Risky Biz News: Russia orders Google to remove Tor Browser from Russian Play Store

In other news: Ukrainian ISP accused of hijacking Russian traffic, Portland falls to BEC scam, and Mirror Protocol gets hacked.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Roskomnadzor, Russia's telecommunications watchdog, has ordered Google to remove the Tor Browser Android app from the Russian version of the Play Store, the agency said in a message posted on its official Telegram channel on Tuesday.

The agency said that the Tor Browser allows users to access the Tor network, which it had previously ruled contains "content prohibited in Russia."

Yesterday's decision comes after Roskomnadzor previously ordered Russian internet service providers (ISPs) to block access to the Tor network and its official website in December 2021.

While the Tor Project is currently fighting last year's ruling in a Moscow court, arguing that the ban was issued without giving Tor representatives an opportunity to participate and hence broke Russian law, the writing is already on the wall.

Coupled with another December 2021 decision to block access to half-a-dozen popular VPN services and with recent rumors that ISPs are testing blocks of several VPN protocols at the lowest level, it is very apparent that Roskomnadzor is on a crusade to limit Russians' access to censorship-evading tools.

Unless you've been living under a rock for the past three months, Roskomnadzor's actions are driven by the Russian state's need to control its online space and what information Russians can access online during its illegal and genocide-abundant invasion of Ukraine. Since February 24, when Russian troops officially crossed the border into Ukraine, Roskomnadzor has banned access to foreign news websites that report on the invasion and don't toe its state-mandated propaganda "denazification" line or websites for western companies that have pulled out of Russia as a sign of protest or because of sanctions.

Roskomnadzor's decision to go after the Tor Project makes sense since Russia is the country with the second-most users on the Tor network, with more than 300,000 daily users, or 15% of all Tor users, the Tor Project said last year.

Breaches and hacks

Mirror Protocol hack #1: A threat actor exploited a bug in the Mirror Protocol DeFi platform to steal almost $90 million worth of cryptocurrency in October 2021. The hack exploited a vulnerability in one of the Mirror Protocol's smart contract mechanisms that allowed the attacker to generate large sums of cryptocurrency via blockchain betting transactions. The incident went completely undetected for almost seven months, until last week, when a Twitter user discovered the vulnerability and its aftermath.

Mirror Protocol hack #2: ...and then the same person who found the first attack found a second one.

Portland falls to BEC: The US city of Portland, Oregon, said it lost $1.4 million to a BEC scammer last month, in April 2022. In a press release last week, city officials said they identified that they sent city funds to the wrong bank account after the threat actor attempted to scam the city a second time.

Hackers-for-hire: Reuters is reporting on a court case where independent journalist Scott Stedman testified that Israeli jailed private detective Aviram Azari worked to hire Indian hackers to carry out espionage operations on behalf of several Russian oligarchs. Azari pleaded guilty last month to working for BellTroX, a New Delhi-based hacker-for-hire company.

AON incident: AON, one of the largest providers of insurance, pension administration, and health insurance plans, has disclosed a security breach [PDF]. The company said in February this year, it found that a threat actor accessed some of its servers several times between December 29, 2020, and February 26, 2022, from where it downloaded documents containing sensitive data on some of its customers. AON did not say how many customers had data exposed in the incident.

365 Data Centers lawsuit: 365 Data Centers, a major data center operator on the US East Coast, was sued last week by one of its customers after a ransomware attack appears to have permanently destroyed some of its customers' data. The incident took place on May 14, and the data center operator has yet to publicly acknowledge it beyond some private emails sent to its customers. Plaintiffs in the class-action lawsuit claim they have suffered "damages amounting to hundreds of thousands, if not millions, of dollars in lost revenue and profit."

General tech and privacy

Chinese FOSS censorship: Thousands of Chinese developers complained last month that Gitee—a Chinese version of the GitHub platform—has started censoring open-source projects they were hosting on the platform. According to MIT Technology, developers said they had projects locked or hidden from view. Responding to user criticism, Gitee said in a statement posted earlier this month that, going forward, all code posted on the platform will need to be manually reviewed before being published. The company didn't confirm it was implementing this manual review process at the request of the Chinese government, but let's face it, who else has the desire and power to force Gitee to do this?

Microsoft Entra: Microsoft launched on Tuesday a new product called Microsoft Entra. According to the company, the Entra product family will include all of Microsoft's identity and access services, such as Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity.

PSP protocol: Google has open-sourced PSP, a security protocol that uses cryptography to offload and distribute traffic across multiple servers and which Google has used internally for its intra- and inter-data center traffic. The GitHub repo is here, and below is a Twitter thread from an AWS exec discussing Google's technical design.

Ukrainian BGP hijack: Qrator Lab, a Russia-based DDoS mitigation provider, disclosed today that Lurenet, a Ukraine-based internet service provider, has hijacked BGP routes for several Russian companies at the start of March, after Russia's invasion of Ukraine, and in April. The company told Russian news outlet Vedomosti that Lurenet hijacked traffic for Beeline, Megafon, and MTS, three Russian telcos.

Government, politics, and policy

Romania: Romanian lawmakers have proposed a new bill this week that would make the Romanian Intelligence Service (SRI) the official telecommunications interception agency. The new bill will also grant the agency the right to operate internationally, would force local companies and Romanian citizens to cooperate with its investigations, and introduce special rules for investigating SRI agents.

Cybercrime and threat intel

New HelloXD ransomware: Security researcher MalwareHunter has spotted a new ransomware strain in the wild, named HelloXD, targeting VMware ESXi servers.

Android malware ecosystem: According to the ThreatFabric Mobile Threat Landscape for H1 2022, the operators of mobile banking trojans are switching their focus from Account Take-Over (ATO) attacks to adding more On-Device Fraud (ODF) capability to their malware toolkits. Android banking trojans that support ODF features include strains like Alien, Anatsa, Medusa, Hydra, Exo/Octo, Gustuff, and SharkBot.

Operation KillerBee: Interpol reported on Monday that Nigerian law enforcement arrested three locals on charges of cybercrime. Officials said the suspects distributed the Agent Tesla remote access trojan. Once they infected victims, the group would engage in business email compromise (BEC) schemes. Their campaigns primarily targeted corporate organizations, such as oil and gas companies in South East Asia, the Middle East, and North Africa.

FBI alert: The FBI has warned US organizations about a rise in fraudulent schemes seeking donations or other financial assistance related to the crisis in Ukraine. The Bureau says that criminal actors are taking advantage of the war in Ukraine by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts, including monetary and cryptocurrency donations.

WSO2 exploitation: Trend Micro has a report out on the recent attacks targeting CVE-2022-29464, a remote code execution vulnerability in WSO2 servers.

Malware technical reports

XLoader: Check Point published a technical report on XLoader, an infostealer malware and the successor of the Formbook malware, abandoned last year.

SocGholish: The Walmart security team has a very technical blog post on the operations of SocGholish, a cybercrime group that relies on fake software updates to infect users with malware.

Amadey Loader: OALABS has published a report on Amadey Loader, a malware loader botnet that was first seen in 2018 and is currently being advertised on Russian-speaking cybercrime forums.

WarzoneRAT: Uptycs published a report on new updates in the WarzoneRAT malware, which now uses process hollowing to avoid detection.

Mars Stealer: Security researcher Mohamed Ashraf has published a deep dive into the Mars Stealer malware.

APTs and cyber-espionage

TA413: Cybersecurity firm Proofpoint said on Tuesday that it discovered that at least one state-sponsored group has already weaponized the recent Office zero-day that was disclosed over the weekend. Per the company, a threat actor tracked as TA413 (or Keyboy) has used this technique to target individuals in the Tibet region.

Vulnerabilities and bug bounty

Office zero-day mitigation: Microsoft published official guidance for the Office zero-day that was discovered being exploited in the wild over the weekend. The zero-day is now tracked under the CVE-2022-30190 identifier.

Infosec industry

UPnProxyChain: Finnish security researcher Valtteri Lehtinen released a new tool called UPnProxyChain. The tool creates a network of SOCKS proxy servers out of devices vulnerable to the UPnProxy vulnerability [PDF].