Fears grow for smaller nations after ransomware attack on Costa Rica escalates

It’s been a rough start for the newly-elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.

“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”

Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and would impact the country’s foreign trade.

In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”

Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly, and the Irish healthcare service.

But Conti has picked up its pace in recent months: in January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.

Why Costa Rica?

Some believe that Conti’s campaign against Costa Rica is motivated by the country’s siding with Ukraine. Experts say all signs point to money.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that “there’s no reason to believe that the attack on Costa Rica is other than financially-motivated.” And Maya Horowitz, the vice president of research at Check Point Software, said that based on its research, Conti’s extortion planning is “very focused and based on the ability of the victim to pay.”


Chaves has repeatedly blamed the attack on his predecessor, former president Carlos Alvarado, for not investing in cybersecurity. While it’s unclear exactly what measures the country had implemented to protect against cyberattacks, Jorge Mora, the country’s director of digital governance, recently said that four million hacking attempts were blocked thanks to “protection systems” installed across institutions.

But it’s more likely that Costa Rica was just unlucky and targeted as part of a wider operation rather than due to any perceived weakness.

“Situations like this reflect the asymmetric realities of attack and defense where attackers only need to be lucky once,” Jamie Boote, a software security consultant at the Synopsys Software Integrity Group, told TechCrunch. “If one in one hundred targets becomes a victim that can pay out millions in ransom, then it pays to target hundreds.”

Callow adds that it’s also possible that Conti targeted Costa Rica due to the increased success U.S. and European law enforcement have seen in disrupting their operations.

“They may not make as much money off attacks in countries like Costa Rica and Peru, but they’re not going to end up with a multi-million dollar bounty on their heads or with U.S. Cyber Command in their servers,” said Callow. “Less gain, less risk. Or, at least, that’s what they may believe.”

An inside job?

In a message posted to its dark web blog over the weekend, Conti claimed it had “insiders in [the Costa Rican] government,” which could go some way to explaining why the country became a target, or why the attack had such a devastating impact. This claim was echoed by President Chaves earlier this week, who said “there are very clear indications that people within the country are collaborating with Conti.”

However, security experts tell TechCrunch that Conti’s claims should be treated with a heavy dose of skepticism.

“Dark web records reveal a user by this moniker has only been active on a popular cybercrime forum since March 2022 — around a month before the attacks on Costa Rica started,” Louise Ferrett, threat analyst from Searchlight Security, tells TechCrunch. “So, while it’s possible Conti could have bribed or socially engineered insiders within the country’s government, it seems unlikely they would have amassed so much influence so quickly.”

“It is a known tactic for ransomware gangs to make exaggerated and outlandish threats in order to instill a sense of urgency in the victim and obtain a ransom payment,” Ferrett said.

What — or who — is next?

“The success of these attacks should concern smaller governments around the world,” Allan Liska, an intelligence analyst at Recorded Future, tells TechCrunch. He added:

While many ransomware groups won’t touch national governments, others, like Conti feel they are untouchable and will go after whatever victim they want because they assume there will be no consequences. This is going to be an increasingly bigger problem and governments have to take firm action against ransomware actors. These are non-nation-state groups engaging in essentially nation-state-style attacks and there should be appropriate repercussions for these actions.

This is a viewpoint shared by Callow, who tells TechCrunch that we can expect to see organizations in countries outside of the U.S. receive more attention from ransomware gangs, particularly in low-income countries where cybersecurity spending is lower. “The U.S. public and private sectors are vulnerable to cyberattacks, and may be even more vulnerable in other countries,” he said.

Conti’s attack against Costa Rica is ongoing. In a post on Friday, Conti said it will delete the encryption keys used to lock Costa Rica’s government systems on May 23. As of the time of writing, Costa Rica’s government has refused to give in to Conti’s ransom demands.

But we are already seeing the emergence of similar attacks on smaller nation states. Greenland’s government this week confirmed that the island’s hospital system was “severely” impacted by a cyberattack, which has meant that hospital workers cannot access any patient medical records.

DOJ says it will no longer prosecute good-faith hackers under CFAA

The U.S. Justice Department announced Thursday it will not bring charges under federal hacking laws against security researchers and hackers who act in good faith.

The policy for the first time “directs that good-faith security research should not be charged” under the Computer Fraud and Abuse Act, a seismic shift away from its previous policy that allowed prosecutors to bring federal charges against hackers who find security flaws for the purpose of helping to secure exposed or vulnerable systems.

The Justice Department said that good-faith researchers are those who carry out their activity “in a manner designed to avoid any harm to individuals or the public,” and where the information “used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The Computer Fraud and Abuse Act, or CFAA, was enacted in law in 1986 and predates the modern internet. The federal law dictates what constitutes computer hacking — specifically “unauthorized” access to a computer system — at the federal level. But the CFAA has long been criticized for its outdated and vague language that does little to differentiate between good-faith researchers and hackers, and malicious actors who set out to extort companies or individuals or otherwise cause harm.

Last year the Supreme Court took its first look at the CFAA since the law came into force, and for the first time determined precisely what the CFAA’s reading of “unauthorized” access means under the law, and subsequently limited its scope, effectively eliminating an entire class of hypothetical scenarios — like violating a web service’s privacy policy, checking sports results from a work computer, and more recently scraping public web pages — under which federal prosecutors could have brought charges.

Now the Justice Department is ruling out, albeit a year on from the court’s ruling, bringing federal charges over these kinds of scenarios and instead focusing on cases where malicious actors deliberately break into a computer system.

The policy shift is not a legislative fix and could, just as the Justice Department did today, change in the future. It also does not protect good-faith hackers — or anyone else accused of hacking — from state computer hacking laws.

In a statement, U.S. deputy attorney general Lisa O. Monaco said: “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

Some critics may not accept that claim so willingly following the death of Aaron Swartz, who died by suicide in 2013 after he was charged under the CFAA for downloading 4.8 million articles and documents from academic subscription service JSTOR. Although JSTOR declined to pursue the case, federal prosecutors still brought charges accusing him of theft.

Since Swartz’s death, campaigners and lawmakers alike have pushed “Aaron’s Law,” to reform and codify changes to the CFAA in law to better protect good-faith hackers.

Texas exposed 1.8 million residents’ data for almost 3 years

The personal information of 1.8 million Texas residents who filed insurance claims with the Texas Department of Insurance was exposed and publicly accessible for almost three years, according to a recently published state audit.

News of the security lapse was first disclosed by the department in March, almost three months after it first became aware of the exposed data in January during the course of a preplanned data management audit.

The department said that it became aware of a security issue with the web application that manages workers’ compensation information and took the site offline to fix it, and said it was notifying residents who filed claims between March 2019 and January 2022 that their names, addresses, dates of birth, phone numbers, Social Security numbers and details of their claims were affected by the exposure.

The state did not provide details of the security incident. But a state audit published this month revealed that residents’ personal information was inadvertently exposed to the internet because of “programming code that allowed internet access to a protected area of the application.”

The department said in an updated post that a forensic investigation “could not conclusively rule out that certain information on the web application was accessed outside of TDI.” The department did not name the forensics company that carried out the investigation.

The Texas Department of Insurance oversees and enforces the insurance industry in Texas, and serves as an arbitrator in disputes between an employee, their employer and insurance carriers, according to The Texas Tribune, which first reported the news.

In 2018, TechCrunch reported that over 14 million detailed Texas voter records were left online on an unprotected web server. The data was originally compiled by Data Trust, a Republican-focused data analytics firm created by the GOP to provide campaigns with voter data.

Dig emerges from stealth to help organizations secure their data in public clouds

Dig, a Tel Aviv-based cloud data security startup, has emerged from stealth with an $11 million investment to help organizations protect data stored in public cloud environments.

It’s no secret that data is often the ultimate target for some cybercriminals, yet so many organizations don’t have visibility, context or control over data stored in public cloud environments — like the ones run by Amazon, Google and Microsoft — according to Dig. That’s why the startup has developed a data detection and response (DDR) solution, which it claims can help enterprises to discover, protect and govern their cloud data in real time.

“Companies don’t know what data they hold in the cloud, where it is, or most importantly how to protect it. They have tools to protect endpoints, networks, APIs but nothing to actively secure their data in public clouds,” Dan Benjamin, Dig’s co-founder and chief executive, tells TechCrunch. Prior to founding Dig in October last year, Benjamin led multi-cloud security at Microsoft and mentored CTOs at Google Cloud for Startups.

“If you speak to data security teams in large organizations today, most of them work with manual reports and run manual scans. We help organizations analyze and understand how that data is being used,” he added.

Dig claims that, unlike existing solutions, it analyzes and responds instantly to threats to cloud data, triggering alerts on suspicious or anomalous activity and stopping attacks, data exfiltration and employee data misuse. The solution — a software-as-a-service app — discovers all data assets across public clouds and brings context to how they are used, and also tracks whether each data source supports compliance regimes like SOC2 and HIPAA.

“Just the other week, we integrated with a large financial public American company, and after five minutes, we had alerts. What we discovered is that they had all financial reports being copied to an external AWS account that doesn’t belong to them,” Benjamin says. “We see stuff like this all of the time because no-one has real visibility into how this data is being used.”

Benjamin, who founded the startup alongside veteran entrepreneurs Ido Azran and Gad Akuka — the first letters of the co-founders’ names spell “Dig” — tells TechCrunch that Dig currently works with Microsoft Azure and AWS, with support for Google Cloud Platform coming soon. His ultimate goal, however, is to expand beyond public clouds to provide a solution to protect data wherever it sits within an organization.

“Data sits in five main locations for a typical enterprise; endpoints, email, on-premise, SaaS, and public clouds,” Benjamin says. “We only cover public clouds, but I believe that, eventually, customers will want a single platform that protects data wherever it is.”

With its $11 million seed round led by Team8, with participation from CrowdStrike, CyberArk and Merlin Ventures, Dig plans to grow its headcount from 30 to 50 by the end of the year, including in the U.S. It also plans to expand the product, with Benjamin noting that the startup “still has a lot to do” across discovery, context and threat protection.

New Relic enters the security market with its new vulnerability management service

New Relic, which has long been known for its observability platform, is entering the security market today with the launch of a new vulnerability management service. Aptly named New Relic Vulnerability Management, the service aggregates data from both its own native vulnerability detection system and third-party tools, giving security, DevOps, SecOps and SRE teams a single service for monitoring their software stack for vulnerabilities.

“Minimizing security risk across the entire software development life cycle is imperative — and we are seeing more pressure on DevOps to manage risk while making sure it doesn’t become a blocker to the pace of innovation,” said New Relic CEO Bill Staples. “New Relic Vulnerability Management delivers more value to engineers harnessing the power of observability with our platform approach, and accelerates our mission to help every engineer do their best work with data, not opinions.”

The company argues that one of its major differentiators is that this new tool can integrate with third-party security tools. This in turn should help teams prioritize which security risks to focus on (because there are always more than any team can handle), with the new service also helping them to identify which actions to take to remediate those risks.

The new service is part of a series of announcements New Relic made at the CNCF’s KubeCon + CloudNativeCon conference and its own FutureStack event today. Other announcements include enhancements to the company’s application performance monitoring service (which now collects logs in context), new partners in its Instant Observability ecosystem (which now features more than 470 integrations), and a major new partnership with Microsoft, allowing Azure users to use New Relic as their default observability platform natively inside the Azure Portal.

New Bluetooth attack can remotely unlock Tesla vehicles and smart locks

Security researchers have demonstrated a new Bluetooth relay attack that can remotely unlock and operate some Tesla vehicles.

The vulnerability lies in Bluetooth Low Energy (BLE), the technology used by Tesla’s entry system that allows drivers with the app or key fob to unlock and operate their car from nearby. Relay attacks typically work by capturing the radio signal used, for example, to unlock a vehicle and replaying it as if it were an authentic request. Most devices and vehicles that rely on this kind of proximity-based authentication are designed to protect against a range of relay attacks by using encryption and introducing checks that make such attacks more difficult.

But researchers at U.K.-based NCC Group say they have developed a tool for conducting a new type of BLE link-layer relay attack that bypasses existing mitigations, theoretically enabling attackers to remotely unlock and operate vehicles.

Sultan Qasim Khan, a senior security consultant at NCC Group, said in a blog post that the company tested the attack against a 2020 Tesla Model 3 using an iPhone 13 mini running a recent but older version of the Tesla app. The iPhone was placed 25 meters away from the vehicle, according to the researchers, with two relaying devices between the iPhone and the car. Using the tool, the researchers were able to unlock the vehicle remotely. The experiment was also replicated successfully on a Tesla Model Y from 2021, which also uses “phone-as-a-key” technology.

While the attack was demonstrated against Tesla vehicles, Khan notes that any vehicle that uses BLE for its keyless entry system could be vulnerable to this attack. In a separate advisory, NCC Group warns that the attack could also be used against the Kwikset and Weiser Kevo line of smart locks, which support BLE passive entry through their “touch-to-open” functionality.

“Our research shows that systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware,” said Khan.

The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group (SIG), an industry group that oversees the development of the Bluetooth standard, which acknowledged the issue but said that relay attacks were a known problem with Bluetooth. Tesla officials also said that relay attacks were a known limitation of the passive entry system. Tesla did not respond to TechCrunch’s request for comment. (Tesla scrapped its public relations team in 2020.)

“NCC Group recommends that the SIG proactively advise its members developing proximity authentication systems about the risks of BLE relay attacks,” Khan added. “Moreover, documentation should make clear that relay attacks are practical and must be included in threat models, and that neither link-layer encryption nor expectations of normal response timing are defenses against relay attacks.”

The researchers encourage Tesla owners to use the PIN to Drive feature, which requires a four-digit pin to be entered before the vehicle can be driven, and to disable the passive entry system in the mobile app.

Tesla is no stranger to security flaws. Earlier this year, a 19-year-old security researcher said he was able to remotely access dozens of Teslas around the world because security bugs found in an open source logging tool popular with Tesla owners exposed their cars directly to the internet.

CipherMode Labs launches open source solution to protect data without encryption expertise

CipherMode Labs CEO and co-founder Sadegh Riazi has been working with encryption his entire career. He studied it as part of his PhD. He was part of the Microsoft SEAL team that worked on improving homomorphic encryption and making it more efficient.

What he found was that while homomorphic encryption allows you to work with encrypted data, it does so at an extremely high resource cost, one that’s so high, it is bad for the environment. He spent much of the first part of his career working to make it more efficient, but he found that even with custom chips, he and his fellow researchers could only move the needle so much.

That’s when he decided to go in a different direction and take an encrypted road less traveled. He teamed up with Ilya Razenshteyn, who had studied encryption at MIT, and they began looking at a method that previously hadn’t been taken very seriously in the encryption community.

“So first of all, it’s very different from homomorphic encryption. It’s based on a completely different paradigm in cryptography. It’s not a better version of it. It’s not a variant of it. I worked on both. So our field is called Secure Multiparty Computation,” Riazi said.

He said that when he began studying SMPC, he saw an area that was largely untapped and perhaps with more possibilities for secure encryption without the computational overhead inherent in homomorphic encryption.

“We have our own challenges, but at least, to put it very simply, it’s a more fertile ground for innovation. We have more room for improvement. We have more dimensions for improvement. And that’s why we’re working on this,” he said.

To be clear, there was a lot of skepticism in the community on whether this particular technology could be put to work to protect encrypted data at scale. “At the beginning of my PhD, when I went to security conferences, and I said that I’m working on this topic, Secure Multiparty Computation, people said ‘oh, that’s a cute cryptographic toy, but it’s never going to be used [widely],’” he said.

But he and Razenshteyn saw the potential and they went against conventional thinking and began building a set of tools to put SMPC to work. They created an open source library, called CipherCore, which they are launching today. This new tool allows researchers to protect data without cryptographic expertise by simply pointing to the data source and writing some code. CipherMode takes care of the encryption on the back end by building the appropriate protocol to protect the data.

“We essentially decouple the application layer from the protocol layer, which means users can write very simple programs. And then we are able to create the corresponding protocol that they need to run and to process encrypted data,” he said.

The solution provides a similar set of benefits to homomorphic encryption without the same overhead, offering a 2-3 orders of magnitude improvement compared to the state-of-the-art homomorphic solutions. It also offers fast computation times and provable security, but in a way that’s easy to implement, and secure even against quantum computers, according to the company.

The startup is working on a commercial version they expect to be ready some time later this year.

In addition to launching the open source library today, the startup also announced that it has closed a $6.7 million seed investment led by Innovation Endeavors with participation from Pillar VC, the National Science Foundation and several industry luminaries.

Google Cloud launches new software supply chain and zero trust security services

Google Cloud is holding its annual Security Summit this week and unsurprisingly, the company used the event to launch a few new security features. This year, the announcements focus on software supply chain security, Zero Trust and tools for making it easier for enterprises to adopt Google Cloud’s security capabilities.

It’s no surprise that software supply chain security makes an appearance at this year’s event. Thanks to recent high-profile attacks, it’s been the focus of White House summits and, just last week, an industry group that includes Google, Amazon, Ericsson, Intel, Microsoft and VMware pledged $30 million to work with the Linux Foundation and Open Source Security Foundation to improve the security of open-source software.

At today’s Summit, Google Cloud announced the launch of its Assured Open Source Software service, which gives enterprises and government users access to the same vetted open-source packages that Google itself uses in its projects. According to the company, these packages are regularly scanned, analyzed and fuzz-tested for vulnerabilities and built with Google Cloud’s Cloud Build service with evidence of SLSA-compliance (that’s ‘Supply-chain Levels for Software Artifacts,’ a framework for safeguarding artifact integrity across software supply chains). These packages are also signed by Google and distributed from Google’s secured registry. “Assured OSS helps organizations reduce the need to develop, maintain, and operate a complex process for securely managing their open source dependencies,” Google explains in its announcement today.

Also new today is BeyondCorp Enterprise Essentials, a new edition of Google Cloud’s BeyondCorp Enterprise Zero Trust solution that promises to “help organizations quickly and easily take the first steps toward Zero Trust implementation.” The company says it includes features like context-aware access controls for SaaS applications and other SAML-connected services, as well as threat and data protection capabilities, in addition to data loss prevention, malware and phishing protection in Chrome.

Finally, Google also launched a new Security Foundation solution for enterprises that aims to make it easier for them to adopt Google Cloud’s security capabilities. It joins Google’s other ready-made solutions, which so far have focused on specific industries (retail, media and entertainment, financial services, etc.) as opposed to this more general security-centric package. “This solution is aligned to the prescriptive guidance from our Google Cloud Cybersecurity Action Team, and codified in our Security Foundations Blueprint, so that you get the controls you need for data protection, network security, security monitoring, and more to help make your deployments secure from day one — and to do it more cost-effectively,” Google explains.

US names and shames Venezuelan doctor as notorious ransomware maker

The U.S. has named a Venezuelan cardiologist as the alleged mastermind behind the notorious Thanos ransomware.

According to the U.S. Justice Department, Moises Luis Zagala Gonzalez, 55, created and distributed the Thanos software, a ransomware-as-a-service (RaaS) operation that allowed its users to create and deploy their own ransomware variants.

Zagala allegedly sold and rented out the ransomware tools to cybercriminals starting in 2019 and even taught cybercriminals how to use the tools, according to the indictment, coaching threat actors on how to design a ransom note, steal passwords from victim computers, and set a bitcoin address for ransom payments. “Zagala provides extensive customer service along with his software, counseling his customers about how most effectively to use his software against their victims,” the indictment says. The FBI said that at least 38 copies of the Thanos tool were sold.

Zagala also publicly discussed how his customers used his tools in ransomware attacks, even posting links to news stories about the use of Thanos by an Iranian-state sponsored hacking group to attack Israeli companies. One of the linked reports detailed how the ransomware was used by the MuddyWater hacking group, which U.S. Cyber Command earlier this year linked to Iranian intelligence.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” said Breon Peace, the U.S. attorney for eastern New York, where the case was filed.

In addition to creating Thanos, Zagala is accused of creating “Jigsaw v. 2,” a ransomware tool that included a so-called “Doomsday counter” that kept track of how many times victims had tried to remove the malware. “If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive,” Zagala wrote, according to the DOJ, adding that 1,000 files would be deleted every time a victim reboots their system.

Zagala’s products were well-regarded among cybercriminals, from which he would request reviews. The DOJ said it found several reviews for his products that touted their effectiveness. One reviewer said they used Zagala’s products to “infect a network of approximately 3,000 computers” and another user wrote in Russian that they had made “good profit” after a month of using the ransomware tools.

The FBI was able to identify Zagala after interviewing a relative whose PayPal account was used to receive illicit profits.

Zagala — who remains in Venezuela — faces up to ten years in prison for attempted computer intrusions and conspiracy charges if brought to justice in the United States. The indictment is part of the Justice Department’s efforts in recent years to “name and shame” cyberattackers who are outside of U.S. jurisdiction.

Tech giants pledge $30M to boost open source software security

Tech giants including Amazon, Google and Microsoft have pledged millions of dollars to bolster the security of open source software.

The pledge was made during a meeting in Washington DC last week, which saw open source leaders, headed up by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), share their plans for enhancing the security of the software supply chain.

The industry gathering, which was attended by government leaders and over 90 executives from 37 companies, is a follow-up to the historic White House summit convened in January in the wake of the Log4Shell zero-day vulnerability. The flaw affected Apache’s Log4j library, a ubiquitous piece of logging software, which put millions of devices worldwide at risk. But according to a study from March, almost a third of instances remain unpatched.

During last week’s meeting, companies including Amazon, Ericsson, Google, Intel, Microsoft, and VMware pledged a collective $30 million to fund a 10-point plan that aims to boost the security of open source software. Designed by the Linux Foundation and OpenSSF, the first-of-its-kind initiative aims to secure the production of open source code, improve vulnerability detection and remediation, and shorten patching response time. This will include the creation of a software bill of materials, known as an SBOM, allowing companies to gain visibility of the software that they are using in their tech stack.

The so-called Software Supply Chain Security Mobilization Plan also calls for security education for everyone working in the open source community, the elimination of non-memory-safe programming languages like C++ and COBOL, and for annual third-party code reviews of 200 of the most critical open source software components.

The ultimate goal is to find and fix vulnerabilities like Log4Shell faster in an effort to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.

“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

Google Cloud also announced during the summit that it would launch an open source maintenance crew, a team of dedicated engineers that will work with upstream maintainers in order to boost the security of various open source projects.