Threats Without Borders - Issue 206
Cybercrime Investigation Newsletter, week ending October 27, 2024
I often hear investigators talk about the Internet and the World Wide Web, or “the Web”, as if they’re the same thing. That doesn’t work, because they are two different entities!
The Internet is the extensive physical network that connects millions of computers, devices, and servers worldwide. Think of it as the infrastructure that enables communication between devices, whether they’re on opposite sides of the world or right next to each other. It’s made up of physical components like cables, routers, and satellites, and it uses standardized protocols like TCP/IP (Transmission Control Protocol/Internet Protocol) to allow these devices to send and receive data.
The World Wide Web, often referred to as the Web, is a method of accessing information online. It organizes content through web pages and hyperlinks. Each web page, or resource, features a distinct URL (Uniform Resource Locator).
The Internet is the “highway” that data travels on, while the Web is a library of interconnected documents and resources that are stored on the Internet’s infrastructure.
You use the Internet to access the Web.
Conflating the two can quickly undermine your credibility in court, especially if the opposing attorney is knowledgeable about technology investigations.
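To make the distinction concrete, here is an added example (not part of the newsletter) that separates the two layers in code: it starts a throwaway web server on the local machine (a constructed stand-in for "a document on the Web"), then fetches a URL by opening a plain TCP/IP socket (the Internet layer) and writing an HTTP request by hand (the Web layer) rather than using a web client library. The server, its two pages and the addresses are all constructed for the example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed stand-in for "documents on the Web": two pages joined by a hyperlink.
PAGES = {
    "/": b"<html><body><a href='/about'>About</a></body></html>",
    "/about": b"<html><body>About page</body></html>",
}


class Handler(BaseHTTPRequestHandler):
    """Minimal web server: answers HTTP GET for the constructed pages."""

    def do_GET(self):
        body = PAGES.get(self.path)
        if body is None:
            self.send_response(404)       # resource (URL) does not exist
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):         # keep the example quiet
        pass


def start_server():
    """Bind the local server to any free port on 127.0.0.1 and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url):
    """Fetch a URL using only a raw TCP socket plus a hand-written HTTP request.

    Web layer:      the URL names a host, a port and a resource path.
    Internet layer: TCP/IP carries bytes between this host and that one.
    Returns (HTTP status code, response body).
    """
    parts = urlparse(url)                              # Web layer: URL -> host/port/path
    host, port = parts.hostname, parts.port or 80
    path = parts.path or "/"
    with socket.create_connection((host, port), timeout=5) as s:   # Internet layer
        request = (f"GET {path} HTTP/1.1\r\n"
                   f"Host: {host}\r\n"
                   "Connection: close\r\n\r\n").encode()
        s.sendall(request)                             # HTTP text riding on TCP
        raw = b""
        while True:                                    # read until the server closes
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ")[1])                  # "HTTP/1.0 200 OK" -> 200
    return status, body


def demo():
    """Run the whole exchange locally; returns (status of '/', status of a missing page,
    whether the front page links to '/about')."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        ok = fetch(f"http://127.0.0.1:{port}/")
        missing = fetch(f"http://127.0.0.1:{port}/nope")
    finally:
        srv.shutdown()
        srv.server_close()
    return ok[0], missing[0], b"/about" in ok[1]


if __name__ == "__main__":
    print(demo())
```

The socket call is the Internet: it would work the same way for any protocol (mail, DNS, a game). Everything inside the `request` string and the `PAGES` table is the Web: URLs, HTTP, and a hyperlink from one document to another. Swap the HTTP text for something else and the connection still works; take away the network and no URL can be reached.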
The News…
Kudos to the Virginia State Police for creating a “Financial Crime Special Agent Development Program”. The 18-month program will include college-level classes and courses from the National White Collar Crime Center. Hopefully, subscribing to the Threats Without Borders newsletter is a requirement for graduation! https://www.wric.com/news/virginia-news/vsp-financial-crimes-program/
The watchers get checked. The Securities and Exchange Commission (SEC) has accused four cybersecurity-related public companies of making deceptive disclosures regarding cybersecurity threats and breaches related to the SolarWinds Orion breach. The companies charged include Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited. The SEC's investigation focused on companies that may have been affected by the SolarWinds Orion software compromise. It discovered that these companies downplayed their cybersecurity incidents in public announcements, even though they were aware that the attacker behind the SolarWinds Orion breach had infiltrated their systems. https://www.sec.gov/newsroom/press-releases/2024-174
This piece is technical, but it thoroughly reviews the IPv4-to-IPv6 transition and why the process is so far behind schedule. https://blog.apnic.net/2024/10/22/the-ipv6-transition/
I was aiming for something cheeky here, but I'll cut to the cheese: fraudsters have made off with 22 TONS of artisan cheddar! Yes, these assholes will even steal cheese! https://www.bbc.com/news/articles/cje03dq2pyyo
The United States Postal Service is offering a $150,000 reward to anyone who can identify the person who robbed one of their letter carriers at gunpoint. https://www.cbs12.com/news/local/usps-offers-15000-reward-after-armed-robber-of-letter-carrier-postal-service-lake-worth-beach-via-vermilya-road-lantana-airport-friday-october-25-2025
Ah, can someone tell them Macs don’t get malware? Please. Researchers at SentinelOne have discovered a new macOS malware, 'macOS.NotLockBit,' which, unlike previous attempts, has credible file locking and data exfiltration capabilities, mimicking LockBit ransomware. Written in Go and distributed as an x86_64 binary, it gathers system information and uses an embedded public key for asymmetric encryption, rendering decryption impossible without the attacker's private key. The malware attempts to exfiltrate user data to a remote server using AWS S3 cloud storage. https://www.sentinelone.com/blog/macos-notlockbit-evolving-ransomware-samples-suggest-a-threat-actor-sharpening-its-tools/
Anti-Ransomware solutions company Halcyon has released its Q3 ransomware report, which is essential reading for those involved in threat intelligence. (Actual report link) https://20688644.fs1.hubspotusercontent-na1.net/hubfs/20688644/Website%20Collateral%20-%20Static/Halcyon%20Ransomware%20Malicious%20Quartile%20Q3-2024.pdf
A federal grand jury has indicted a Buffalo (NY) Police Detective for purchasing stolen account credentials from an illicit online marketplace called Genesis Market. The indictment alleges he used the stolen credentials for fraudulent activities and then lied to the FBI about his involvement. Unfortunately, he’ll probably get more time for lying to a federal agent than for fraud. https://www.justice.gov/usao-wdny/pr/federal-grand-jury-indicts-buffalo-police-detective-purchases-made-illicit-online
The country of Lebanon is added to the Financial Crime Watchlist. https://www.reuters.com/world/middle-east/lebanon-grey-listed-by-financial-watchdog-fatf-two-sources-say-2024-10-25/
What year is it?
The Cybersecurity & Infrastructure Security Agency (CISA) has introduced new security measures to safeguard sensitive personal data and government-related information against cybercriminal threats. This initiative aligns with Executive Order 14117, signed by President Biden earlier this year, which seeks to mitigate significant data security vulnerabilities that pose or heighten national security risks. The proposed requirements include:
Maintain and update a monthly asset inventory, including IP and hardware MAC addresses.
Remediate known exploited vulnerabilities within 14 days.
Remediate critical vulnerabilities (of unknown exploitation status) within 15 days and high-severity flaws within 30 days.
Maintain an accurate network topology to facilitate incident identification and response.
Enforce multi-factor authentication (MFA) on all critical systems, require passwords at least 16 characters long, and revoke access to any individual immediately after employment termination or a change of role in the organization.
Prevent unauthorized hardware, such as USB devices, from being connected to covered systems.
Collect logs on access and security-related events (IDS/IPS, firewall, data loss prevention, VPN, login events).
Isn’t it a shame that we’re still considering these actions as “proposed”!
Reader Mail
“What’s up with your contempt for cybersecurity awareness month?” - Christine
While in law enforcement, I shuddered at the concept of "Law Enforcement Appreciation Month" or "National Police Officers Day," or any other honorary celebration of the job. I recognize the sentiment behind the effort, but how about appreciating law enforcement all year, not just one out of twelve months? Maybe "Love a Cop" every day, not just once a year.
And let’s consider cybersecurity every month. Better yet, every day! Imagine if security best practices and cybersecurity awareness were in the front of our minds every time we engaged with technology, not just in October?
Of course, then we wouldn’t get a special-event line item in the budget or as much corporate press time.
Cool Tool
Don’t sleep on the “About this image” functionality of Google Images. The tool lets you quickly know when the image and similar images were indexed by Google, where it may have first appeared, and where else it’s been seen online. https://blog.google/products/search/about-this-image-google-search/
Cool Job
Technical Support Manager, Financial Crimes Platform - Jack Henry. https://careers.jackhenry.com/job/united-states/technical-support-manager-financial-crimes-platform/42859/70692535168
Irrelevant
The Gish gallop, also known as an argument by verbosity or shotgun argumentation, occurs when someone overwhelms their opponent with as many arguments as possible, with no regard for their accuracy, validity, or relevance. https://effectiviology.com/gish-gallop/
Late Breaking News
International law enforcement agencies have disrupted the operations of two prolific infostealers, Redline and Meta. The Dutch National Police, leading the operation, gained full access to the servers used by these infostealers, effectively shutting down their operations. https://techcrunch.com/2024/10/28/police-operation-claims-takedown-of-prolific-redline-and-meta-password-stealers/
Sign Off
I’m so glad to have you back for another issue, and a warm welcome to our new subscribers! Every time I see a notification for a new subscriber, it brings a smile to my face. Thank you for taking a few minutes out of your week to spend with me!
Matt
“DON’T WORRY ABOUT BEING QUALIFIED. EVERYONE IS LEARNING AS THEY GO”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.