Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds.

What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately?

Blacklisted Exchanges and Mixers

Between 2014 and 2017, the BTC-e crypto exchange allegedly cashed out nearly 95% of all ransomware payments worldwide. Feds asserted that BTC-e ringleader Alexander Vinnik also played a role in the theft of about 800,000 bitcoin (about $400 million at the time) from the Japanese Mt. Gox exchange. Eventually, the U.S. government indicted Vinnik, who was sentenced to five years in jail. BTC-e eventually shut down, along with all its accounts. Meanwhile, many legitimate BTC-e customer account holders remained stuck in limbo.

Then came SUEX, the OTC cryptocurrency broker reportedly receiving $160 million from ransomware and other scammers. In 2021, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) placed the Russia-based broker on the Specially Designated Nationals and Blocked Persons (SDN) List. Americans are prohibited from doing business with any company on the SDN list.

More recently, the virtual currency mixer Tornado Cash was sanctioned. According to the U.S. Treasury, the mixer “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.” A State Department spokesman said the mixer had provided “material support” to the Lazarus Group — an organization believed to work on behalf of the North Korean government. As of August 2022, the platform was also on the SDN List.

Given these incidents, how can you tell if a crypto platform is being used for nefarious purposes? What signs indicate that criminals could use your exchange, too?

Putting Things In Perspective

The reality is that malicious actors can use any financial entity for fraudulent purposes. In 2021, the illicit share of all cryptocurrency transaction volume reached an all-time low of 0.15%. Meanwhile, the UN estimates the amount of fiat money laundered globally in one year is 2 to 5% of the global GDP, or $800 billion to $2 trillion.

It’s not unheard of for criminals to use multinational banks to launder money. But if you invest in crypto and your platform gets sanctioned overnight, you might not be able to recover your coins the next day.

How Crypto Platforms Deter and Detect Illicit Activity

Three key policies can help crypto businesses to deter money laundering and ransomware payouts. When evaluating the platform you use, ask if they implement:

1. Know Your Customer (KYC). This means requiring customer verification when establishing a business relationship when a customer carries out a transaction and if required by law. Verification can include collecting customer data such as their name, address and date of birth.
2. Travel Rule. According to the Financial Action Task Force’s “Travel Rule,” crypto platforms must collect and share data on parties in transactions. The data collection threshold (transaction size) differs between countries.
3. Transaction monitoring. This includes a system for ongoing transaction monitoring to detect signs of money laundering. For example, exchanges can analyze wallet addresses and transaction hashes.

Some red flags crypto businesses look out for that might indicate money laundering include:

• Transactions of unusual size, location or pattern. For example, a sudden, large transaction between two parties with no prior connection.
• Sending cryptocurrency to darknet marketplaces, mixing services, questionable gambling sites, fraudulent exchanges and platforms with lax anti-money laundering (AML) standards. Blockchain analysis can detect the use of mixing services.
• Structuring several transactions, all just below reporting thresholds. This is how criminals break down large payouts into smaller sums.

Cryptocurrency Business Regulation

Given the ongoing cryptocurrency scams, many are calling for regulatory action. A recent DIFC Fintech conference outlined the current cryptocurrency regulatory scenario. Some of the highlights include:

• Approximately 95% of regulators have a team working on crypto regulations now.
• The crypto industry is lobbying for clear regulatory action. Regulations can have a positive effect on cryptocurrency business development.
• When global cryptocurrency exchange Binance introduced KYC verifications, more than 96% of its customer base complied.
• The SEC imposed approximately $2.35 billion in total monetary penalties against digital asset market participants in 2021.

Complex Cryptocurrency Jungle

In a recent executive order and strategy documents, President Biden pledged to support the development of cryptocurrencies and to restrict their illegal uses. But regulation often hinders innovation speed. Meanwhile, the United States continues to develop cryptocurrency policies with a global impact. These policies include sanctioning cryptocurrency exchanges, recovering ransomware payments and improving collaborative security efforts with other countries.

KYC and AML policies have been applied to U.S. cryptocurrency exchanges for years. Still, this can’t prevent actors from pivoting to exchanges in other less regulated countries that enable illicit transactions. For now, the only way to combat this is to continually monitor for platforms involved in illegal activity.

In November 2021, less than two months after the SUEX sanctions, the Treasury Department followed up with sanctions on Chatex, another Russian platform, as well as three of Chatex’s suppliers. Then, in April 2022, the Treasury Department added a third exchange operating in Russia, Garantex, to the SDN List.

Looking Ahead

So far, the efforts to fight cryptocurrency crime are all a step in the right direction. Still, no in-depth analysis has measured the overall impact of these actions on levels of crypto crime.

Sanctions and policing efforts have also been accompanied by a call to develop a U.S. central bank digital currency (CBDC). However, a CBDC collides with privacy and sovereignty issues that largely gave rise to cryptocurrencies in the first place.

Undoubtedly, no simple solutions exist for cryptocurrency-related crimes. But easy answers never existed with paper money either.

The post How to Spot a Nefarious Cryptocurrency Platform appeared first on Security Intelligence.

Recently, investigators at Mandiant discovered a new software platform with an intuitive interface. The service has tools to orchestrate and automate core campaign elements. Some of the platform’s features enable self-service customization and campaign tracking.

Sounds like a typical Software-as-a-Service (SaaS) operation, right? Well, this time, it’s Caffeine, the latest Phishing-as-a-Service (PhaaS) platform. A basic subscription costs $250 a month; all you need is an email to sign up.

How Caffeine PhaaS is Different

PhaaS vendors advertise and sell their products as phishing kits. A phishing kit includes everything required to launch a successful phishing attack, such as email templates and even templates for rogue websites to send victims to. Some phishing kits also include lists of potential targets.

As per Mandiant, what makes Caffeine different from most other PhaaS offerings is its low barrier of entry. To sign up for Caffeine services, only an email is required. Unlike Caffeine, other PhaaS platforms typically only communicate through referrals, underground forums or encrypted messaging. Also, Caffeine provides email templates directed at Russian and Chinese targets, which is unusual for PhaaS.

Other Caffeine features include:

• Tools to orchestrate and automate phishing campaigns
• Self-service phishing kit customization
• Capability to manage intermediary redirect pages and final-stage lure pages
• Dynamic URL generation for hosted malicious payloads
• Ability to track campaign email activity
• Caffeine news feed: announces feature updates and expansions of accepted cryptocurrencies.

According to Mandiant, the average PhaaS platform costs from $50 to $80, making Caffeine relatively expensive. Caffeine may be pricier due to its unlimited customer service support options and its extensive anti-detection and anti-analysis features.

Rise of Commercialized Attack Services

Caffeine represents a continued trend of Cyber-Crime-as-a-Service, which makes it easy for non-technical adversaries to launch massive attacks. Like legitimate subscription-based software, the programming and business organization behind these attack platforms is highly sophisticated. Caffeine even offers three service tiers (Basic, Professional and Enterprise at $250, $450 and $850 per month, respectively).

Undoubtedly, security professionals wince when they compare the low cost of phishing services versus the $4.35 million average cost of a data breach.

Phishing Attack Protection

Given the ease of access to phishing attack kits, companies must implement effective anti-phishing security. Training employees to be aware of these scams is a key starting point. Some organizations will even send out internal bogus phishing emails to keep team members on their toes. Still, even with the best training, attacks can slip through the cracks. For this reason, more comprehensive strategies are required.

Solutions, such as security information and event management (SIEM), have evolved to include advanced analytics such as user behavior analytics (UBA), network flow insights and artificial intelligence (AI) to accelerate detection. SIEM also integrates with security orchestration, automation and response (SOAR) platforms for incident response and remediation.

Other approaches, such as zero trust, manage privileged access to ensure that users are only granted access to data essential to their jobs.

The growth of nefarious services like Caffeine makes us jittery. Solid, well-developed security can help keep us calm.

The post Too Much Caffeine? Phishing-as-a-Service Makes Us Jittery appeared first on Security Intelligence.

In late 2021, the Apache Software Foundation disclosed a vulnerability that set off a panic across the global tech industry. The bug, known as Log4Shell, was found in the ubiquitous open-source logging library Log4j, and it exposed a huge swath of applications and services.

Nearly anything from popular consumer and enterprise platforms to critical infrastructure and IoT devices was exposed. Over 35,000 Java packages were impacted by Log4j vulnerabilities. That’s over 8% of the Maven Central repository, the world’s largest Java package repository.

When Log4j was discovered, CISA Director Jen Easterly said, “This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious.”

Since Log4j surfaced, how has the security community responded? What lessons have we learned (or not learned)?

Significant Lingering Threat

Log4Shell is no longer a massive, widespread danger. Still, researchers warn that the vulnerability is still present in far too many systems. And actors will continue to exploit it for years to come.

Log4Shell was unusual because it was so easy to exploit wherever it was present. Developers use logging utilities to record operations in applications. To exploit Log4Shell, all an attacker has to do is get the system to log a special string of code. From there, they can take control of their victim to install malware or launch other attacks.

“Logging is fundamental to essentially any computer software or hardware operation. Whether it’s a phlebotomy machine or an application server, logging is going to be present,” said David Nalley, president of the nonprofit Apache Software Foundation, in an interview with Wired. “We knew Log4j was widely deployed, we saw the download numbers, but it’s hard to fully grasp since in open source you’re not selling a product and tracking contracts. I don’t think you fully appreciate it until you have a full accounting of where software is, everything it’s doing and who’s using it. And I think the fact that it was so incredibly ubiquitous was a factor in everyone reacting so immediately. It’s a little humbling, frankly.”

According to Nalley, they had software fixes out within two weeks. Alarmingly, Apache still sees up to 25% of downloads involving non-patched versions of Log4j.

Continued Log4j Attack Incidents

Threat actors continue to exploit the Log4j vulnerability to this day. CISA has released alerts regarding Iranian and Chinese actors using the exploit. From Iran, cyber threat actors took advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server, installed crypto mining software, moved laterally to the domain controller, compromised credentials and implanted reverse proxies on several hosts to maintain persistence. Meanwhile, the top Common Vulnerabilities and Exposures (CVEs) most used by Chinese state-sponsored cyber actors since 2020 is Log4j.

Given the danger and ongoing threat, why do so many vulnerable versions of Log4j still persist? Could it be that some IT pros don’t really know what’s in their software?

The Risk of Open-Source Software

The problem isn’t software vulnerability alone. It’s also not knowing if you have vulnerable code hiding your applications. Surprisingly, many security and IT professionals have no idea whether Log4j is part of their software supply chain. Or even worse, they choose to ignore the danger.

Part of the challenge is due to the rise of open-source software (OSS). Coders leverage OSS to accelerate development, cut costs and reduce time to market. Easy access to open-source frameworks and libraries takes the place of writing custom code or buying proprietary software. And while many applications get built quickly, the exact contents might not be known.

In a Linux Foundation SBOM and Cybersecurity Readiness report, 98% of organizations surveyed use open-source software. Due to the explosion of OSS use, it’s clear that supply chain cybersecurity may be impossible to gauge for any given application. If you don’t know what’s in your supply chain, how can you possibly know it’s secure?

Security Starts With SBOM

The threat of vulnerabilities (both known and zero-day) combined with the unknown contents of software packages has led security regulators and decision-makers to push for the development of software bills of materials.

According to CISA:

A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components.

If you have a detailed list of individual software components, you can assess risk exposure more accurately. Also, with a well-developed SBOM, you can match your list against CISA’s Known Exploited Vulnerabilities Catalog. Or, if you hear about an emerging mass exploit like Log4j, you can quickly confirm if your stack is at risk. If you don’t have an SBOM, you’re in the dark until you are notified by your vendor or until you get hacked.

Finding Millions of Vulnerabilities

If you were to scan your systems for software vulnerabilities, you might discover hundreds of thousands of weaknesses. Also, if you merged with another company recently, you inherit their risk burden as well. For larger enterprises, detected vulnerabilities can number in the millions.

Trying to patch everything at once would be impossible. Instead, proper triage is essential. For example, vulnerabilities nearest to mission-critical systems should be prioritized. Also, an organization should audit, monitor and test its software vulnerability profile often. And since IT teams might add applications at any moment, an up-to-date network inventory and scheduled vulnerability scanning are critical. Automated software vulnerability management programs can be a great help here.

Many companies don’t have the time or qualified resources to identify, prioritize and remediate vulnerabilities. The process can be overwhelming. Given the high risk involved, some organizations opt to hire expert vulnerability mitigation services.

Still More to Learn

While Log4j sent some into a frenzy, others didn’t even seem to notice. This gives rise to the debate about cyber responsibility. If my partner hasn’t patched a vulnerability, and it affects my operations, should my partner be held responsible?

In one survey, 87% of respondents said that given the level of cyber risk posed by Log4j, government regulatory agencies (such as the U.S. Federal Trade Commission) should take legal action against organizations that fail to patch the flaw.

Only time will tell how far the security community will take responsibility for vulnerabilities — whether by being proactive or by force.

The post Log4j Forever Changed What (Some) Cyber Pros Think About OSS appeared first on Security Intelligence.