In brief Cisco’s anti-spam service SpamCop failed to renew spamcop.net over weekend, causing it to lapse, which resulted in countless messages being falsely labeled and rejected as spam around the world.
From what we can tell, this is what happened. When the domain name expired, *.spamcop.net resolved to a domain parking service’s IP address. The way that SpamCop’s DNS-based blocking list works is that if you, for example, want to check that an email sent from a system with the IP address 220.127.116.11 is legit, you run a DNS query on 18.104.22.168.bl.spamcop.net. If SpamCop returns a valid DNS entry for that lookup, then it’s an IP address known to have sent out spam in the past and should be treated with suspicion.
Thus, after the domain name expired, every single *.bl.spamcop.net lookup would succeed, as it’s pointing to a parking service, meaning every email received by a server checking SpamCop for known spammers would be flagged up as spam and rejected. As such, mail server administrators saw what looked like a deluge of spam.
The good news is that the spamcop.net domain name was renewed, and by the time you read this, the service may be back to normal, though given the distributed nature of DNS, your mileage may vary. The SpamCop website is, right now, giving us errors when we try to visit it or look up IP address.
First Emotet, now second ransomware operation in the sights of Uncle Sam
The US government has claimed first blood in a battle with the operators of prolific ransomware extortion tool Netwalker, with one arrest and the recovery of nearly half a million dollars in Bitcoin.
Sebastien Vachon-Desjardins, a Canadian national living in the US, is accused [PDF] of spreading Netwalker and reaping $27,685,907 in ransom riches between April and December last year. Separately, the Feds sad they retrieved $454,530 in cryptocurrency thought to be the proceeds from three separate infections of the ransomware. Authorities in Bulgaria also seized a “dark web hidden resource,” shutting down the communications between the Netwalker operation and its victims.
“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas McQuaid.
According to security shop Chainalysis, Netwalker was a very minor player in the extortionware world until spring last year when it started to pull in big bucks. It’s estimated the code, which is offered as-a-service for criminals to rent, has extorted at least $46m in funds. It’s said the malware’s developers remain at large.
“NetWalker operates as a so-called ransomware-as-a-service model, featuring ‘developers’ and ‘affiliates’,” the Dept of Justice explained in a statement. “Developers are responsible for creating and updating the ransomware and making it available to affiliates. Affiliates are responsible for identifying and attacking high-value victims with the ransomware, according to the affidavit. After a victim pays, developers and affiliates split the ransom.”
This comes as the hammer was brought down on the Emotet botnet by Europe, the US, the UK, and others.
Payments from insurance industry fueling ‘out-of-control’ ransomware
And while we’re on the topic, the former head of Britain’s National Cyber Security Centre (NCSC) has warned that insurance companies are unwittingly contributing to the ongoing epidemic of ransomware.
Ciaran Martin told The Guardian the industry needs to rethink its approach to ransomware payouts. The growth of ransomware scams was “close to getting out of control,” he warned, and insurers that pay out are making the problem worse.
“I see this as so avoidable. At the moment, companies have incentives to pay ransoms to make sure this all goes away,” the former intelligence chief said. “You have to look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry.”
The Association of British Insurers has defended the practice, saying that its customers must take “reasonable precautions” against attack and that without the payouts its members provide, some companies would face financial ruin. Meanwhile, crooks are getting very rich indeed.
The Go language team this month patched CVE-2021-3115, which can be exploited by malicious packages to perform arbitrary code execution at build time, and CVE-2021-3114, a flaw in its P-224 curve implementation.
Microsoft goes deep on this week’s security stars being hacked
Earlier this month Google broke the news that computer security specialists were hacked by North Korea using tainted Visual Studio files and at least one Chrome zero-day exploit on an infosec blog. Now Microsoft has more details.
Some of the malware involved was pretty advanced, and some not so. The suspected Pyongyang hackers tried installing a Viraglt64.sys driver from the Vir.IT eXplorer antivirus suite, which had a flaw that could be exploited to get kernel-level access on victims’ Windows PCs, but the code was buggy and would just crash systems. Overall the security community seems to have emerged largely unscathed, but that could just mean some folks are staying quiet out of embarrassment.
Website extortionist ‘fesses up
Last year Joshua Polloso Epifaniou earned the dubious honor of being the first Cypriot to be extradited to the US.
Epifaniou made a career out of hacking popular websites, stealing customer records and other personal information, and then threatening to publish it unless paid off. His victims are thought to have included sports news site Bleacher Report, games publisher Armor Games, computing hobbyist site Adafruit, and recruitment website Snagajob.
This week he pleaded guilty in America to a single charge of computer hacking, and agreed to forfeit $389,113 and nearly 70,000 euros, in addition to the almost $600,000 he has already coughed up. He’ll be expecting a reduced sentence as a result.
Make sure you have fully patched and secured your Atlassian and Oracle 10g servers. Hezbollah’s Cyber Unit is said to have hacked 250 vulnerable internet-facing instances worldwide – mainly in companies in the US, UK, Egypt, Jordan, Lebanon, Israel, and Palestine – in an operation dubbed Lebanese Cedar.
VIPGames.com database leak
Another day, another exposed database, but this one has an unpleasant twist.
The in-house security team at Wizcase said it found a 30GB database fully exposed to the internet on an ElasticSearch server containing 66,000 user profiles and 23 million records, including emails, IP addresses, social media and Google IDs, in-game transaction betting, and details regarding banned players. In some cases players were booted over claims of “potential pedophilia and exhibitionnism.” The data silo is said to have belonged to VIPGames.com.
“A player who was banned for possible pedophile behavior could be tricked into a physical meeting with vigilantes,” the team warned. “If a user was banned for exhbitionism, someone who knows their email address or social media accounts could threaten to expose them.”
Luckily no financial information was exposed and passwords were hashed though seemingly not salted. If you’re a player, a quick password change wouldn’t hurt. ®