The Council of Europe’s Cybercrime Convention Committee (T-CY) has adopted a guidance note (GN) on ransomware, which outlines how the Budapest Convention and its Second Additional Protocol could be used to criminalise, investigate, and prosecute ransomware-related offences. The GN follows statements from the Convention’s Parties and Observers regarding the surge of major ransomware attacks in recent months.
Cybercrime
Belgian police faced with major data leak
The RagnarLocker ransomware has been linked to an incident in which a ransomware organisation began leaking highly sensitive data stolen from a Belgian police force in Antwerp, in what is being characterised as one of the country’s largest breaches.
‘This is a case of human error, and this is how crime reports and fine notices, but also photographs of child abuse have been leaked’, stated Chief Commissioner of Police Zwijndrecht, Marc Snels.
The number of citizens affected by the breach is unknown, but they include victims, perpetrators, witnesses, and those under surveillance, with potentially serious implications if their identities are revealed.
Spoofing services website causing worldwide loss has been taken down
In an internationally coordinated action led by the UK and supported by Europol and Eurojust, 142 suspects have been arrested for allegedly running a website that offered spoofing services. These services allowed cybercriminals to impersonate trusted corporations such as banks, retail companies, and government institutions and then access sensitive information. Evidence shows that the estimated worldwide loss has been more than EUR 115 million. National authorities from the EU, Australia, and Canada supported the investigation. At the same time, Europol’s European Cybercrime Centre (EC3) provided a secure platform and was thus able to identify additional users of spoofing services.
Killnet hits EU Parliament website with DDoS attack
The European Parliament website has been taken down by a DDoS attack claimed by Anonymous Russia, a member of the pro-Russian hacktivist group Killnet.
The President of the European Parliament confirmed the event, saying that the Parliament’s ‘IT experts are pushing back against it and protecting our systems’.
The attack occurred after the European Parliament designated Russia a state sponsor of terrorism and members advocated that Russia be more isolated internationally.
Study conducted in Australia shows strong links between data breaches and cybercrime victimisation
An extensive survey conducted in Australia in 2021 revealed that one in ten respondents had been notified of a data breach within the previous twelve months, with roughly 28% of those respondents reporting that they had been a victim of identity theft. Data breaches were mainly due to data custodians being targeted by malicious actors, or to information held by these custodians being released due to human error. Significant relationships were also discovered between data breaches and online scams and fraud, and ransomware.
Singapore-based Group-IB identified 34 Russian cybercrime groups
The Singapore-based research team, Group-IB, has identified 34 Russian cybercrime groups responsible for distributing info-stealing malware under the stealer-as-a-service model. The cybercriminals use this type of malware to target users of Steam, Roblox, and Amazon in 111 countries, obtaining user credentials stored in browsers, bank card details, and crypto wallet information from infected computers and selling them on the dark web. Group-IB estimates that more than 890,000 devices in 111 countries in the first seven months of 2022 have been infected. The five most attacked countries are the USA, Brazil, India, Germany, and Indonesia, while the estimated value of stolen credentials is around $5.8 million.
Australian Children’s charity falls victim to cyberattack
Australian children’s charity The Smith Family suffered a cyberattack, with hackers stealing confidential information about donors including their credit card details. While no evidence points to misuse of donor information as yet, similar breaches in recent times have proven early indications to be unreliable. Supporters have been told not to click on unknown links and to check with the Australian Cyber Security Centre (ACSC) for further advice. The incident has been reported to both the ACSC and the Office of the Australian Information Commissioner.
Australia to consolidate approach to cyber defence in light of a wave of ransomware attacks
According to Clare O’Neil, Australian Home Affairs Minister, the country will adopt a more muscular approach to cyber defence in response to a wave of ransomware attacks against Australian firms. Measures will include ‘hacking the hackers’ as part of the country’s offensive cyber capability (OCC), and the general use of strategic ambiguity to strike at cybercriminals while crafting responses to attacks on government and business, especially those demanding a ransom. The government is reportedly considering outlawing the payment of ransoms to disrupt the cybercriminals’ business model.
CISA and FBI issue joint advisory on Iranian government-sponsored APT actors compromising federal network
In the USA, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigations (FBI) have issued a cybersecurity advisory regarding an incident at a Federal Civilian Executive Branch (FCEB). Having assessed that the FCEB network was compromised by Iranian government-sponsored advanced persistent threat (APT) actors, the two entities provided details on the actors’ tactics, techniques, and procedures. One of the findings was that the cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. As such, organisations with affected VMware systems that did not immediately apply available patches or workarounds were advised toto assume compromise and initiate threat-hunting activities.
DTrack activity detected in countries in Europe and Latin America
Kaspersky, a cybersecurity company, has detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the USA. The Lazarus group uses DTrack as a backdoor against a wide range of targets, allowing attackers to upload, download, launch, or delete files on the victim host. Education, chemical manufacturing, government research centres and policy institutes, IT service providers, power providers, and telecommunications are among the targeted industries.