Infosec Round-Up Oct 1st
Payment Flaw, Crypto Crackdown & NK Arrest
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
Contactless Payment Flaw
Researchers have discovered an iPhone flaw which could allow payments of £1,000 to be made from a locked device.
Discovered by researchers from the Computer Science departments of the Universities of Birmingham and Surrey, the flaw pertains to Visa cards set up in ‘Express Transit’ mode within Apple Pay; Express Transit is a feature which enables commuters to make quick contactless payments without unlocking their phones.
Despite the exploit being demonstrated to BBC journalists, there is currently no evidence the flaw has been exploited by criminals.
Visa responded that this type of attack was “impractical” outside of a lab. Dr Andreea Radu, of the University of Birmingham, stated: “It has some technical complexity - but I feel the rewards from doing the attack are quite high”. She added that, if unaddressed, "in a few years these [flaws] might become a real issue”.
China’s Crypto Crackdown
Continuing its crackdown on cryptocurrency, China’s central bank has announced that all transactions of crypto are illegal and that “virtual currency-related business activities are illegal”.
The bank warned that such transactions “seriously endanger the safety of people’s assets”. The trading of virtual currencies has been officially banned since 2019, though this announcement marks an escalation in the Chinese government’s crackdown.
In June of this year, the government told banks and other payment platforms to stop facilitating transactions, and banned the mining of such currencies, though this new announcement makes it clear that those involved are committing a crime and will be prosecuted.
Luisa Kinzius, a director at China-focussed consultancy Sinolytics, noted on the matter: “The announcement is also targeting any Chinese citizen working for crypto-related companies abroad, declaring their work as illegal and putting them at risk of being legally investigated.”
She added: “China is very hesitant towards pure financial speculation due to financial stability concerns – and of course, cryptocurrency is very much driven by speculation.”
Ethereum Researcher Pleads Guilty
Virgil Griffith, a former special projects developer and researcher for the Ethereum Foundation, has this week pleaded guilty to charges of assisting North Korea in evading U.S. sanctions.
Having travelled to North Korea in 2019 to attend the Pyongyang Blockchain and Cryptocurrency Conference, the crypto expert was arrested seven months later when re-entering the US for what prosecutors describe as “[participating in] discussions regarding using cryptocurrency technologies to evade sanctions and launder money”.
Griffith, who faces a maximum sentence of 20 years in prison, had been denied permission to travel to North Korea by the US Department of State and, according to court documents, sought to obscure his activities from the authorities.
U.S. Attorney Audrey Strauss stated on the case: “Griffith worked with others to provide cryptocurrency services to North Korea.” She added: “In the process, Griffith jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.