Boiler room raid uncovered hidden documents and spy cameras

Six jailed for £2.8m fraud following the City watchdog’s Operation Tidworth

By Hannah Murphy

They might be called “boiler room scams”, but one of the biggest examples of organized investment fraud in the UK took place inside an office building in east London. Back in March 2014, staff from the UK’s financial watchdog launched a search operation at the Docklands Business Centre. Several floors up, Jeannine Lewis, 50, was caught on CCTV sweeping up a stack of glossy brochures and standing on a table to remove a ceiling tile to store the documents in the roof. Minutes later, she did this again — though this time moving a large black computer system.

According to the Financial Conduct Authority, Ms. Lewis was hiding evidence from authorities concerning a sprawling London-based boiler room scam that cost 170 unsuspecting victims a total of £2.8m. The FCA, which has now brought its second-largest criminal prosecution to date against Ms. Lewis and five others for the scam, had made an unannounced visit to the office, catching the defendants off guard. Ms. Lewis claimed at Southwark Crown Court that she had merely been adhering to her company’s clean desk policy. But the group has now been found guilty of charges including fraud, money laundering and perverting the course of justice.

In a coup for a regulator keen to shake off accusations of being too “soft”, sentencing on Friday confirmed the defendants would be jailed for a total of nearly 29 years. Dubbed Operation Tidworth by the FCA, the case shines a harsh spotlight on the shady world of boiler rooms — unauthorized brokerages that use cold calling and other high-pressure sales tactics to push worthless or overpriced investments to members of the public.

The court heard that the defendants set up five different boiler room operations between July 2010 and April 2014 to persuade people to invest in a company that owned land on the Portuguese island of Madeira.
Investors were told the land — and therefore the company’s shares — would increase in value to give returns of as much as 228 percent, thanks to the proposed development of a prestigious golf course nearby. However, investors never saw their money again. Instead, it funded the lavish lifestyle of the group’s ringleader, former bouncer Michael Nascimento. According to prosecutors, the 41-year-old spent £23,000 on VIP Arsenal football club season tickets and £46,000 a year renting a six-bedroom property. Mr. Nascimento was portrayed by prosecutors as paranoid and controlling. Ironically, it was he who installed the CCTV cameras — that captured Ms. Lewis, his personal assistant, stowing away the documents and computer hardware — in order to secretly monitor his staff.

On Friday, he was the last of the group to be sentenced, receiving 11 years. On the same day, he and his chief salesman Charanjit Sandhu, 28, were also sentenced in another case involving the mis-selling of £2.4m of carbon credits to 130 victims. Here, the court heard, the proceeds were used to buy items such as an Aston Martin and a Rolex. At an earlier hearing, the court found the defendants guilty of offenses of conspiracy to defraud, fraud, money laundering and perverting the course of justice, as well as breaches of markets legislation.

Charanjit Sandhu was sentenced to five and a half years’ imprisonment. Hugh Edwards, 36, and Stuart Rea, 50, who both recruited sales brokers, were sentenced to three years and nine months each. Jeannine Lewis, Mr. Nascimento’s personal assistant, received two and a half years while Ryan Parker, 25, described as the “office dogsbody”, was jailed for two years.

Operation Tidworth has been presented as a win for the FCA, which has recently sought to flex its muscles as an investigator and prosecutor of financial crime. As part of its prosecution, the watchdog seized more than 100 computers, trawled through 4m documents and analyzed 65 bank accounts — both in the UK and overseas. In terms of the amount of evidence sifted through by investigators, the case comes second only to the sprawling insider dealer case named Operation Tabernula.

Indeed, Mr. Nascimento and his associates went to great lengths to deceive their victims. In convincing investment brochures seized by the FCA, one of the boiler room companies boasted of being “one of the UK’s largest wealth advisory firms”. Documents were forged under the name of the Four Seasons and Hilton Hotels to con investors into thinking the hotel chains were interested in buying the Madeira development. Website content was copied from banks such as Commerzbank and Citibank. One investor was even flown with his wife to Madeira to meet Mr. Nascimento and Mr. Sandhu who were using fake names. The couple were shown land that was not the land they were said to be investing in. The investor, who lost about £923,000, told the court that he felt like he had been “a fool” and would have to “live with that for the rest of [his] life”.

Hannah Laming, a partner at law firm Peters & Peters with a focus on business crime, said: “There’s been a lot of focus on insider dealings and the headline fines that you get from banks. But I think it’s important for [the FCA] to focus on cases like this. The people who’ve lost the money — it’s their life savings.” Still, questions have been raised as to how the same perpetrators were able to continue to operate over a four-year period, reinventing themselves even after the FCA was made aware of the first iteration of a boiler room operation involving Mr. Nascimento in 2011.

Mark Steward, the FCA’s director of enforcement and market oversight, said this was because Mr. Nascimento used numerous tactics to avoid detection. “He deliberately hid his identity, used other people like the directors and signatories on the bank accounts, [and] avoided having his name on any documentation,” he said. Others urge more transparency around what happens when the public, or businesses, report these types of scams and fraud. One expert in the sector, who did not wish to be named, said that it was unclear how the FCA handled complaints. “It would be good to know what they do with these sorts of reports from the public and how they pursue them,” the expert said. Regulators will be hoping that the publicity surrounding the case will open the eyes and ears of more unsuspecting investors, and give them the confidence to hang up on any cold callers who are offering a seemingly hot deal.


£10bn a year netted in increasingly sophisticated frauds

Boiler room operations, immortalized in films such as Leonardo DiCaprio’s The Wolf of Wall Street, have long been a bugbear for police and regulators. Often, vulnerable and elderly people are targeted. “Fraudsters will prey on an individual’s anxiety about the future,” said Mark Steward, the FCA’s director of enforcement and market oversight, citing as examples concerns about building an adequate pension or paying for a child’s education. But more experienced investors can also fall victim: the biggest individual loss recorded by the police stands at £6m.

The scams tend to focus on “flavor of the month” investments, according to Detective Inspector Andy Thompson of City of London Police fraud squad. These have included land, diamonds, art, wine and, lately, cryptocurrencies, he said. Typically, salespeople known as “openers” call people on a list bought from marketing companies dubbed a “suckers list”. But it is so-called “closers” — those who set up the scam and tend to be the ones closing the deals — who are often the beneficiaries. During a recent raid on a boiler room scam, the police found framed photographs of Ferraris on the desks of closers, Det Insp Thompson said.

This type of fraud is becoming increasingly sophisticated. Keith Brown, a professor of social work at Bournemouth University who is also involved in research into scams for the Chartered Trading Standards Institute, warned that most people were unaware of the scale of financial fraud in the UK, which he estimated at about £10bn worth a year. “A lot of the new data protections and [some] new cold-calling regulations are very important and very helpful,” he said, referencing rules that came into force this month, banning unsolicited nuisance calls. “[But] there’s a lot of money to be made and criminals have a lot of resources to develop new tactics.”

Det Insp Thompson said many boiler rooms “sail close to legality”, often seeking out legitimate legal advice. Others move money offshore and create unnecessary layers of bureaucracy to frustrate the authorities. “It’s Darwinian,” he said. “You always catch the ones who are less sophisticated, but then they learn from that.”

Copyright The Financial Times Limited 2018. All rights reserved.

Former NASCAR driver must pay ex-wife $1 for secret recordings in bedroom, jury rules

A jury awarded the ex-wife of former NASCAR driver Greg Biffle $1 for secretly recording her in her bedroom and bathroom for two years, the woman’s lawyer told The Charlotte Observer on Monday night.

BY JOE MARUSAK

Greg Biffle’s actions “were found to be an unlawful invasion of privacy,” Nicole Biffle’s lawyer, Amy Simpson, told the Observer in a reply email seeking comment about Monday’s verdict in Mecklenburg County Civil Court.

During the nearly two-week trial, Greg Biffle “denied doing anything inappropriate,” and testified that his wife knew about the cameras, WSOC-TV reported.

“What the jury said sends a loud message that they don’t believe there was wrongdoing,” Biffle told the station. Attempts by the Observer to reach Greg Biffle on Monday night were unsuccessful.

In their lawsuit against the former driver, Nicole Biffle and her mother said that Greg Biffle secretly videotaped them in their bedrooms at the couple’s $2.7 million mansion on Lake Norman in Mooresville, North Carolina.


Nicole Biffle and her mother said in their lawsuit that Greg Biffle “has shown images captured by the hidden cameras to third persons,” the Observer reported.

In her email to the Observer on Monday night, Simpson said the case “has never been about money for Ms. Biffle. It’s been about holding Mr. Biffle accountable for the complete violation of her dignity and right to privacy that should be afforded all persons. And for that she’s proud of the verdict against him.”

Yet, Goodwin said in her email, “the $1 in damages is perplexing given the gravity of Mr. Biffle’s actions and the lengths he went to invade her privacy. But that is the verdict.”

Simpson said Nicole Biffle and her mother hope the jury will award punitive damages during the second phase of the trial that “adequately reflect the true severity of his actions.”

Nicole Biffle and her mother say in their lawsuit that Greg Biffle “has repeatedly asserted under oath that the Hidden Cameras were installed for ‘security purposes’ because he believed his maids were stealing from him.”

Nicole Biffle says in the lawsuit that she “has suffered loss of appetite, loss of sleep, pain in her abdomen, emotional distress, worry, humiliation, fear … and other anxiety-related conditions” as a result of the alleged secret filming.

Her mother suffered similar health problems, according to the lawsuit, “and was prescribed a drug for anxiety and tension in January 2016 as a result of the stress from being filmed.”

The lawsuit sought at least $100,000 in damages. The figure was closer to $9 million, WSOC-TV reported, citing unnamed sources.

The Biffles legally separated in March 2015, and Greg Biffle moved from their mansion in Mooresville to an apartment, Nicole Biffle’s lawsuit says. They married in 2007.

Greg Biffle still owns the Lake Norman home, which sits on 10 acres, Iredell County property records show. 

Are millennials keeping their data safe?

Norton reports one in three millennials use the same password for all accounts; 53 percent have shared passwords with friends or family.

By DECCAN CHRONICLE

While millennials’ awareness of the latest trends in technology and gadgets is high, it is alarming to see how poorly that knowledge is translated into practice, making them easy prey for hackers. According to the Norton Cybersecurity Insights Report, one in three millennials use the same password for all accounts, and approximately 53 percent of millennials have shared desktop passwords with friends or family members. These trends, witnessed amongst millennials, seem to have put them in a vulnerable position and made them common victims of cybercrime.

“Despite a steady stream of cybercrime sprees reported by media, millennials appear to feel invincible and skip taking even basic precautions to protect themselves,” said Ritesh Chopra, Director, Norton business for India.  “This disconnect highlights the need for consumer cyber safety and the urgency for consumers to get back to basics when it comes to doing their part to prevent cybercrime.”

This International Youth Day, Norton would like to share tips on how millennials and consumers can take a few steps towards building a more secure online presence.

Craft a strong, unique password using a phrase that consists of a string of words that are easy for you to memorize, but hard for others to guess. Don’t tie your password to publicly available information as it makes it easier for the bad guys to guess your password. The longer, the better! Additionally, if your account or device enables it, consider two-factor authentication for an extra layer of security. Finally, once you’ve created a strong password, stick with it until you’re notified of a security breach. If you feel overwhelmed, use a password manager to help!
Using unprotected Wi-Fi can leave your personal data vulnerable to eavesdropping by strangers using the same network so avoid anything that involves sharing your personal information when connected to an open Wi-Fi network. If you do use public Wi-Fi, consider using a Virtual Private Network (VPN) to secure your connection and help keep your information private.
Make it a habit to change default passwords on all network-connected devices, like smart thermostats or Wi-Fi routers, during set-up. If you decide not to use Internet features on various devices, such as smart appliances, disable or protect remote access as an extra precaution. Also, protect your wireless connections with strong Wi-Fi encryption so no one can easily view the data traveling between your devices.
Think twice before opening unsolicited messages or attachments, particularly from people you don’t know, or clicking on random links.
Protect your devices with a robust, multi-platform security software solution to help protect against the latest threats.

Spy camera fury: Staff walk out after discovering hidden lenses in Glasgow shop

STAFF at a city center health food store have gone on strike after discovering secret cameras in rooms where staff changed, just four weeks after opening.

Exclusive by Niall Christie

Workers at Harvest Stores, some under 18, were horrified and alerted police after finding the lenses hidden in a network modem and air detector.

The Union Street store, which has been closed since Monday’s walk out, houses nearly 70 cameras but, as the room is not a designated changing area, legal lines have not been crossed by managing director Amin Din.

The row emerged amid claims that Mr Din owes four staff thousands in unpaid wages.

Store manager Karen Nicholson, who led the walk out, said: “We shut the shop as soon as we found the cameras and got the police in.

“That is where staff got changed and nobody knew about these until Monday. We uncovered the cameras in the office on Sunday, where staff also get dressed, and then checked the staff room as we knew the number of cameras and microphones in the shop already.

“We might have suspected this but it was still a massive shock. He monitors the cameras from home.

“Police said that while it was morally questionable, legally he was in the clear.

“I am very upset. The staff are predominantly young women, some of them are just young girls under 18. Now they are worried about what has happened to the footage.”

She added that officers were “amazed” at the number of cameras in the shop.

Staff have also been left in the lurch as some are owed hundreds in unpaid wages from June. In total, four staff are yet to get just under £2,000 from the shop’s owner.

They now face an anxious wait to see whether they will be paid this week.

Despite being paid in full, supervisor Robert Taylor also walked out.

With three young children to support, he may have to sell belongings to afford food.

He said: “I’m putting together a list of things that I can afford to sell to pay rent.

“We’re doing this so new staff don’t have to deal with the secrets and lies like us.

“I will be looking for other work but I’m worried I won’t get my next pay this week.”

After walking out, staff approached the Baker’s Union and Better than Zero who are now supporting them through an industrial action.

A spokesperson for Better than Zero said: “It takes real courage to do what the workers at Harvest Stores are doing – standing together as union members, against a boss who has run his business with a toxic mix of control and intimidation.”

“Karen, Robert and their co-workers will go all the way to get the pay they’re due. But this is about more than settling a wage dispute – by speaking out and joining the BFAWU union en masse, they are lighting a beacon for everyone in Glasgow whose pay and conditions are set at the mercy of the boss.

“Precarious work is becoming the norm in Glasgow, and Better than Zero is ready to support all workers who are prepared to join unions and take on those who profit from low pay and insecurity.”

Police also confirmed that they had attended the store on Monday morning over a problem with security cameras.

They added: “Police provided assistance and advice was given to staff on the matter. No crime was identified.”

When asked to comment, Mr Din said that the matter was a “stupid oversight” on his part.

He said: “I hold my hands up and admit that I should have put signs up sooner.

“Basically the staff entered and found cameras in the staff kitchen area and office.

“It was not a changing area. The police confirmed that no law has been broken. They were installed by a reputable company. I can monitor these from home but they have not been working.

“They were purely for security purposes so that if there were any issues I could look back. I just never got around to putting them up. There is a separate area for changing for staff in the toilet facility, with a separate sink. This was made clear. There are cleaning products everywhere.

“The pay issue was resolved by the accountant and staff would have been paid in full on Monday. As the company is new, it hadn’t worked out.

“Staff were not paid in full or on time. Every single staff member was asked before hand. We were late getting details to the accountant so there was a delay.

“It was an oversight and they were there for security only.”

Hidden Cameras Targeting Female Workers at South Bay Tech Company

Many of the women working at the South Bay location are upset with how the company handled things

Women at a South Bay technology company are upset that they weren’t notified earlier about someone using hidden cameras to target female workers.

Two cameras were found hidden under the desks of two female employees at Rohr Inc., a subsidiary of United Technologies Corporation, one of the world’s biggest suppliers of aerospace and defense products. The company has a large campus in Chula Vista.

One employee, who didn’t want to be identified, told NBC 7 many of the women working at this location are upset with how the company handled things.

She said management became aware of the first camera roughly four months ago but didn’t notify employees until a second camera was discovered last week.

She said employees only found out when the company sent out a notice about an internal investigation to find the person or persons responsible for putting small cameras beneath the desks of female co-workers.

She feels like women working there deserved to know immediately so they could’ve been on the lookout themselves.

Laurie Chua, a local human resources consultant and expert witness, said it’s not surprising the company’s management waited to notify employees until a second camera was found.

“From an HR standpoint you want to think that this was just a one-off type of situation the first time it happened, and they would hope they get the camera, they’re probably doing an investigation to find out who did it,” Chua said. “The second time it happened, then I would think more than likely they’re going to tell the employees to be on the lookout for it.”

In a statement to NBC 7, Rohr said it is working with local law enforcement to investigate the incidents and catch the person or persons “responsible for this unacceptable conduct.”

“We take any situation involving employee well-being seriously and this is why we decided to inform our Chula Vista employees in a site-wide communication,” the statement said. “At the same time, we are working to protect the integrity of the investigation.”

Chula Vista Police Department said it has been notified and is working with the company to determine the source but didn’t elaborate on its role in the investigation.

Source: NBC San Diego

Man wanted for voyeurism after hidden camera found in Scarborough restaurant washroom

Toronto police are looking to identify a man wanted for allegedly placing a hidden camera in a Scarborough restaurant washroom.

Police said the suspect entered the business located at Midland Avenue and Silver Star Boulevard on May 9 around 6:27 p.m. and affixed a fake wall socket with a hidden camera inside the washroom.

Authorities released a security image of the suspect on Monday.

He is described as Asian, between 25 and 40 years of age, clean-shaven, short black hair and thin-to-medium build.

He was last seen wearing a red sweatshirt/jacket with blue stripes on the sleeves, tan pants and blue shoes.

Police are also investigating a similar incident inside a Starbucks washroom at the corner of Yonge and King streets in downtown Toronto earlier this month.

In that case, police said a camera was discovered in one of the coffee shop’s two unisex bathrooms on the wall behind an electrical outlet, under the sink and facing the toilet.

Anyone with information is asked to contact police at 416-808-4200 or Crime Stoppers anonymously at 416-222-TIPS.

Source: Global News


Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers

• We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus, with at least some elements located in the Xicheng District of Beijing.

• A number of Chinese state intelligence operations from 2009 to 2018 that were previously unconnected publicly are in fact linked to the Winnti umbrella.

• We assess with high confidence that multiple publicly reported threat actors operate with some shared goals and resources as part of the Chinese state intelligence apparatus.

• Initial attack targets are commonly software and gaming organizations in United States, Japan, South Korea, and China. Later stage high profile targets tend to be politically motivated or high value technology organizations.

• The Winnti umbrella continues to operate highly successfully in 2018. Their tactics, techniques, and procedures (TTPs) remain consistent, though they experiment with new tooling and attack methodologies often.

• Operational security mistakes during attacks have allowed us to acquire metrics on the success of some Winnti umbrella spear phishing campaigns and identify attacker location with high confidence.

• The theft of code signing certificates is a primary objective of the Winnti umbrella’s initial attacks, with potential secondary objectives based around financial gain.

Report Summary

The purpose of this report is to make public previously unreported links that exist between a number of Chinese state intelligence operations. These operations and the groups that perform them are all linked to the Winnti umbrella and operate under the Chinese state intelligence apparatus. Contained in this report are details about previously unknown attacks against organizations and how these attacks are linked to the evolution of the Chinese intelligence apparatus over the past decade. Based on our findings, attacks against smaller organizations operate with the objective of finding and exfiltrating code signing certificates to sign malware for use in attacks against higher value targets. Our primary telemetry consists of months to years of full fidelity network traffic captures. This dataset allowed us to investigate active compromises at multiple organizations and run detections against the historical dataset, allowing us to perform a large amount of external infrastructure analysis.

Background

The Winnti umbrella and closely associated entities have been active since at least 2009, with some reports of possible activity as early as 2007. The term “umbrella” is used in this report because current intelligence indicates that the overarching entity consists of multiple teams/actors whose tactics, techniques, and procedures align, and whose infrastructure and operations overlap. We assess that the different stages of associated attacks are operated by separate teams/actors; however, in this report we will show that the lines between them are blurred and that they are all associated with the same greater entity. The Winnti and Axiom group names were created by Kaspersky Lab and Symantec, respectively, for their 2013/2014 reports on the original group. The name “Winnti” is now primarily used to refer to a custom backdoor used by groups under the umbrella. Multiple sources of public and private threat intelligence have their own names for individual teams. For example, LEAD is a common alias for the group targeting online gaming, telecom, and high tech organizations. Other aliases for related groups include BARIUM, Wicked Panda, GREF, PassCV, and others. This report details how these groups are linked together and serve a broader attacker mission. The many names associated with actors in the greater intelligence mission arise because each name is built on the telemetry of a particular intelligence provider, which is typically unique to that provider and dependent on its specific dataset. This report focuses heavily on networking related telemetry.

We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus. This assessment is based on attacker TTPs, observed attack infrastructure, and links to previously published intelligence. Their operations against gaming and technology organizations are believed to be economically motivated in nature. However, based on the findings shared in this report we assess with high confidence that the actor’s primary long-term mission is politically focused. It’s important to note that not all publicly reported operations related to Chinese intelligence are tracked or linked to this group of actors. However, TTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the Chinese intelligence community shares human and technological resources across organizations. We assess with medium to high confidence that the various operations described in this report are the work of individual teams, including contractors external to the Chinese government, with varying levels of expertise, cooperating on a specific agenda.

In 2015 the People’s Liberation Army of China (PLA) began a major reorganization which included the creation of the Strategic Support Force (SSF / PLASSF). SSF is responsible for space, cyber, and electronic warfare missions. Some of the overlap we observed from groups could potentially be related to this reorganization. Notably, key incident details below include attacker mistakes that likely reveal the true location of some attackers as the Xicheng District of Beijing.

Tactics, Techniques and Procedures (TTPs):

Though the TTPs of the attacking teams vary depending on the operation, their use of overlapping resources presents a common actor profile. Key interests during attacks often include the theft of code signing certificates, source code, and internal technology documentation. They also may attempt to manipulate virtual economies for financial gain. While unconfirmed, the financial secondary objective may be related to personal interests of the individuals behind the attacks.

Initial attack methods include phishing to gain entry into target organization networks. The group then follows with custom malware or publicly available offensive tooling (Metasploit/Cobalt Strike), and may use a number of methods to minimize their risk of being detected. Such techniques include a particular focus on “living off the land” by using a victim’s own software products, approved remote access systems, or system administration tools for spreading and maintaining unauthorized access to the network.

We have observed incidents where the attacker used other victim organizations as a proxy for unauthorized remote access. In these cases, organization 1 had been compromised for a long period of time, and the attacker accessed victim organization 2 via the organization 1 network.

Delivery and C2 domains routinely have subdomains which resemble target organizations. Additionally, their C2 domains are used across many targets, while subdomains tend to be created and removed quickly and are unique to a particular target or campaign. Also noteworthy is that the actors set their domains to resolve to 127.0.0.1 when not in use, similar to what was originally reported on by Kaspersky Lab (see below).
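One way a defender might encode the DNS pattern just described (target-lookalike subdomains that appear and vanish quickly, and apex domains parked at 127.0.0.1 between campaigns) as a detection over passive-DNS data. This is an added example, not tooling from the report; the domains, IP addresses, dates and the organization token are constructed placeholders.

```python
"""Detection heuristics for the Winnti-umbrella DNS pattern described above.

Runs over a few constructed passive-DNS records and flags two behaviours:
  1. apex domains that resolved to 127.0.0.1 at some point (parked C2);
  2. short-lived subdomains whose left-most label resembles a monitored org.
A parked apex that also carried a lookalike subdomain is reported as a
strong signal, since the two behaviours together match the described TTP.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DnsRecord:
    name: str          # fully qualified name as seen in passive DNS
    rdata: str         # A record value
    first_seen: date
    last_seen: date


def registered_domain(name: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for the constructed data here;
    a real deployment would consult the public suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def loopback_parked(records):
    """Apex domains that at some point resolved to 127.0.0.1."""
    return sorted({registered_domain(r.name) for r in records if r.rdata == "127.0.0.1"})


def short_lived_lookalike_subdomains(records, org_tokens, max_days=14):
    """Subdomains (not apex names) seen for at most max_days whose left-most
    label contains one of the monitored organization tokens.
    Returns (name, matched_token, lifetime_in_days) tuples."""
    hits = []
    for r in records:
        labels = r.name.lower().rstrip(".").split(".")
        if len(labels) <= 2:
            continue  # apex domain, not a subdomain
        lifetime = (r.last_seen - r.first_seen).days
        matched = [t for t in org_tokens if t in labels[0]]
        if matched and lifetime <= max_days:
            hits.append((r.name, matched[0], lifetime))
    return hits


def analyse(records, org_tokens):
    """Combine both heuristics; 'strong' = lookalike subdomain under a parked apex."""
    parked = loopback_parked(records)
    lookalikes = short_lived_lookalike_subdomains(records, org_tokens)
    strong = [h for h in lookalikes if registered_domain(h[0]) in parked]
    return {"parked": parked, "lookalikes": lookalikes, "strong": strong}


# Constructed sample data: placeholder domains and documentation-range IPs, not real indicators.
SAMPLE = [
    DnsRecord("c2-placeholder.example", "127.0.0.1", date(2018, 1, 3), date(2018, 2, 1)),
    DnsRecord("acmegames-vpn.c2-placeholder.example", "198.51.100.7", date(2018, 2, 2), date(2018, 2, 6)),
    DnsRecord("c2-placeholder.example", "198.51.100.7", date(2018, 2, 2), date(2018, 2, 6)),
    DnsRecord("www.benign-placeholder.example", "203.0.113.10", date(2017, 1, 1), date(2018, 3, 1)),
    DnsRecord("acmegames.benign-placeholder.example", "203.0.113.10", date(2017, 1, 1), date(2018, 3, 1)),
]
ORG_TOKENS = ["acmegames"]  # hypothetical monitored organization name fragment

if __name__ == "__main__":
    for key, value in analyse(SAMPLE, ORG_TOKENS).items():
        print(key, value)
```

The long-lived `acmegames.benign-placeholder.example` record is deliberately present so the lifetime threshold, not the name match alone, decides the verdict.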

The actor often uses TLS encryption for varying aspects of C2 and malware delivery. As noted in the “Infrastructure Analysis” section of this report, the actor primarily abuses Let’s Encrypt to sign SSL certificates. We also observed many cases in which self-signed certificates were used in attacks.

Overall, the Winnti umbrella and linked groups are lacking when it comes to operational security. However, some activities linked to these groups follow better operational security and infrastructure management approaches. This may be a clue to the division of responsibilities by team and skill level within the broader organization.

Targets:

The Winnti umbrella and linked groups’ initial targets are gaming studios and high tech businesses. They primarily seek code signing certificates and software manipulation, with potential financially motivated secondary objectives. These targets have been identified in the United States, Japan, South Korea, and China.

Based on the infrastructure, links to previous reporting, and recently observed attacks, the broader organization’s main targets are political. Historically this has included Tibetan and Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent international technology organizations.

One example of a politically focused lure by the Winnti umbrella and linked groups is an end of 2017 document titled “Resolution 2375 (2017) Strengthening Sanctions on DPR of KOREA” which is a malicious file associated with the C2 infrastructure described here – see MD5: 3b58e122d9e17121416b146daab4db9d.

Some Key Public Reports:

2013:
Kaspersky Lab publicly reported on the original Winnti group, technical details around the Winnti samples, and various honeypot analysis methods. Most noteworthy is the Winnti umbrella’s targeting of gaming organizations in search of code signing certificates, virtual currencies, and updating mechanisms which could potentially be used to attack victims’ clients. Interestingly, this was the first identified trojan for the 64-bit Microsoft Windows operating system with a valid digital signature as noted by the author. The abuse of signed applications is a very effective attack approach that the entity continues to use.

2014:
Novetta released an outstanding report detailing “Operation SMN,” in which they collaborated with a number of private organizations on a large-scale malware eradication operation which is linked to the original Winnti group by the malware being delivered. In the report, the actor is named Axiom. Novetta reported links to publications from as far back as 2009 that also link the group to the Chinese state intelligence apparatus with high confidence. Links exist to various known attacks and actor groups, such as “Operation Aurora,” the Elderwood Group’s successful 2010 attack against Google and many other organizations. Another link exists to the successful compromise of the security organization Bit9 in 2013, where their own product was used to sign and spread malware to their customers. In addition, FireEye’s “Operation DeputyDog” detailed attacks on Japanese targets from the same attacker infrastructure. Many other incidents are detailed in the Operation SMN report. Following all of these details back in time, we can see an overlap in TTPs and targets with the APT1 report by Mandiant, which serves as a great historical example of Chinese intelligence cyber operations in their most basic form.

2016:
Cylance released a blog post reporting on digitally signed malware used in targeted attacks against gaming organizations in China, Taiwan, South Korea, Europe, Russia, and the United States. Cylance refers to the attacking entity as “PassCV” in their reporting. Cylance successfully identified a large quantity of malware binaries which were signed with valid certificates stolen from a number of gaming studios in East Asia. In addition to detailing the individual certificates and signed malware, they identified a significant amount of network infrastructure which contains various interesting links to our own findings.

2017 – March/April:
Trend Micro reported on attacks that abused GitHub for use in malware command and control, which they attributed to the original Winnti group. Amusingly, Trend Micro later reported on an individual linked to the group and the attacks who happens to be a fan of pigs.

2017 – July 5th:
Citizen Lab reported on attacks against journalists by an actor mimicking China-focused news organizations HK01, Epoch Times, Mingjing News, and Bowen Press. As Citizen Lab noted, these news organizations are blocked in China for their political views. The report notes that malware used in these attacks was linked to a stolen code signing certificate mentioned in the Cylance PassCV post. That overlap, in addition to infrastructure links from a Palo Alto Unit 42 blog post, strongly links this attack to the previously mentioned reports as well as to our own. As Unit 42 reports, the attacks against entities in the government of Thailand used the “bookworm” trojan.

2017 – July/October:
ProtectWise 401TRG published our own findings and an update on LEAD using open source and public tooling in attacks against Japanese gaming organizations. These attacks are linked with high confidence to ongoing operations in the United States and East Asia.

Other Noteworthy Events:
In 2017, multiple supply-chain attacks occurred which had some similarities to the Winnti umbrella and associated entities. For example, Kaspersky reported on ShadowPad, a large-scale compromise of NetSarang, which resembles the Winnti and PlugX malware. In addition, Kaspersky and Intezer identified notable code similarities to the Winnti umbrella and APT17 in the compromise of Piriform, which allowed attackers to sign and spread altered versions of the CCleaner software to a large customer base.

Analysis of Attacks on Initial Targets

Throughout 2017 and 2018, ProtectWise 401TRG was involved in a number of detection and incident response engagements with our customers that linked back to the Winnti umbrella and other closely associated entities. Through the analysis of public and private intelligence, we have successfully identified similar attacks, which allow us to assess with high confidence that the details below follow a global attack trend as the Chinese intelligence operations have evolved over time.

2017 Operations:
One of the most common tactics used by the Winnti umbrella and related entities is phishing users whose credentials may provide elevated access to a target network. We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective.

In 2017 the entity focused most of its efforts around technical job applicant email submissions to software engineering, IT, and recruiting staff, which we originally reported on at our 401trg.pw blog. The phishing lures used multiple languages, including Japanese as in the below example:

The approximate translation is as follows:

I saw your job posting. My main languages are Object-C, JAVA, and Swift, and I have 7 years experience with Ruby and 6 years experience with PHP. I have 5 years experience developing iOS apps, as well as Android apps, AWS, Jenkins, Microsoft Azure, ZendFramework, and smartphone application payment processing. I also have 5 years experience with MSSQL, Mysql, Oracle, and PostgreSQL. Please see here: [malicious link]


The process that followed a target clicking the malicious link evolved as the attacker progressed through the campaigns. The links consistently sent the victim to a fake resume, but the exact format of that resume changed over time; we have observed resumes being delivered as DOC, XLS, PDF, and HTML files. Once opened, the fake resumes performed various actions in an effort to download malware onto the victim host. During the same time period, we also observed the actor using the Browser Exploitation Framework (BeEF) to compromise victim hosts and download Cobalt Strike. In this campaign, the attackers experimented with publicly available tooling for attack operations. During this infection process, the actor was known to check the target operating system and deliver malware, signed by a previously stolen key, for the appropriate host environment. In some cases, valid Apple certificates stolen from victims were used in this process, which linked the attack to additional victim organizations.

Post-compromise actions by the attacker followed a common pattern. First they attempted to spread laterally in the network using stolen credentials and various reconnaissance efforts, such as manually examining shares and local files. The primary goal of these attacks was likely to find code-signing certificates for signing future malware. The secondary goals of the attackers depended on the type of victim organization, but were often financial. For example, gaming organizations tended to fall victim to manipulation or theft of in-game virtual currencies. Non-gaming victims may have experienced theft of intellectual property such as user or technology data.

2018 Operations:
More recently, various attack campaigns from the Winnti umbrella and associated groups have been very successful without the use of any exploits or malware. Phishing remains the initial infection vector but the campaign themes have matured. In 2018, the campaigns have largely been focused on common services such as Office 365 and Gmail.

It is important to note that attackers likely have additional information on their target organizations’ preferred email solutions based on previous incidents or open source intelligence.

In more recent phishing campaigns conducted by the Winnti umbrella and associated groups, URL shortening services have been used. For example, Google’s URL shortening service goo.gl was used over the past weeks, allowing us to gain insight into the scale of this campaign using publicly available analytics.

As you can see from the above screenshot, this particular phishing campaign ran from March 20th to March 28th, 2018. Notably, the link was created on February 23rd, 2018, indicating roughly three weeks of preparation for the attacks. These metrics allow us to gain insight into who clicked the link in a phishing email and was directed to a phishing or malware delivery landing page. According to Google analytics, there were a total of 56 clicks. 29 were from Japan, 15 from the United States, 2 from India, and 1 from Russia. 33 of the clicks were from Google Chrome, and 23 were from Safari. 30 were from Windows OS hosts, and 26 were macOS hosts.

In general, the attackers phish for credentials to a user’s cloud storage, and would be expected to later attempt malware delivery in the cases of a failed credential phish or valueless cloud storage.

In cases where the victim uses O365 and/or G-suite for enterprise file storage, the attackers manually review the contents for data of value. If code signing certificates are stored here, the primary mission has been accomplished, as they may be easily downloaded. In other cases, the attackers attempt to use other files and documentation in the cloud storage to help them traverse or gain privileges on the network. The targets in 2018 include IT staff, and commonly sought out files include internal network documentation and tooling such as corporate remote access software.

Once the attackers gain remote access to the network via malware or stolen remote access tooling and credentials, the operation continues as we’ve seen, though their post-compromise actions have become more efficient and automated. Internal reconnaissance is performed by scanning the internal network for open ports 80, 139, 445, 6379, 8080, 10022, and 30304. The choice of ports by the attacker indicates a strong interest in internal web and file storage services. An interesting addition is the use of 30304, which is the peer discovery port for Ethereum clients.

In the attackers’ ideal situation, all remote access occurs through their own C2 infrastructure, which acts as a proxy and obscures their true location. However, we have observed a few cases of the attackers mistakenly accessing victim machines without a proxy, potentially identifying the true location of the individual running the session. In all of these cases, the net block was 221.216.0.0/13, the China Unicom Beijing Network, Xicheng District.
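The two post-compromise signals described above, the internal sweep of ports 80, 139, 445, 6379, 8080, 10022 and 30304, and unproxied remote access from 221.216.0.0/13, can both be checked against flow records. This is an added example rather than tooling from the report; the flow records are constructed, and the thresholds (`min_ports`, `min_hosts`) are assumed values a defender would tune.

```python
# Added example (not the 401TRG report's code): run two detections over
# constructed network-flow records for the post-compromise behaviour above.
import ipaddress
from collections import defaultdict

# Ports the report says the attackers sweep during internal reconnaissance.
RECON_PORTS = {80, 139, 445, 6379, 8080, 10022, 30304}
# Net block the report associates with unproxied attacker sessions.
ATTACKER_NETBLOCK = ipaddress.ip_network("221.216.0.0/13")

# Constructed sample flows: (src_ip, dst_ip, dst_port). Not real traffic.
SAMPLE_FLOWS = [
    ("10.0.5.23", "10.0.1.10", 80),
    ("10.0.5.23", "10.0.1.10", 445),
    ("10.0.5.23", "10.0.1.11", 6379),
    ("10.0.5.23", "10.0.1.12", 30304),   # Ethereum peer-discovery port
    ("10.0.5.23", "10.0.1.13", 10022),
    ("10.0.7.40", "10.0.1.10", 443),     # ordinary HTTPS use, not a recon port
    ("10.0.7.41", "10.0.1.10", 80),      # one recon port, one host: below threshold
    ("221.217.3.8", "10.0.2.50", 3389),  # remote access from the flagged block
    ("203.0.113.9", "10.0.2.50", 3389),  # remote access from elsewhere
]


def find_recon_scanners(flows, min_ports=3, min_hosts=2):
    """Return internal sources that touch several recon ports on several internal hosts.

    Requiring both a spread of ports and a spread of destinations keeps a
    single legitimate connection to a web or SMB server from firing the rule.
    """
    ports_by_src = defaultdict(set)
    hosts_by_src = defaultdict(set)
    for src, dst, port in flows:
        if port in RECON_PORTS and ipaddress.ip_address(dst).is_private:
            ports_by_src[src].add(port)
            hosts_by_src[src].add(dst)
    return sorted(
        src for src in ports_by_src
        if len(ports_by_src[src]) >= min_ports and len(hosts_by_src[src]) >= min_hosts
    )


def find_unproxied_attacker_access(flows):
    """Return (src, dst, port) flows whose source lies inside the flagged net block."""
    return [
        (src, dst, port)
        for src, dst, port in flows
        if ipaddress.ip_address(src) in ATTACKER_NETBLOCK
    ]


if __name__ == "__main__":
    print("recon scanners:", find_recon_scanners(SAMPLE_FLOWS))
    print("unproxied access:", find_unproxied_attacker_access(SAMPLE_FLOWS))
```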

Visualizing Attacker Infrastructure

Based on the various incidents we have been involved in, in addition to past public reporting and open-source intelligence, we can construct a map representing the infrastructure most closely associated with the Winnti umbrella and closely related entities. For the sake of producing an accurate representation of the infrastructure, we are excluding any shared infrastructure (such as hosting provider IPs used for many unrelated domains) and low confidence indicators. Please note this is not an exhaustive list of all active infrastructure in use by the group.

As detailed below, this infrastructure spans at least eight years of activity by the Winnti umbrella and related groups. Please note, as this section heavily references the “Some Key Public Reports” section, above, we recommend reading that first. Indicators are provided in Appendix A of PDF (see top of page).

1. The area of the map labeled #1 is the phishing, malware delivery, fake resume, and C2 infrastructure. This includes domains, IPs, malware hashes, SSL certificates, and WHOIS information. In this section of the infrastructure, we primarily observe the network and file indicators which would be used against targets valued for code signing certificates, software manipulation, and potential financial manipulation. The indicators detailed in the 2017 & 2018 Initial Target section of this report are located in #1. Infrastructure in this area is currently in use and not entirely historical.

2. This area is a network that we assess is associated with the umbrella with low confidence. The most interesting findings here are the large number of Let’s Encrypt SSL certificates in use and the overlap with attacker exclusive infrastructure. This proposed relationship is generated by infrastructure links alone, as no malicious activity has been confirmed to or from region #2. Infrastructure in this area is currently in use and not historical.

3. Area #3 is linked to the initial attack infrastructure (#1) by domain WHOIS details, likely from operational security mistakes. We assess with high confidence that these infrastructures are linked. Based on the lax structure and naming of this section, it is highly probable that it is used for attacker experimenting and development. Some examples include domains such as “nobody.will.know.whoami[.]la”, “secret.whoami[.]la”, and “no.ip.detect.if.using.ipv6[.]la”. Infrastructure in this area is currently in use and not historical.

4. This area has various links to #3 in which an individual software developer is identified. We assess this connection with low to medium confidence and will refrain from publicly sharing details in this report. This area contains many personally operated domains and SSL certificates. Infrastructure in this area is currently in use and not historical.

5. Area #5 of the map is part of what Novetta reported on as Operation SMN in 2014. Infrastructure in this area is purely historical and based on Novetta’s reporting, which we can link to area #1 via known umbrella infrastructure. The vast majority of indicators in this area are the many associated hashes, combined with their C2 destination domains and IPs.

6. This area of the map is what Cylance reported on as PassCV in 2016. The vast majority of infrastructure and indicators here are stolen code signing certificates, malware signed with the certificates, and C2 domains. This area contains information on many victims of campaigns related to area #1. Infrastructure in this area is historical. We assess that this area is linked to the Winnti umbrella with high confidence.

7. This section represents infrastructure identified by Citizen Lab in their July 5th 2017 reporting on attacks against journalists. As they originally identified, one of the NetWire binaries was signed with a stolen certificate linked to #6, the Cylance PassCV report. We were able to further expand this section by pivoting off of additional domain WHOIS information.

8. Lastly is area #8, which links back with high confidence to #7 (Citizen Lab reporting) and #6 (PassCV). This area consists of domains, IPs, MD5 file hashes, and further WHOIS operational security mistakes. This area is similar in functionality to #1 and #3, serving as infrastructure for both high-value politically focused attacks and developer personal use. This section links to the online identities of an individual we assess to be associated with the Winnti umbrella or a closely related group at a medium to high confidence. One example of malicious activity in this area was the document detailing the strengthening of sanctions against North Korea, above. These activities are similar to the type of politically motivated targeted attacks Citizen Lab reported on. Some infrastructure in this area is currently in use and is not completely historical.

Investigative Findings

Based on incident response engagements, research into the associated attacker infrastructure, and previously reported research, we can summarize our findings as follows:

1. The Chinese intelligence apparatus has been reported on under many names, including Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF.

2. The overlap of TTPs and infrastructure between the Winnti umbrella and other groups indicates the use of shared human and technology resources working towards an overarching goal. Operational security mistakes allow the linking of attacks on lower value targets to higher value campaigns. Reuse of older attack infrastructure, links to personal networks, and observed TTPs play a role in this overlap.

3. The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221.216.0.0/13.

4. Initial attack targets are commonly software organizations in the United States, Japan, South Korea, and China. Later stage high profile targets tend to be political organizations or high-value technology companies.

5. The attackers grow and learn to evade detection when possible, but lack operational security when it comes to the reuse of some tooling. Living off the land and adaptability to individual target networks allow them to operate with high rates of success.

Conclusion

We hope the information we’ve shared in this report will help potential targets and known victims in addition to the greater information security community. Though they have at times been sloppy, the Winnti umbrella and its associated entities remain an advanced and potent threat. We hope that the information contained within this report will help defenders thwart this group in the future.

We’d like to extend a special thank you to all the victims, targets, researchers, and security vendors who have shared their own findings over the years.

Indicators

Indicators can be found in the PDF version of this report and our GitHub Detection IOC repository. Enjoy!

Source: 401 TRG

Spy agency NSA triples collection of U.S. phone records – official report

An aerial view of the National Security Agency (NSA) headquarters in Fort Meade, Maryland, U.S. January 29, 2010. REUTERS/Larry Downing/File Photo

WASHINGTON (Reuters) – The U.S. National Security Agency collected 534 million records of phone calls and text messages of Americans last year, more than triple the number gathered in 2016, a U.S. intelligence agency report released on Friday said.

The sharp increase from 151 million occurred during the second full year of a new surveillance system established at the spy agency after U.S. lawmakers passed a law in 2015 that sought to limit its ability to collect such records in bulk.

The spike in collection of call records coincided with an increase reported on Friday across other surveillance methods, raising questions from some privacy advocates who are concerned about potential government overreach and intrusion into the lives of U.S. citizens.

The 2017 call records tally remained far below the estimated billions of records collected per day under the NSA’s old bulk surveillance system, which was exposed by former U.S. intelligence contractor Edward Snowden in 2013.

The records collected by the NSA include the numbers and time of a call or text message, but not their content.

Overall increases in surveillance hauls were both mystifying and alarming coming years after Snowden’s leaks, privacy advocates said.

“The intelligence community’s transparency has yet to extend to explaining dramatic increases in their collection,” said Robyn Greene, policy counsel at the Washington-based Open Technology Institute that focuses on digital issues.

The government “has not altered the manner in which it uses its authority to obtain call detail records,” Timothy Barrett, a spokesman at the Office of the Director of National Intelligence, which released the annual report, said in a statement.

The NSA has found that a number of factors may influence the amount of records collected, Barrett said. These included the number of court-approved selection terms, which could be a phone number of someone who is potentially the subject of an investigation, or the amount of historical information retained by phone service providers, Barrett said.

“We expect this number to fluctuate from year to year,” he said.

U.S. intelligence officials have said the number of records collected would include multiple calls made to or from the same phone numbers and involved a level of duplication when obtaining the same record of a call from two different companies.

Friday’s report also showed a rise in the number of foreigners living outside the United States who were targeted under a warrantless internet surveillance program, known as Section 702 of the Foreign Intelligence Surveillance Act, that Congress renewed earlier this year.

That figure increased to 129,080 in 2017 from 106,469 in 2016, the report said, and is up from 89,138 targets in 2013, or a cumulative rise over five years of about 45 percent.

U.S. intelligence agencies consider Section 702 a vital tool to protect national security but privacy advocates say the program incidentally collects an unknown number of communications belonging to Americans.

 

Source: Yahoo News
(Reporting by Dustin Volz; editing by Grant McCool)

Eavesdropping devices found in Central Bank

Central Bank of Curaçao

WILLEMSTAD – Eavesdropping equipment was detected inside the main building of the Central Bank of Curaçao and St. Maarten (CBCS) in Willemstad, management confirmed.

News of the possible presence of such devices was reported by local media on April 5.

It turns out the matter was first checked after personnel reported a sense that they were being listened in on. The bank also conducts a regular security assessment.

Based on early indications, further investigation followed. It concluded that there was indeed equipment that could be used for eavesdropping and recording conversations, as well as equipment to prevent such eavesdropping.

None of the devices were active and they have since been removed.

Source: The Daily Herald

Prince George’s Co. police investigating hidden camera found inside school administrative office

PALMER PARK, Md. – Prince George’s County police and school officials said an investigation is underway after a hidden video recording device was discovered inside an administrative office at a school.

Prince George’s County Public Schools CEO Dr. Kevin Maxwell said police were notified after the camera was found Monday morning by the person who works in the office.

Police believe the camera could be accessed remotely and was there for several months. Investigators are now completing a forensic analysis of the device to determine what may have been recorded.

Prince George’s County Police Chief Hank Stawinski emphasized that it’s unlikely the camera was there to film children. Stawinski said he believes the device was being used to gather information.

“It is entirely unclear at this point as to what the goal of gathering that information was, but I want to reassure parents and the community that it wasn’t in a public place or a locker room or a bathroom where young people might have images captured of them,” the police chief said. “Beyond that, I want to be very judicious in what I say because it is an active investigation by our Public Corruption Squad.”

Police would not name the school where the camera was found because they do not want to identify the victim.

“We do not believe it was intended for criminal purposes, but at this point of the investigation, we are unclear as to who authorized the placement of that device,” Stawinski said.

“In this case, I have asked the chief to investigate a matter in the school system and we thought together that it was best for us to make sure we came forward in a transparent way,” said Dr. Maxwell.

By: fox5dc.com staff, Lindsay Watts

Source: Fox5