers, tax ID numbers, and other information about applicants. Essential workers in Argentina can apply for these permits to be exempt from certain COVID-19 quarantine restrictions. Based on the evidence at hand, we believe the data belongs to the San Juan, Argentina government and the country's Ministry of Public Health. Comparitech lead security researcher Bob Diachenko discovered the unprotected database on July 25 and immediately alerted the Ministry.

Swvl - 4,195,918 breached accounts

In June 2020, the Egyptian bus operator Swvl suffered a data breach which impacted over 4 million members of the service. The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities.

Appen - 5,888,405 breached accounts

In June 2020, the AI training data company Appen suffered a data breach exposing the details of almost 5.9 million users which were subsequently sold online. Included in the breach were names, email addresses and passwords stored as bcrypt hashes. Some records also contained phone numbers, employers and IP addresses.

Scentbird - 5,814,988 breached accounts

In June 2020, the online fragrance service Scentbird suffered a data breach that exposed the personal information of over 5.8 million customers. Personal information including names, email addresses, genders, dates of birth, passwords stored as bcrypt hashes and indicators of password strength were all exposed.

Chatbooks - 2,520,441 breached accounts

In March 2020, the photo print service Chatbooks suffered a data breach which was subsequently put up for sale on a dark web marketplace. The breach contained 15 million user records with 2.5 million unique email addresses alongside names, phone numbers, social media profiles and salted SHA-512 password hashes.

Havenly - 1,369,180 breached accounts

In June 2020, the interior design website Havenly suffered a data breach which impacted almost 1.4 million members of the service. The exposed data included email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes, all of which was subsequently shared extensively throughout online hacking communities.

Dunzo - 3,465,259 breached accounts

In approximately June 2019, the Indian delivery service Dunzo suffered a data breach. Exposing 3.5 million unique email addresses, the Dunzo breach also included names, phone numbers and IP addresses which were all broadly distributed online via a hacking forum.

Drizly - 2,479,044 breached accounts

In approximately July 2020, the US-based online alcohol delivery service Drizly suffered a data breach. The data was sold online before being extensively redistributed and contained 2.5 million unique email addresses alongside names, physical and IP addresses, phone numbers, dates of birth and passwords stored as bcrypt hashes.

Vakinha - 4,775,203 breached accounts

In June 2020, the Brazilian fund raising service Vakinha suffered a data breach which impacted almost 4.8 million members. The exposed data included email addresses, names, phone numbers, geographic locations and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities.

LifeLabs goes to court to block privacy watchdogs from probing 2019 data breach

Two of Canada's provincial privacy officers say that they're still unable to release a full report about last year's security breach at LifeLabs because the company has gone to court to stop the release of information obtained during the investigation into the breach. A joint statement from the privacy commissioners for Ontario and British Columbia says the Toronto-based chain of medical labs has agreed to comply with their orders and recommendations. They say LifeLabs has sought a court order preventing the public release of some of the report, claiming it contains information that's privileged or otherwise confidential.

Data Breach at Crypto Wallet Firm Ledger Exposes User’s Personal Info

Major cryptocurrency hardware wallet provider Ledger has alerted customers to a data breach it faced in June and July. In an email on July 29, the company said it was made aware of the breach on July 14 when a researcher participating in its bounty program reached out with details of a potential vulnerability on their website. While they were able to fix the breach immediately, a further investigation by the team found that an authorized third party carried out a similar action on June 25.

Athlete Recruiting Software Company Discloses Data Breach 7 Months after Student-Athlete Data is Exposed

In January 2020, a security researcher discovered an exposed server belonging to Front Rush, an athlete-recruiting software company offering solutions to more than 9,500 college teams at over 850 institutions across the United States. The initial report was kept low key, and it appears that the unsecured server contained over 700,000 files including medical records, performance reports, driver's licenses and other personal identifiable information of college athletes. Recently, however, Front Rush disclosed that it has started informing potentially affected individuals about the security incident that was overlooked 7 months ago. According to the data breach notification, "on or around January 5, 2020, Front Rush was informed by a security researcher that one of its Amazon Web Services S3 buckets ("the S3 bucket") was publicly accessible from the internet."

Today’s ‘mega’ data breaches now cost companies $392 million to recover from

On Wednesday, IBM released its annual Cost of a Data Breach Report which says that the average data breach now costs $3.86 million. While this average has decreased by 1.5% in comparison to 2019, when over 50 million consumer records are involved, these "mega" breaches can cost up to $392 million to remedy, up from $388 million in 2019.

Business giant Dussmann Group's data leaked after ransomware attack

The Nefilim ransomware operation has begun to publish unencrypted files stolen from a Dussmann Group subsidiary during a recent attack. The Dussmann Group is the largest multi-service provider in Germany with subsidiaries focusing on facility management, corporate childcare, nursing and care for the elderly, and business systems solutions, including HVAC, electrical work, and elevators. The company has confirmed to BleepingComputer that one of their subsidiaries, Dresdner Kühlanlagenbau GmbH (DKA), recently suffered a ransomware attack where data was stolen.

Hacker gang behind Garmin attack doesn't have a history of stealing user data

Wearables and GPS tracker maker Garmin suffered a ransomware attack last week after a hacker gang breached its internal network and encrypted the company's servers. The attack caused a five-day outage for the company, during which time, users feared that the hackers might have also stolen their personal details along with geolocation history from the Garmin's servers. However, three cyber-security firms who spoke with ZDNet this week have said that the hacker group suspected of being behind the Garmin hack is one of the rare groups who don't engage in this particular practice and has no history of stealing customer data before encrypting files. Garmin formally admitted to suffering a ransomware attack in SEC 8-K filings and a public press release.

Four suspects charged for roles in Twitter hack, Bitcoin scam

Four suspects were charged for their supposed involvement in this month's Twitter hack according to press releases from the Department of Justice and State Attorney Andrew H. Warren. 17-year-old Graham Ivan Clark from Tampa, Florida, the first suspect and the one who orchestrated the hack, was arrested and charged as an adult after an operation coordinated by the FBI, the IRS, and the Secret Service as reported by WFLA. "This defendant lives here in Tampa, he committed the crimes here, and he'll be prosecuted here," Warren added. "The State Attorney's Office is handling this prosecution rather than federal prosecutors because Florida law allows for us greater flexibility to charge a minor as an adult in a financial fraud case like this." The other three individuals indicted are 19-year-old Mason Sheppard (Chaewon) from Bognor Regis, United Kingdom, 22-year-old Nima Fazeli (Rolex) from Orlando, Florida, and an unnamed juvenile whose identity is protected by the federal court. Sheppard is facing a maximum penalty of 45 years of imprisonment after being charged with conspiracy to commit wire fraud and money laundering, and for intentionally accessing a protected computer, while Fazeli faces a maximum penalty of 5 years of imprisonment for aiding and abetting the intentional access of a protected computer. Reporting from the New York Times days after the Twitter hack suggests Clarke initially gained access to one of Twitter's internal Slack workspaces, and not to Twitter itself.

Some potential victims of PaperlessPay breach are first finding out about the breach now

As reported at the time, PaperlessPay had been contacted by Homeland Security on February 19 to alert them that someone was offering access to their clients' data for sale on the dark web. In response, PaperlessPay shut down its SQL server immediately and started investigating. They discovered that someone had gained access to their server on February 18, although they couldn't determine precisely what data might have been accessed or copied.

Blackbaud's Bizarre Ransomware Attack Notification

Breach victims employing maximum marketing spin is nothing new. But over the course of three paragraphs, the South Carolina-based vendor of marketing, fundraising and customer relationship management software attempts to set its culpability to nil, congratulates itself for having an amazing cybersecurity team and says that because it cares so much for its customers, it paid an undisclosed ransom to attackers to delete stolen data The entire first paragraph is dedicated to normalizing hacking The problems start from the beginning: "The cybercrime industry represents an over trillion-dollar industry that is ever-changing and growing all the time - a threat to all companies around the world," it begins. "Like many in our industry, Blackbaud encounters millions of attacks each month, and our expert cybersecurity team successfully defends against those attacks while constantly studying the landscape to stay ahead of this sophisticated criminal industry." (Except, of course, when it doesn't.)

Kiwibank breach ‘significant’ – Privacy Commissioner

Kiwibank is investigating how it sent 4200 customers an email or online bank statement with their own account number, name and address, but another person's transaction history. The commissioner, John Edwards, said some people will be identifiable by the statements and information sent.

Largest providers of Aged Care in Australia, Regis Aged Care Pty Ltd, allegedly breached by Maze

The Cyble Research Team identified a breach of a well-known organization based in the Victoria state of Australia -- Regis Aged Care Pty Ltd, claimed by Maze ransomware operators.

Canadian MSP discloses data breach, failed ransomware attack

Managed service provider Pivot Technology Solutions has disclosed that it was the victim of a ransomware attack that resulted in sensitive information being accessed by the hackers. The incident occurred last month and hit impacted data held by the parent company and its subsidiaries and/or former and current affiliates. Threat actors were not able to complete the attack and encrypt files on the company systems but they spent enough time on the network to access sensitive information and also steal some of it. Pivot's quick response to the June 12 incident made it possible to continue operations, said Kevin Shank, President and CEO of the company, earlier this month. An investigation of the incident conducted by a cyber forensic firm revealed on July 1 that the intruders had access to and exfiltrated "limited personal information of US employees and consultants."

More pharmacy chains report HIPAA breaches linked to looting during protests

First it was Walmart disclosing that their pharmacies in stores in California and Chicago had suffered damage and theft by looters of medications ready for pickup with patient information on labels. Then it was CVS, who notified HHS that more than 21,000 patients' information may have been compromised by looters who stole or accessed prescriptions ready for pickup. Now it's Walgreens who is notifying an as-yet-undisclosed number of patients at multiple stores across multiple states.

Hacker leaks 386 million user records from 18 companies for free

A threat actor is flooding a hacker forum with databases exposing expose over 386 million user records that they claim were stolen from eighteen companies during data breaches. Since July 21st, a seller of data breaches known as ShinyHunters has begun leaking the databases for free on a hacker forum known for selling and sharing stolen data.

Malware

Linux warning: TrickBot malware is now infecting your systems

TrickBot's Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels. TrickBot is a multi-purpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration, and malware delivery. TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network's devices as a final attack.

Malspam campaign caught using GuLoader after service relaunch

CloudEye is an Italian firm that claims to provide "the next generation of Windows executables' protection". First described by Proofpoint security researchers in March 2020, GuLoader is a downloader used by threat actors to distribute malware on a large scale. In June, CloudEye was exposed by CheckPoint as the entity behind GuLoader. Following the spotlight from several security firms and news outlets, GuLoader activity dropped in late June. But around the second week of July, we started seeing the downloader in malspam campaigns again.

Sneaky Doki Linux malware infiltrates Docker cloud instances

Attackers are targeting misconfigured cloud-based docker instances running on Linux distributions with an undetectable strand of malware. Dubbed Doki, the malware strand is part of the Ngrok Cryptominer Botnet campaign, active since at least 2018. What makes Doki particularly interesting is its dynamic behavior regarding how it connects to its command and control (C2) infrastructure. As opposed to relying on a particular domain or set of malicious IPs, Doki uses dynamic DNS services like DynDNS. Combined with a unique blockchain-based Domain Generation Algorithm (DGA), it can generate and locate the address of its C2 server in real-time and "phone home."

FBI warns of Netwalker ransomware targeting US government and orgs

The FBI has issued a security alert about Netwalker ransomware operators targeting U.S. and foreign government organizations, advising their victims not to pay the ransom and reporting incidents to their local FBI field offices. FBI's flash alert also provides indicators of compromise associated with the Netwalker ransomware (also known as Mailto) and includes a list of recommended mitigation measures. According to the FBI, the operators behind this ransomware strain began targeting U.S. and foreign government orgs starting with June 2020, after Netwalker operators successfully encrypted systems on the network of UCSF School of Medicine, the Australian transportation and logistics company Toll Group (three months later, Toll Group got hit again by Nefilim Ransomware), and Lorien Health Services earlier this month.

Android Spyware Targeting Tanzania Premier League

The Zscaler ThreatLabZ team discovered spyware targeting the ongoing Tanzania Mainland Premier League football season. The Tanzania Mainland Premier League is the top-level professional football (or soccer, as it is most commonly known here in the United States) league in Tanzania, Africa.

Analysis of WastedLocker targeted ransomware

In late July 2020, tech news sites were brimming with articles about Garmin. Various Garmin services, including device syncing with the cloud and tools for pilots, were disabled. The dearth of accurate information left everyone theorizing wildly. In its official statement, Garmin confirmed that it had been hit by a cyberattack that interrupted online services and encrypted some internal systems. The information available at the time of this writing indicates that the attackers used the WastedLocker ransomware. Kaspersky experts performed a detailed technical analysis of the malware, and here are their main findings. WastedLocker is an example of targeted ransomware --- malware tweaked to attack a specific company. The ransom message referred to the victim by name, and all encrypted files got the additional extension .garminwasted.

QNAP urges users to update Malware Remover after QSnatch alert

QNAP urges its users to update the Malware Remover app and bolster their NAS devices' security following a QSnatch malware joint alert published earlier this week by UK's NCSC and the US CISA government cybersecurity agencies. While QNAP made it a point out of asking customers to reinforce their devices' security, the Taiwanese vendor also contradicted reports mentioning an increase in the number of NAS devices infected since October 2019. "Certain media reports claiming that the affected device count has increased from 7,000 to 62,000 since October 2019 are inaccurate due to a misinterpretation of reports from different authorities," QNAP said.

Avoid these PayPal phishing emails

For the last few weeks, there's been a solid stream of fake PayPal emails in circulation, twisting FOMO (fear of missing out) into DO THIS OR BAD THINGS WILL HAPPEN. It's one of the most common tools in the scammer's arsenal, and a little pressure applied in the right way often brings results for them. Claim people are going to lose something, or incur charges, or miss out on a valuable service, and they'll come running. Below is an outline of who these emails claim to be from, what they look like, and the kind of panic-clicking that they're pushing. These are just a few examples; there are many, many others.

Emotet malware now steals your email attachments to attack contacts

The Emotet malware botnet is now also using stolen attachments to increase the authenticity of spam emails used for infecting targets' systems. This is the first time the botnet is using stolen attachments to add credibility to emails as Binary Defense threat researcher James Quinn told BleepingComputer. The attachment stealer module code --- that also steals email content and contact lists --- was added around June 13th according to Marcus 'MalwareTech' Hutchins. Based on research from the Emotet tracking group Cryptolaemus, the malware now steals 131072 byte or smaller attachments with email contents, later to be used as part of reply chains.

North Korean hackers created VHD ransomware for enterprise attacks

North Korean-backed hackers tracked as the Lazarus Group have developed and are actively using VHD ransomware against enterprise targets according to a report published by Kaspersky researchers today. The researchers found VHD ransomware samples between March and May 2020 during two investigations, being deployed over the network with the help of an SMB brute-forcing spreading tool and the MATA malware framework (also known as Dacls). "Functionally, VHD is a fairly standard ransomware tool. It creeps through the drives connected to a victim's computer, encrypts files, and deletes all System Volume Information folders (thereby sabotaging System Restore attempts in Windows)," the report reads. "What's more, it can suspend processes that could potentially protect important files from modification (such as Microsoft Exchange or SQL Server)."

Malware Reverse Engineering Handbook by NATO Ccdcoe

This handbook by CCDCOE Technology Branch researchers gives an overview of how to analyse malware executables that are targeting the Windows platform. The authors are presenting the most common techniques used in malware investigation including set up of LAB environment, network analysis, behavioural analysis, static and dynamic code analysis. The reader will become familiar with disassemblers, debuggers, sandboxes, system and network monitoring tools. Incident response and collaboration tools are also introduced.

Netflix credential phishing hides behind working CAPTCHA

A recent wave of phishing attacks aiming to steal payment card info and credentials for Netflix streaming service starts with redirecting to a functioning CAPTCHA page to bypass email security controls. The actor behind these attempts used a "failed payment" theme to engage potential victims into the redirect chain leading to the phishing page. The fraudulent emails were sent at the beginning of the month and purported to be a notification from the Netflix support service about issues with verifying the billing address and payment details. Looking at the sender's address (netfiix@csupport.co), it is clear that the attacker made an effort to make it look legitimate by trying to impersonate Netflix's customer support.

Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902

Following the initial disclosure of two F5 BIG-IP vulnerabilities on the first week of July, TrendMicro continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, we found an internet of things (IoT) Mirai botnet downloader (detected by Trend Micro as Trojan.SH.MIRAI.BOI) that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload. The samples we found also try to exploit recently disclosed and potentially unpatched vulnerabilities in commonly used devices and software. System administrators and individuals using the related devices are advised to patch their respective tools immediately.

Crime

Cracking the Uncrackable: Cybercriminals Deploy EMV-Bypass Cloning

New research by Cyber R&D Lab detailed a method of bypassing EMV technology to monetize supposedly secure cards. This method, EMV-Bypass Cloning, leverages information from one technology (EMV chips) and converts it into another less-secure technology (magstripe), which allows fraudsters to rely on their familiar cloning techniques.

China arrests over 100 people suspected of involvement in PlusToken cryptocurrency scam

China has arrested 109 individuals suspected of involvement in the PlusToken cryptocurrency fraud ring. Last year, the operators of PlusToken performed a suspected exit scam, in which roughly $3 billion in deposits was taken from up to four million users who suddenly found themselves unable to access their funds. Local media outlet Chain News now suggests this figure could be closer to $6 billion.

Here’s Why Credit Card Fraud is Still a Thing

Most of the civilized world years ago shifted to requiring computer chips in payment cards that make it far more expensive and difficult for thieves to clone and use them for fraud. One notable exception is the United States, which is still lurching toward this goal. Here's a look at the havoc that lag has wrought, as seen through the purchasing patterns at one of the underground's biggest stolen card shops that was hacked last year. In October 2019, someone hacked BriansClub, a popular stolen card bazaar that uses this author's likeness and name in its marketing. Whoever compromised the shop siphoned data on millions of card accounts that were acquired over four years through various illicit means from legitimate, hacked businesses around the globe --- but mostly from U.S. merchants. That database was leaked to KrebsOnSecurity, which in turn shared it with multiple sources that help fight payment card fraud.

GandCrab ransomware operator arrested in Belarus

An affiliate of the GandCrab ransomware-as-a-business (RaaS) has been arrested, according to an official release. Authorities were able to identify the individual in cooperation with law enforcement in Romania and the U.K. The cybercriminal's identity has not been published but Office "K" of the Ministry of Internal Affairs in Belarus says that he is a 31-years old living in Gomel, a city in southeastern Belarus.

Vulnerabilities

KDE archive tool flaw let hackers take over Linux accounts

A vulnerability exists in the default KDE extraction utility called ARK that allows attackers to overwrite files or execute code on victim's computers simply by tricking them into downloading an archive and extracting it. KDE is a desktop environment found in Linux distributions such as OpenSUSE, Kali, KUbuntu, and others that offers a graphical user interface to the operating system. Discovered by security researcher Dominik Penner of Hackers for Change, a path traversal vulnerability has been found in the default ARK archive utility that allows malicious actors to perform remote code execution by distributing malicious archives.

BootHole GRUB bootloader bug lets hackers hide malware in Linux, Windows

A severe vulnerability exists in almost all signed versions of GRUB2 bootloader used by most Linux systems. When properly exploited, it could allow threat actors to compromise an operating system's booting process even if the Secure Boot verification mechanism is active. Aptly named BootHole, the flaw permits executing arbitrary code in GRUB bootloader. An attacker could use it to plant malware known as bootkit that loads before the operating system (OS). Security researchers at firmware and hardware security firm Eclypsium found a buffer overflow (CVE-2020-10713) that in the way GRUB2 parses content from its configuration file, "grub.cfg," located externally, in the EFI System partition. Threat actors could modify "grub.cfg" because it is just a text file that typically lacks any integrity protections such as a digital signature as is the case of other components of the bootloader. Changing GRUB's configuration file allows control over the booting process. Malware added this way is highly persistent as it survives an OS reinstall.

One Byte to rule them all

Brandon Azad, from Project Zero describes a new iOS kernel exploitation technique that turns a one-byte controlled heap overflow directly into a read/write primitive for arbitrary physical addresses, all while completely sidestepping current mitigations such as KASLR, PAC, and zone~require~. By reading a special hardware register, it's possible to locate the kernel in physical memory and build a kernel read/write primitive without a fake kernel task port.

Is Your Chip Card Secure? Much Depends on Where You Bank

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards.

Multiple Tor security issues disclosed, more to come

Over the past week, a security researcher has published technical details about two vulnerabilities impacting the Tor network and the Tor browser. In blog posts last week, Dr. Neal Krawetz said he was going public with details on two alleged zero-days after the Tor Project has repeatedly failed to address multiple security issues he reported throughout the past years. The researcher also promised to reveal at least three more Tor zero-days, including one that can reveal the real-world IP address of Tor servers. The Tor Project has responded to Dr. Krawetz' two blog posts. It's a lengthy response detailing each issue, which we are reproducing in full below. In summary, the Tor Project's reply is that they are aware of the issues the researcher reported, but they differ on the threats they pose to users, claiming they can't be enforced at scale.

Zoom bug allowed attackers to crack private meeting passwords

A lack of rate limiting on repeated password attempts allowed potential attackers to crack the numeric passcode used to secure Zoom private meetings as discovered by Tom Anthony, VP Product at SearchPilot. "Zoom meetings are (were) default protected by a 6 digit numeric password, meaning 1 million maximum passwords," as Anthony discovered. The vulnerability he spotted in the Zoom web client allowed attackers to guess any meeting's password by trying all possible combinations until finding the correct one.

Cisco fixes severe flaws in data center management solution

Cisco has released several security updates to address three critical authentication bypass, buffer overflow, and authorization bypass vulnerabilities found to affect Cisco Data Center Network Manager (DCNM) and multiple Cisco SD-WAN software products. The company also issued security updates to fix another eight high and medium severity vulnerability found in to affect several other Cisco DCNM Software versions. According to Cisco's Product Security Incident Response Team (PSIRT) none of these security issues are currently exploited in the wild. The authentication bypass vulnerability tracked as CVE-2020-3382 received a CVSS base score of 9.8/10 and it was found in the REST API of Cisco DCNM.

OkCupid: Hackers want your data, not a relationship

Check Point Research disclosed a set of vulnerabilities in OkCupid that could lead to the exposure of sensitive profile data on the OkCupid app, the hijack of user accounts to perform various actions without their permission, and the theft of user authentication tokens, IDs, and email addresses. The app in question is OkCupid on Android, with version 40.3.1 on Android 6.0.1 becoming the test subject. The cybersecurity researchers reverse-engineered the mobile software and discovered "deep link" functionality, which meant that it could be possible for attackers to send custom, malicious links to open the mobile app. Reflected Cross-Site Scripting (XSS) attack vectors were also discovered due to coding issues in the app's user settings functionality, which opened up a path for the deployment of JavaScript code.

Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin

Hackers can exploit a maximum severity vulnerability in the wpDiscuz plugin installed on over 70,000 WordPress sites to execute code remotely after uploading arbitrary files on servers hosting vulnerable sites. wpDiscuz is a WordPress plugin marketed as an alternative to Disqus and Jetpack Comments that provides an Ajax real-time comment system that will store comments within a local database. The vulnerability was reported to wpDiscuz's developers by Wordfence's Threat Intelligence team on June 19 and was fully patched with the release of version 7.0.5 on July 23, after a failed attempt to fix the issue in version 7.0.4. According to Wordfence threat analyst Chloe Chamberland, the security flaw is rated as critical severity with a CVSS base score of 10/10.

Microsoft issues security update for Azure Sphere

Cisco Talos researchers recently discovered seven vulnerabilities in Microsoft's Azure Sphere, a cloud-connected SoC platform designed specifically with IoT application security in mind. The infrastructure around the Azure Sphere platform is Microsoft's Azure Sphere cloud, which takes care of secure updates, app deployment, and periodically verifying the device integrity. Internally, the SoC is made up of a set of several ARM cores that have different roles.

X.org security fixes address potential ASLR bypass, heap corruption

The X.Org project has announced two security advisories that impact Xserver and libX11. The first advisory for X server is regarding uninitialized memory in AllocatePixmap() that could lead to address space layout randomization bypass. The second, impacting libX11, is a heap corruption caused by integer overflows and signed/unsigned comparisons.

Bypassing Windows 10 UAC with mock folders and DLL hijacking

A new technique uses a simplified process of DLL hijacking and mock directories to bypass Windows 10's UAC security feature and run elevated commands without alerting a user. Windows UAC is a protection mechanism introduced in Windows Vista and above, which asks the user to confirm if they wish to run a high-risk application before it is executed.

The core of Apple is PPL: Breaking the XNU kernel's kernel

Brandon Azad from Project Zero found it might be possible to bypass Apple's Page Protection Layer (PPL) using just a physical address mapping primitive, that is, before obtaining kernel read/write or defeating PAC. Given that PPL is even more privileged than the rest of the XNU kernel, the idea of compromising PPL "before" XNU was appealing.

A critical security update for KeePassRPC is available

A new version of KeePassRPC (1.12.1) was released which resolves critical security vulnerabilities in all previous versions of the plugin. To ensure that your passwords stored within KeePass Password Safe remain secret, you must install this new version 1.4k immediately. This does not affect Kee browser extension users that store passwords only in Kee Vault Successfully exploiting either vulnerability results in an attacker gaining access to all passwords in any open KeePass databases. No obvious user interaction is required, only a visit to a malicious web site; in some cases there is no visible evidence that the vulnerability is being exploited.

Magento gets security updates for severe code execution bugs

Adobe released security updates to fix two code execution vulnerabilities affecting Magento Commerce and Magento Open Source, rated as important and critical severity. Affected software includes Magento Commerce versions 2.3.5-p1 and earlier and Magento Open Source versions 2.3.5-p1 and earlier. Merchants running vulnerable Magento versions are advised to update their installation to the latest version (2.4.0) or to upgrade to Magento Commerce 2.3.5-p2 or Magento Open Source 2.3.5-p2 as soon as possible.

Industrial VPN vulnerabilities put critical infrastructure at risk

Security researchers analyzing popular remote access solutions used for industrial control systems (ICS) found multiple vulnerabilities that could let unauthenticated attackers execute arbitrary code and breach the environment. The flaws are in virtual private network (VPN) implementations and adversaries could exploit them cause physical damage by connecting to field devices and programmable logic controllers (PLCs). After discovering and reporting a critical vulnerability (CVE-2020-14511) in Moxa EDR-G902 and EDR-G903 series routers (version 5.4 and below), Claroty Research Team found that products from Secomea and HMS Networks also had severe flaws that could be leveraged to gain full access to the internal network without authentication.

Politics

Fake Stories in Real News Sites

Fireeye is reporting that a hacking group called Ghostwriter broke into the content management systems of Eastern European news sites to plant fake stories. The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they've posted fake content on everything from social media to pro-Russian news websites.

EU sanctions Russian espionage unit, Chinese and North Korean firms

The Council of the European Union announced sanctions imposed on a Russian military espionage unit, as well as on front companies for Chinese and North Korean threat groups involved in cyber-attacks targeting the EU and its member states. EU's sanctions include asset freezes and travel bans, and forbid EU organizations and individuals from transferring to sanctioned people and entities. "The Council today decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks," a press release reads. "These include the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) and those publicly known as 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper'."

US defense contractors targeted by North Korean phishing attacks

Employees of U.S. defense and aerospace contractors were targeted in a large scale spear-phishing campaign between early April and mid-June 2020 in a series of phishing attacks designed to infect their devices and to exfiltrate defense tech intelligence. Throughout this series of attacks dubbed 'Operation North Star' by McAfee Advanced Threat Research (ATR) researchers who spotted it, the spear-phishing emails were camouflaged as fake job offers from high-profile defense contractors, a tactic used by other similar campaigns targeting the same industries in 2017 and 2019. McAfee linked these attacks to the Hidden Cobra, the threat group behind the previous military cyber-espionage phishing campaigns, based on similarities found in implant execution code and core functionality.

India Is Reportedly Looking To Ban 275 More Chinese Apps -- Including PUBG, Zili and AliExpress

India has drawn up a list of 275 Chinese apps that it will examine for any violation of national security and user privacy, signaling heightened scrutiny and the possibility of more Chinese internet companies being banned in the country, according to people aware of the developments. This follows the high-profile ban of 59 Chinese apps last month, including short video app TikTok, amid simmering geopolitical tensions between the two Asian giants.

Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations

From early May 2020, The Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations that were targeted by RedDelta, a Chinese-state sponsored threat activity group tracked by Insikt Group. This series of suspected network intrusions also targeted the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME), Italy. These organizations have not been publicly reported as targets of Chinese threat activity groups prior to this campaign. These network intrusions occured ahead of the anticipated September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, a deal which reportedly resulted in the Chinese Communist Party (CCP) gaining more control and oversight over the country's historically persecuted "underground" Catholic community. In addition to the Holy See itself, another likely target of the campaign includes the current head of the Hong Kong Study Mission to China, whose predecessor was considered to have played a vital role in the 2018 agreement.

US to ban TikTok through executive action as soon as Saturday

President Donald Trump on Friday told reporters he will act as soon as Saturday to ban Chinese-owned video app TikTok from the United States. Trump did not specify whether he will act through an executive order, or another method such as a designation, according to NBC News. Trump's comments come as it was reported Friday that Microsoft has held talks to buy the TikTok video-sharing mobile app from Chinese owner ByteDance.

ECJ rules US Cloud services fundamentally incompatible with EU Privacy laws

The US "culture of surveillance" received a major EU push back, with the European Court of Justice ruling against the legitimacy of the EU's Standard Contractual Clauses as a way of transferring data to legal regimes outside of the Union. The Austrian Max Schrems, responsible for the previous dismissal of the 'Safe Harbour' agreement between the US and EU, stated that its successor "Privacy Shield goes down as soon as EU Courts deliberate".

Privacy

Jeff Bezos can’t promise Amazon employees don’t access independent seller data

During Wednesday's antitrust hearing, Amazon and its CEO Jeff Bezos came under fire by lawmakers over the company's alleged use of third-party seller data in developing its own products. Earlier this year, The Wall Street Journal reported that Amazon employees have accessed sales data from independent sellers on its marketplace to help the company develop competing products for its private-label. Amazon has a policy barring the practice, but lawmakers like Rep. Pramila Jayapal (D-WA) focused in on the company's enforcement of that policy.

Fingerprinting for ID cards – what can be done? #NoFingerprintIDs

As of August 2, 2021, voluntary fingerprinting will become compulsory: Against criticism from data protection and fundamental rights organisations, EU governments and a narrow majority in the EU Parliament adopted a regulation to strengthen the security of ID cards and residence documents in 2019. A German transposition law is already being drafted. Starting August 2, 2021, this law will force people to groundlessly submit a print of their left and right index finger upon application. This means that millions of law-abiding citizens are being treated like suspected criminals.

Covid-19 patients’ privacy breach ‘not justified or reasonable’, inquiry finds

There was no justification for MP Hamish Walker and political operative Michelle Boag to leak confidential Covid-19 patient details, the inquiry into the privacy breach. The report also warned of concern at the "routine dissemination" of personal details by the Ministry of Health. Names, addresses, ages and hotel names of people who tested positive for Covid-19 were leaked to some media outlets in early July by Mr Walker, a National MP who had been sent the details by Ms Boag, former National Party president and then-acting chief executive of Auckland Rescue Helicopter Trust.

Amazon says police demands for customer data have gone up

Amazon has said the number of demands for user data made by U.S. federal and local law enforcement have increased more during the first half of 2020 than during the same period a year earlier. The disclosure came in the company's latest transparency report, published Thursday.

Google CEO says tech giant deletes this information used by police

Google now sets a time limit on data used by police for tracking suspects, the CEO said at Wednesday's congressional hearing with tech giants. The data is used for a so-called "geofence warrant," which taps into a massive Google database that tracks where you go anonymously. It's part and parcel of a trend by tech companies to track where you go, what you eat, and what you buy, among a host of other tracking information.

How Cops Can Secretly Track Your Phone

Since May, as protesters around the country have marched against police brutality and in support of the Black Lives Matter movement, activists have spotted a recurring presence in the skies: mysterious planes and helicopters hovering overhead, apparently conducting surveillance on protesters. A press release from the Justice Department at the end of May revealed that the Drug Enforcement Agency and U.S. Marshals Service were asked by the Justice Department to provide unspecified support to law enforcement during protests. A few days later, a memo obtained by BuzzFeed News offered a little more insight on the matter; it revealed that shortly after protests began in various cities, the DEA had sought special authority from the Justice Department to covertly spy on Black Lives Matter protesters on behalf of law enforcement.

Rite Aid deployed facial recognition systems in hundreds of U.S. stores

Over about eight years, the American drugstore chain Rite Aid Corp quietly added facial recognition systems to 200 stores across the United States, in one of the largest rollouts of such technology among retailers in the country, a Reuters investigation found. In the hearts of New York and metro Los Angeles, Rite Aid deployed the technology in largely lower-income, non-white neighborhoods, according to a Reuters analysis. And for more than a year, the retailer used state-of-the-art facial recognition technology from a company with links to China and its authoritarian government. In telephone and email exchanges with Reuters since February, Rite Aid confirmed the existence and breadth of its facial recognition program. The retailer defended the technology's use, saying it had nothing to do with race and was intended to deter theft and protect staff and customers from violence. Reuters found no evidence that Rite Aid's data was sent to China.

Face masks are breaking facial recognition algorithms, says new government study

Face masks are one of the best defenses against the spread of COVID-19, but their growing adoption is having a second, unintended effect: breaking facial recognition algorithms. Wearing face masks that adequately cover the mouth and nose causes the error rate of some of the most widely used facial recognition algorithms to spike to between 5 percent and 50 percent, a study by the US National Institute of Standards and Technology (NIST) has found. Black masks were more likely to cause errors than blue masks, and the more of the nose covered by the mask, the harder the algorithms found it to identify the face.

Misc

Microsoft now detects CCleaner as a Potentially Unwanted Application

Microsoft is now detecting the popular CCleaner Windows optimization and Registry cleaner program as a potentially unwanted application (PUA) in Microsoft Defender. CCleaner is a junk file remover, Registry cleaner, and general Windows performance optimization utility developed by Piriform. In 2017, Avast purchased Piriform, and there has been some concern among its users about the bundling of Avast products and promotions. In a new threat entry to the Microsoft Security Intelligence site, Microsoft is now classifying CCleaner as a PUA:Win32/CCleaner threat. This page does not provide any information as to why Microsoft is now classifying CCleaner as a PUP/PUA, but Microsoft has stated that they do not support Registry cleaners and that they should not be used.

You don’t need SMS-2FA

Tavis Ormandy has written an article advocating against using SMS 2FA, claiming it doesn't help prevent phishing attacks.

Microsoft to remove all SHA-1 Windows downloads next week

Microsoft announced this week plans to remove all Windows-related file downloads from the Microsoft Download Center that are cryptographically signed with the Secure Hash Algorithm 1 (SHA-1). The files will be removed next Monday, on August 3, the company said on Tuesday. The OS maker cited the security of the SHA-1 algorithm for the move.

New tool detects shadow admin accounts in AWS and Azure environments

Cyber-security firm CyberArk has released a new free tool that can detect "shadow administrator accounts" inside cloud environments like Amazon Web Services (AWS) and Microsoft Azure. The new tool, named SkyArk, comes with two components, namely AWStealth and AzureStealth, each for scanning a company's respective AWS and Azure environments. Both components work by analyzing a company's entire list of AWS or Azure accounts and the permissions assigned to each user, looking for so-called "shadow admins."

The IRS asks tax professionals to enable multi-factor authentication

The U.S. Internal Revenue Service is asking tax professionals to enable additional forms of authentication in software that provides the option as an improved defense against hacker takeover attempts. The agency specifically refers to multi-factor authentication (MFA), which requires at least two supplementary data points besides the username/password combination to check the identity of a user.

International cyber law: interactive toolkit

The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilized in a number of different ways.

US government sites abused to redirect users to porn sites

In an ongoing blackhat SEO campaign tracked by BleepingComputer, scammers are using open redirects found on government websites to redirect visitors to pornography sites. An open redirect is an URL that anyone can use to redirect a visitor to a website of their choosing. Blackhat SEO scammers use these open redirects to get listings in search engines, such as Google, that show the page's title being redirected to but are listed as if it is located on the government site. For about two weeks, scammers have been injecting government open redirect links into search engines as shown in the heavily redacted image below.

A Legal Deep Dive on Mexico’s Disastrous New Copyright Law

Mexico has just adopted a terrible new copyright law, thanks to pressure from the United States (and specifically from the copyright maximalists that hold outsized influence on US foreign policy). This law closely resembles the Digital Millennium Copyright Act enacted in the US 1998, with a few differences that make it much, much worse.

Zimbabwe internet disruption limits coverage of planned protests

Network data from the NetBlocks internet observatory confirm that internet access has been disrupted in Zimbabwe on Friday 31 July 2020 for a second consecutive day, following a lesser disruption on Thursday. The incident has been widely described by users as a slowdown or 'throttling' of connectivity speeds on state-owned network TelOne. Authorities have yet to present a court order or basis for the incident at the time of writing.

IBM completes successful field trials on Fully Homomorphic Encryption

IBM has completed two field trials of FHE with real data in the financial industry --- one with a large American bank, and one with a large European bank. IBM This diagram of the FHE trial with a large American bank demonstrates using machine-learning models against financial data to determine likelihood of a loan being issued.

Survey of Supply Chain Attacks

The Atlantic Council has a released a report that looks at the history of computer supply chain attacks. Recommendations included in the report. The entirely open and freely available dataset is here.

DMARC: How Phishing Rings Can Use Your Email Authentication Controls Against You

In the first reported case of its kind, a phishing ring in Eastern Europe is exploiting companies' own Domain-based Message Authentication, Reporting and Conformance (DMARC) controls to impersonate CEOs in business email compromise (BEC) scams worth millions. A group called Cosmic Lynx, the Agari Cyber Intelligence Division (ACID) has identified the first known Russian cybercrime group to conduct BEC attacks. During its investigation, the ACID team documented more than 200 Cosmic Lynx BEC scams targeting large, multinational companies in 46 countries just within the last 12 months.