9/17/2015
05:30 PM

Law Enforcement's Winning Week In Cybercrime

Russian hackers cop to Heartland breach and two men are arrested in connection with a major ransomware scheme -- but meanwhile, the hacking beat goes on.

It was a rare good week for law enforcement in the ongoing battle against cybercrime as officials broke open two high-profile cases:  first, two Russian nationals pleaded guilty to their role in the historic data breach in 2008 of Heartland Payment Systems and other companies, and then a pair of Dutch nationals were arrested for their alleged role in a massive ransomware attack campaign.

High-profile prosecutions and arrests of cybercriminals remain few and far between compared with the volume of cybercrime activity worldwide today. While the cases send much-needed signals to the bad guys that cybercrime doesn't always pay, security and law enforcement experts acknowledge that despite the wins, cybercrime remains very much alive and well.

The US Department of Justice announced this week that two Russian nationals who had been arrested in The Netherlands in June of 2012 in connection with the infamous hacking case of payment processor Heartland Payment Systems and NASDAQ -- as well as other processors and retail firms including 7-Eleven, JC Penney, and JetBlue -- each separately pleaded guilty to their role in the attacks. The attacks resulted in the theft of some 160 million credit card numbers and over $300 million in losses.

Vladimir Drinkman, 34, of Syktyvkar, Russia, and Moscow, on Tuesday copped to his role in the massive breach campaign, pleading guilty to one count of conspiracy to commit unauthorized access to protected computers, and one count of conspiracy to commit wire fraud.

Assistant Attorney General Leslie R. Caldwell of DoJ's Criminal Division credited international cooperation as key to Drinkman's ultimate conviction. "As demonstrated by today's conviction, our close cooperation with our international partners makes it more likely every day that we will find and bring to justice cybercriminals who attack America -- wherever in the world they may be," Caldwell said. "As law enforcement around the world responds to the cyber threat that affects us all, I am confident that this type of international cooperation that led to this result will be the new normal."

Yesterday, Dmitriy Smilianets, 32, of Moscow, pleaded guilty to conspiracy to commit wire fraud in a manner affecting a financial institution. Drinkman and alleged cohort Alexandr Kalinin, 28, of St. Petersburg, Russia -- who remains at large -- did the hacking, and Smilianets sold the stolen financial information on behalf of the hacking ring. Smilianets allegedly charged $10 for each American credit card number and associated data; $50 for each European credit card number and associated data; and $15 for each Canadian credit card number and associated data. He also offered bulk discounts.

Roman Kotov, 34, of Moscow, who allegedly cased the victim networks for valuable data, and Mikhail Rytikov, 28, of Odessa, Ukraine, who provided anonymous Web hosting services to the attacks, also both remain at large.

[Robert Carr, chairman and CEO of Heartland Payment Systems, says lack of end-to-end encryption and tokenization were factors in recent data breaches. Read Heartland CEO On Why Retailers Keep Getting Breached.]

In the newest hacking case, Dutch police arrested two men from Amersfoort, The Netherlands, for their alleged roles in the CoinVault ransomware attacks that have infected some 1,500 Windows users worldwide. The Dutch Police's National High-Tech Crime Unit used research from Kaspersky Lab and Panda Security to help identify and locate the alleged hackers, ages 18 and 22, behind the attacks. They did not name the suspects publicly.

CoinVault, which attempted to infect tens of thousands of machines mostly in The Netherlands, Germany, France, the UK, and the US, locks victims out of their machines and demands payment in Bitcoins for the decryption of the files. According to Kaspersky's research, the attackers began their campaign back in May of 2014.

The arrests of the alleged ransomware hackers are "a start," says Tony Porras, a cybersecurity and compliance attorney who has worked with clients victimized by ransomware infections. "It's good to see some movement" law enforcement-wise against ransomware, he says.

"So far, it's mostly been throwing your hands up in the air and saying 'you'd better have a good backup,'" Porras says.

Kaspersky Lab security researcher Santiago Pontiroli, who has been studying and researching CoinVault since it was first spotted in the wild, says he and his team haven't seen any additional activity since the bust. The CoinVault gang traditionally has been wise to researchers and others investigating them, however: "After the initial report we did" in November of 2014, the gang basically laid low and went into hiding, even removing traces of the Dutch language from their tracks, Pontiroli says. "They didn't release any more samples until April of 2015. It's like they knew someone was watching them."

The good news is that if indeed the CoinVault busts kill the ransomware, at least that one family will be history, according to Pontiroli. "But CoinVault isn't the only ransomware out there," he says. "Ransomware is a rising problem. This is not the end of it, but it shows" cooperation between private industry and law enforcement can help, he says.

It also sends a message to cybercriminals, he says: "This is a crime and you will be prosecuted."

SQL Injection

The first hacker to go down in connection with the Heartland breach was the now-infamous Albert Gonzalez, of Miami, who is serving a 20-year sentence for his role in the breaches of Heartland and four other companies.

The hackers associated with the case -- considered the largest data breach case ever indicted -- hit NASDAQ, 7-Eleven, Carrefour, JC Penney, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore, and Ingeniecard. After infiltrating the victim networks, the attackers stole usernames and passwords, credit and debit card numbers, and other personal information. To cover their tracks, they disabled the victims' security systems from logging their activity.

Their most common initial attack vector was SQL injection, followed by planting backdoor malware. They also used sniffers to capture data, and ultimately sold the card information on online forums or to other individuals.
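The SQL injection the article names as the ring's most common entry point comes down to one coding mistake: building a query by concatenating untrusted input so that the input becomes SQL syntax rather than data. The following is an added illustration written for this page, not code from the article or from any of the breached companies; it runs against a constructed in-memory SQLite table and shows the vulnerable pattern beside the parameterized form that removes the flaw, using a constructed test input that contains a quote character.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny lookup table with
# masked card values, standing in for the kind of record the ring went after.
SAMPLE_ROWS = [
    ("alice", "4111-xxxx-xxxx-1111"),
    ("bob", "5500-xxxx-xxxx-0004"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (username TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the query is built by string concatenation, so any
    quote character in the input terminates the literal and the rest of the
    input is interpreted as SQL."""
    sql = "SELECT username, pan FROM cards WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is passed as a bound parameter, so the driver
    treats it purely as data and the query structure cannot change."""
    sql = "SELECT username, pan FROM cards WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test input: a value containing a single quote. In the
# concatenated query it closes the string literal early and turns the WHERE
# clause into an always-true condition; in the parameterized query it is just
# an unusual username that matches nothing.
PROBE_INPUT = "x' OR '1'='1"


def compare(username: str = PROBE_INPUT) -> dict:
    """Run both lookups on the same input and report how many rows each
    returns. Equal counts mean the input behaved as data in both cases."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # With the probe input the concatenated query leaks every row, while the
    # parameterized query returns none.
    print(compare())
    # An ordinary username behaves identically in both versions.
    print(compare("alice"))
```

The defensive takeaway is that the fix is not input filtering but keeping the query structure fixed: parameter binding (or an ORM that binds underneath) is what makes the second function immune regardless of what the input contains.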

Jeremiah Grossman, founder of WhiteHat Security, says the hacking ring wasn't particularly innovative in its tactics, with SQL injection, for example, among its favorite hacks. "Imagine how much infosec budget dollars in defense they bypassed using well-known techniques," he says.

Both the Heartland and CoinVault case breaks are good news, though, he says. "Less bad guys on the street, so to speak," Grossman says. "But I have to think this is a drop in the bucket, and if not, other groups will take their place rather quickly."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
