Just a few years ago, illicit services and online contraband were firmly sourced in the hidden, largely untraceable depths of the internet: the dark web. People frequenting dark web sites knew how to take advantage of the anonymity offered, and often managed to evade law enforcement. However, fast forward a couple of years and this model is changing. We are now seeing illegal products and services brazenly advertised on popular social media, where criminal markets are open to the masses, often leaving the police with little to do but watch. When I previously researched online crime with the police, selling drugs on the dark web was big business. Marketplaces like Silk Road and AlphaBay were havens for potential buyers to compare and purchase whatever they had their eye on. Protected by a cloak of anonymity, a setup that allowed money to travel via escrow, and even a review system for the products offered, these dark web sites were the obvious choice for miscreants to lay low.
The Central Intelligence Agency has a secret data collection program that includes some information about Americans, according to two U.S. Senators with knowledge of the program. The nature of the collection, how it is conducted, and the extent to which it has occurred isn’t at all clear, though the senators have characterized the program as involving “bulk collection” and claim that the CIA spent years hiding it from the public and Congress. The congressmen in question, Sens. Ron Wyden (D-Oregon) and Martin Heinrich (D-New Mexico), both became privy to the program via their seats on the Senate Intelligence Committee. They previously urged top spy officials to declassify details of the secret program, which was originally authorized via Executive Order 12333, a broad legal mandate for intelligence powers that was originally signed by President Ronald Reagan in 1981.
The lead U.S. cyber defense agency released a broad national warning Friday night that Russia’s potential invasion of Ukraine could spill into hacks against American computer networks. The “Shields Up” advisory, issued by the Cybersecurity and Infrastructure Security Agency, said it was not responding to any specific threats, but acting as a general precaution that conflict with Russia could lead to cyberattacks. “While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for Russia to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine,” it reads.
The San Francisco 49ers NFL team has fallen victim to a ransomware attack that encrypted files on its corporate IT network, a spokesperson for the team has told The Record. The team confirmed the attack earlier today after the operators of the BlackByte ransomware listed the team as one of their victims on Saturday on a dark web “leak site” the group typically uses to shame victims and force them into paying their extortion demands. “Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident,” the team told us earlier today. “While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” it added.
Microsoft is enabling a Microsoft Defender ‘Attack Surface Reduction’ security rule by default to block hackers’ attempts to steal Windows credentials from the LSASS process. When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits. One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows. This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer that can be brute-forced for clear-text passwords or used in Pass-the-Hash attacks to login into other devices. A demonstration of how threat actors can use the popular Mimikatz program to dump NTLM hashes from LSASS is shown below.
Twitter is transitioning away from from its two-factor authentication (2FA) provider, Mitto AG, a Swiss communications company. The social media giant broke the news to US Senator Ron Wyden of Oregon. It is noted that Twitter’s decision to move away from Mitto AG came after allegations that its co-founder and Chief Operating Officer, Ilja Gorelik, sold access to Mitto’s networks to surveillance technology firms. Talking to Bloomberg, an aide close to Wyden said that Twitter cited media reports as a significant factor for its decision. In December, Bloomberg reported that Gorelik had sold access to Mitto’s networks between 2017 and 2018. The companies that bought the access reportedly used it to help governments conduct secret surveillance against users through their phones. Mitto AG is a top provider in its industry and boasts a roster of big-named clients like Alibaba, Google, LinkedIn, Telegram, Tencent, TikTok, and WhatsApp. Representatives of the company have told its clients that Gorelik departed the company after these allegations arose. It isn’t clear if Gorelik left of his own accord or was pressured.