Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Powerful Infostealer for Rent
Since late July, a Russian-speaking malware developer has been offering an extremely sophisticated infostealer, called Erbium, on a dark web forum. The author claims that it is the best on the market, having taken several months to develop, and this is perhaps reflected in the fact that the asking price for one year of the service has gone from $150 to $1,000, including technical support and updates (still considerably less than any comparable infostealer).
Erbium has a vast range of capabilities, from system info enumeration to the ability to collect user credentials from web browsers, chat and email programs. It can also capture cryptocurrency wallet information (including login credentials and stored funds) and can collect multi-factor authentication information as well as the content of password safe programs.
The malware uses extensive anti-forensic techniques to evade detection, being polymorphic and also using XOR encryption to obfuscate the ErbiumStealer.dll second stage, which it downloads from a C2 server. Its control panel communicates over a Telegram channel. Erbium has now been observed and analyzed by both Cluster25 and Cyfirma.
Cluster25 Threat Intel Team, Erbium InfoStealer Enters the Scene: Characteristics and Origins, blog post, 15 September 2022. Available online at https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer.
Uncredited, Erbium Stealer Malware Report, technical report, 25 September 2022. Available online at https://www.cyfirma.com/outofband/erbium-stealer-malware-report/.
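The XOR obfuscation of the downloaded second stage is a detail worth turning into a triage check. The following is an added example, not code from Erbium or from either vendor report: it applies a known-plaintext test to a captured blob, recovering a single-byte XOR key from the "MZ" signature every Windows PE file starts with and confirming the result by looking for the DOS-stub string. The sample blob is constructed here; the page does not state what key length or scheme Erbium actually uses, so single-byte XOR is an assumption made for illustration.

```python
from typing import Optional

# Constructed sample: the first bytes of a PE-like file (DOS header plus stub
# message). This is NOT the real ErbiumStealer.dll, just a plausible header.
SAMPLE_PE_HEAD = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 44                      # remainder of the DOS header (mostly zero)
    + b"\x80\x00\x00\x00"               # e_lfanew: offset of the PE header
    + b"This program cannot be run in DOS mode.\r\n$"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Known-plaintext attack on the PE signature.

    A PE file begins with 'M' (0x4D) 'Z' (0x5A). If the blob is the file
    XORed with one byte k, then blob[0] ^ 0x4D must equal k, and that same
    k must map blob[1] back to 0x5A. Otherwise this is not single-byte XOR
    of a PE (or not a PE at all).
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ 0x4D
    return key if (blob[1] ^ key) == 0x5A else None


def looks_like_pe(data: bytes) -> bool:
    """Second, independent check so a chance 'MZ' hit is not reported."""
    return data[:2] == b"MZ" and b"This program cannot be run in DOS mode" in data


def scan_blob(blob: bytes) -> Optional[int]:
    """Return the recovered key if blob decodes to a PE, else None."""
    key = recover_single_byte_key(blob)
    if key is None:
        return None
    decoded = xor_bytes(blob, bytes([key]))
    return key if looks_like_pe(decoded) else None


if __name__ == "__main__":
    # Simulate a captured, obfuscated download with a constructed key.
    captured = xor_bytes(SAMPLE_PE_HEAD, b"\x5c")
    result = scan_blob(captured)
    if result is None:
        print("no single-byte XOR-encoded PE detected")
    else:
        print(f"XOR-encoded PE detected, key 0x{result:02x}")
```

The check is cheap enough to run over every blob a proxy or sandbox extracts from a suspicious download, and the two-stage confirmation (signature plus stub string) keeps false positives from a random byte pair that happens to XOR to "MZ". Longer keys need the analogous trick applied to the long zero runs inside the DOS header, which this example does not attempt.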
Europol Hackathon Targets Human Trafficking Networks
A hackathon hosted by the Dutch Police Academy in Apeldoorn on behalf of Europol on 6 September brought together 85 experts from 20 countries to focus on combating criminal networks that use social media, the public web and the dark web to conduct human trafficking for sexual or labour exploitation. It is relatively easy to identify trafficking of drugs or weapons online, but the indicators of online activity in human trafficking are more subtle and challenging, so the investigators gathered criminal intelligence to determine these indicators and, in particular, to target human traffickers attempting to lure Ukrainian refugees.
The traffickers will attempt to hijack social media platforms, online dating apps, advertising and aid platforms, messaging apps, forums and private groups in order to lure their victims while evading detection by law enforcement. The hackathon was a success:
- 114 online platforms monitored in total, of which 30 were related to vulnerable Ukrainian refugees;
- 53 online platforms suspected of links to human trafficking checked, of which 10 were related to vulnerable Ukrainian refugees;
- Five online platforms linked to human trafficking checked, of which four were related to child sexual exploitation on the dark web;
- 11 suspected human traffickers identified, 5 of whom were linked to trafficking of human beings, and specifically to vulnerable Ukrainian citizens;
- 45 possible victims identified, 25 of whom were of Ukrainian nationality;
- 20 platforms with possible links to trafficking of human beings identified for further investigation and monitoring;
- 80 persons/user names checked, out of which 30 were related to possible exploitation of vulnerable Ukrainian citizens.
This is a useful reminder that our work in the online world often has deeper consequences for victims in the real world.
Belanger, Ashley, Hackathon finds dozens of Ukrainian refugees trafficked online, Ars Technica, 23 September 2022. Available online at https://arstechnica.com/tech-policy/2022/09/hackathon-finds-dozens-of-ukrainian-refugees-trafficked-online/.
Damned If You Do, Damned If You Don't
Illustrating the particularly nasty nature of ransomware extortions, the hackers who compromised systems at the Centre Hospitalier Sud Francilien hospital in Corbeil-Essonnes near Paris have now responded to the authorities' refusal to pay a ransom demand by leaking patient information online.
The hospital was hit one weekend in August, with all its major systems disabled by LockBit ransomware, requiring patients to be sent elsewhere and major surgeries to be postponed. The attackers demanded payment of US$10 million to unlock the data, and threatened to release all the information they had exfiltrated - which they have now done.
The data includes the French equivalent of social security numbers as well as examination reports, test results and more, and could affect not only patients but also doctors, staff and employees of partners such as laboratories.
Stahie, Silviu, Hackers Release Stolen Data after French Hospital Refuses to Pay Decryption Ransom, Bitdefender HotForSecurity blog, 27 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/hackers-release-stolen-data-after-french-hospital-refuses-to-pay-decryption-ransom/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.