Attacks/Breaches

9/17/2015 05:30 PM

Law Enforcement's Winning Week In Cybercrime

Russian hackers cop to Heartland breach and two men are arrested in connection with a major ransomware scheme -- but meanwhile, the hacking beat goes on.

It was a rare good week for law enforcement in the ongoing battle against cybercrime, as officials broke open two high-profile cases: first, two Russian nationals pleaded guilty to their role in the historic 2008 data breach of Heartland Payment Systems and other companies, and then a pair of Dutch nationals were arrested for their alleged role in a massive ransomware attack campaign.

High-profile prosecutions and arrests of cybercriminals remain few and far between compared with the volume of cybercrime activity worldwide today. While the cases send much-needed signals to the bad guys that cybercrime doesn't always pay, security and law enforcement experts acknowledge that despite the wins, cybercrime remains very much alive and well.

The US Department of Justice announced this week that two Russian nationals who had been arrested in The Netherlands in June of 2012 in connection with the infamous hacking case of payment processor Heartland Payment Systems and NASDAQ -- as well as other processors and retail firms including 7-Eleven, JC Penney, and JetBlue -- each separately pleaded guilty to their role in the attacks. The attacks resulted in the theft of some 160 million credit card numbers and over $300 million in losses.

Vladimir Drinkman, 34, of Syktyvkar, Russia, and Moscow, on Tuesday copped to his role in the massive breach campaign, pleading guilty to one count of conspiracy to commit unauthorized access to protected computers and one count of conspiracy to commit wire fraud.

Assistant Attorney General Leslie R. Caldwell of DoJ's Criminal Division credited international cooperation as key to Drinkman's ultimate conviction. "As demonstrated by today's conviction, our close cooperation with our international partners makes it more likely every day that we will find and bring to justice cybercriminals who attack America -- wherever in the world they may be," Caldwell said. "As law enforcement around the world responds to the cyber threat that affects us all, I am confident that this type of international cooperation that led to this result will be the new normal."

Yesterday, Dmitriy Smilianets, 32, of Moscow, pleaded guilty to conspiracy to commit wire fraud in a manner affecting a financial institution. Drinkman and alleged cohort Alexandr Kalinin, 28, of St. Petersburg, Russia -- who remains at large -- did the hacking, and Smilianets sold the stolen financial information on behalf of the hacking ring. Smilianets allegedly charged $10 apiece for each American credit card number and associated data; $50 for each European credit card number and associated data; and $15 for each Canadian credit card number and associated data. He also offered bulk discounts.

Roman Kotov, 34, of Moscow, who allegedly cased the victim networks for valuable data, and Mikhail Rytikov, 28, of Odessa, Ukraine, who provided anonymous Web hosting services to the attacks, also both remain at large.

[Robert Carr, chairman and CEO of Heartland Payment Systems, says lack of end-to-end encryption and tokenization were factors in recent data breaches. Read Heartland CEO On Why Retailers Keep Getting Breached.]

In the newest hacking case, Dutch police arrested two men from Amersfoort, The Netherlands, for their alleged roles in the CoinVault ransomware attacks that have infected some 1,500 Windows users worldwide. The Dutch Police's National High-Tech Crime Unit used research from Kaspersky Lab and Panda Security to help identify and locate the alleged hackers, ages 18 and 22, behind the attacks. They did not name the suspects publicly.

CoinVault, which attempted to infect tens of thousands of machines mostly in The Netherlands, Germany, France, the UK, and the US, locks victims out of their machines and demands payment in Bitcoins for the decryption of the files. According to Kaspersky's research, the attackers began their campaign back in May of 2014.

The arrests of the alleged ransomware hackers are "a start," says Tony Porras, a cybersecurity and compliance attorney who has worked with clients victimized by ransomware infections. "It's good to see some movement" law enforcement-wise against ransomware, he says.

"So far, it's mostly been throwing your hands up in the air and saying 'you'd better have a good backup,'" Porras says.

Kaspersky Lab security researcher Santiago Pontiroli, who has been studying and researching CoinVault since it was first spotted in the wild, says he and his team haven't seen any additional activity since the bust. The CoinVault gang traditionally has been wise to researchers and others investigating them, however: "After the initial report we did" in November of 2014, the gang basically laid low and went into hiding, even removing traces of the Dutch language from their tracks, Pontiroli says. "They didn't release any more samples until April of 2015. It's like they knew someone was watching them."

The good news is that if indeed the CoinVault busts kill the ransomware, at least that one family will be history, according to Pontiroli. "But CoinVault isn't the only ransomware out there," he says. "Ransomware is a rising problem. This is not the end of it, but it shows" cooperation among private industry and law enforcement can help, he says.

It also sends a message to cybercriminals, he says: "This is a crime and you will be prosecuted."

SQL Injection

The first hacker to go down in connection with the Heartland breach was the now-infamous Albert Gonzalez, of Miami, who is serving a 20-year sentence for his role in the breaches of Heartland and four other companies.

The hackers associated with the case -- considered the largest data breach case ever indicted -- hit NASDAQ, 7-Eleven, Carrefour, JC Penney, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore, and Ingenicard. After infiltrating the victim networks, the attackers stole usernames and passwords, credit and debit card numbers, and other personal information. To cover their tracks, they disabled the victims' security systems from logging their activity.

Their most frequent initial attack vector was SQL injection, followed by planting backdoor malware. They also employed sniffers to capture data, and ultimately sold the card information on online forums or to other individuals.

Jeremiah Grossman, founder of WhiteHat Security, says the hacking ring wasn't particularly innovative in its tactics, with SQL injection, for example, among its favorite hacks. "Imagine how much infosec budget dollars in defense they bypassed using well-known techniques," he says.

Both the Heartland and CoinVault case breaks are good news, though, he says. "Less bad guys on the street, so to speak," Grossman says. "But I have to think this is a drop in the bucket, and if not, other groups will take their place rather quickly."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...