Police pounce on 'pompompurin' – alleged mastermind of BreachForums
Crypto laundering service gets cleaned up by police and SVB mess draws in more criminals
In Brief A man accused of being the head of one of the biggest criminal online souks, BreachForums, has been arrested in Peekskill, New York.
Conor Brian FitzPatrick, believed to operate the forum under the name pompompurin, was reportedly arrested on Wednesday afternoon and according to court documents [PDF] Fitzpatrick confessed to running the forum.
"When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian FitzPatrick; b) he used the alias 'pompourin,' and c) he was the owner and administrator of 'BreachForums,' the data breach website referenced in the Complaint," FBI special agent John Longmire testified.
- Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs
- Here's how Chinese cyber spies exploited a critical Fortinet bug
- UK.gov bans TikTok from its devices as a 'precaution' over spying fears
BreachForums appeared on the dark web shortly after the demise of RaidForums – a site which specialized in selling purloined data. It quickly grew to become a massively popular site for data thieves to announce their exploits.
FitzPatrick was charged with one count of conspiracy to commit access device fraud and bail was set at $300,000 – paid for by his parents.
The SVB scams just keep on coming
Silicon Valley Bank account holders are already being battered by the collapse of their financial institution, and cyber criminals have been quick to add insult to injury by jumping at the opportunity to prey on those whose cash has been caught up in the bank run.
We've already warned readers about online scams cropping up to take advantage of the collapse of Silicon Valley Bank, and at least one campaign has already emerged: security firm Inky reported what it claims is the first SVB-related scam to target Microsoft account credentials.
Per Inky's report, the attack starts with fake DocuSign notifications branded to appear as if they came from SVB's Know Your Customer Refresh Team, and asks the victim to fill out a pair of surveys to verify their identity as an SVB account holder.
When links in the email are clicked, however, it redirects users to a pair of different links that claim to be redirecting the user to their organizational sign in page – in this case spoofed to look like a Microsoft account login.
Of course, if one were clicking those links with a critical eye, a bit of confusion may arise from needing to sign in to a Microsoft account to access DocuSign documents. In case that doesn't tip users off it's a good idea to blacklist the domains that Inky flagged as part of the scam: serving-sys[.]com and docuonline[.]eu. Inky also warns of the use of web[.]app domains being used to host fake Microsoft login pages.
This campaign is different from SVB scams that have come before it, but only by degrees, as previously reported scams have also tried to fool people with fake DocuSign links.
Proofpoint also identified a campaign earlier this week targeting users of DeFi app Circle, which had a considerable stake in SVB, by tricking people into buying the cryptocurrency USDC – a "stablecoin" pegged to the value of the US dollar that lost its peg when SVB collapsed. Proofpoint said the scam was trying to lure customers to redeem USDC for US dollars at a 1:1 rate.
So, like other trending cyber crime scams, those surrounding SVB's collapse aren't particularly well crafted, nor uniquely dangerous. It's the same old phishing tricks: lures for the greedy and simple solutions for the frightened.
Proofpoint summed up how those with an interest in SVB should respond to the current threat environment well in a tweet: "Anyone involved in handling financial info or transactions [should] exercise additional caution and diligence as messages could emanate from fraudsters."
This week's actionable items
This week's list of cybersecurity issues that need immediate action is dominated by Patch Tuesday, which we already covered. If this list seems a bit short, that's because all of the big Microsoft, Adobe, Android, Chrome and SAP bugs reported this week are covered there.
That said, if you're in the industrial IT sector at all, it was a bad week for Siemens and AVEVA. If you're running any of these systems get patching:
- CVSS 9.8 – CVE-2023-1256: AVEVA Plant SCADA and AVEVA Telemetry Server both contain an improper authorization vulnerability that could allow an unauthenticated remote user to read data, cause denial of service and tamper with alarm states.
- CVSS 9.8 – multiple CVEs: In an update to a previous notification CISA said that AVEVA InTouchAccess Anywhere and Plant SCADA Access Anywhere software are affected by a trio of bugs that could allow an unauthenticated user to gain access to secured systems and execute arbitrary code. Interestingly enough, SCADA is advising customers in this case not to update the affected software, but to completely uninstall it and do a fresh installation of the updated version.
- CVSS 9.8 – multiple CVEs: Honeywell OneWireless Wireless Device Manager has a trio of vulnerabilities that could allow an attacker to escalate their privileges and execute remote code.
- CVSS 9.1 – CVE-2023-0811: Omron's CJ1M PLCs have a whole bunch of vulnerable components that could allow an attacker to bypass user memory protections, overwrite passwords and lock engineers from reading their own memory regions.
- CVSS 9.8 – LOTS of CVEs: 65 separate CVE numbers are included in this warning that more than a dozen Siemens Scalance and a pair of Ruggedcom devices contain vulnerabilities that could let an attacker inject code and cause denial of service. You might wanna check that list.
- CVSS 9.1 – CVE-2023-25957: Several versions of Siemens Mendix SAML software contain an incorrectly implemented authentication algorithm that could allow an unauthenticated remote attacker to bypass authentication.
- CVSS 8.8 – 2 CVEs: All versions of Siemens Ruggedcom Crossbow prior to version 5.3 are missing authorization checks that allow an attacker to launch SQL injection attacks.
Before we return you to more security news, it's worth pointing out a couple of stories that didn't make the cut this week, but are still important to be aware of.
First, CISA has launched a Ransomware Vulnerability Warning pilot program through which it will track and notify organizations in critical sectors if it determines some of the systems they run are vulnerable to ransomware attacks. CISA said it will do this by leveraging existing services and data sources, including open source intelligence gathered from the web. There's no mention of needing to sign up to get these notifications, so it seems CISA is just going to assume you want these notices.
Of course, this could easily raise the hackles of many a cybersecurity pro – as who's to know if the real CISA is calling – but the agency seems to be aware of the potential for spoofing. It said anyone who is contacted by a CISA office under the pilot program should reach out to CISA Central to verify the legitimacy of a notice.
Second, Microsoft's Digital Threat Analysis Center has warned that it's seeing signs Russia could be regrouping for another round of cyber attacks that could involve new forms of ransomware and new targets, too. "Cyberthreat actors with known or suspected ties to Russia's intelligence services have attempted to gain initial access to government and defense-related organizations not only in Central and Eastern Europe but also in the Americas," Microsoft warned.
Between bank scams and cyber wars, it's probably not a bad week to do some security auditing.
Cryptocurrency launderer wrung out by US, German law enforcement
ChipMixer, a cryptocurrency "mixer" used extensively by cybercriminals, has been taken down thanks to a joint effort led by the US Justice Department and German authorities, who in the process seized nearly 2,000 Bitcoins ($50.7 million), four servers and seven terabytes of juicy crime-adjacent data.
Until its takedown on March 15, ChipMixer was used to launder cryptocurrency by converting all deposited crypto – primarily Bitcoin – into its own virtual asset called chips. Those chips were then mixed into one large pool before being redistributed, hiding all blockchain trails in the process.
The service was set up in 2017 by Vietnamese national and resident Minh Quốc Nguyễn, whom the US DoJ has charged with money laundering, operating an unlicensed money transmission business and identity theft. Nguyễn is currently at large and faces up to 40 years in prison if convicted.
According to the DoJ, Chipmixer laundered money for the cyber criminals behind 37 ransomware strains, more than $700 million in Bitcoin linked to stolen wallets, more than $200 million associated with darknet markets – including $60 million that belonged to Hydra, and millions more associated with dark web forums where bad actors could buy stolen account credentials and the like.
ChipMixer allegedly counted among its clientele the Russian General Staff Main Intelligence Directorate, or GRU, and its subsidiary units, which includes APT 28, North Korean actors behind the Axie Infinity hack, and the individuals behind the Horizon Bridge hack. European officials said that ransomware actors including Mamba and Lockbit have also used the service.
Of the idea that cryptocurrency – or laundering services such as ChipMixer – can anonymize crime, the FBI said technology won't protect anyone.
"Technology has changed the game … In response, the FBI continues to evolve in the ways we 'follow the money' of illegal enterprise," said FBI special agent in charge Jacqueline Maguire of the Philadelphia Field Office. ®