Skoda Data Breach Hits Online Shop Customers
Using a vulnerability in the portal, hackers accessed names, addresses, email addresses, and phone numbers.
The post Skoda Data Breach Hits Online Shop Customers appeared first on SecurityWeek.
Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”
The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.
“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.
“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”
The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.
They shifted between SS7 and Diameter, the signalling protocols used by 2G/3G networks and by 4G and most 5G networks, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission opened a probe in 2024 into the vulnerabilities of both protocols, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Infrastructure Security Agency report on telecommunications vulnerabilities rooted in both.
But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.
“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”
One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back to the researchers that it didn’t recognize the hostnames referenced in the report as its network nodes and couldn’t attribute the signalling activity they represent to infrastructure it operates.
Another operator, Sure, said it has taken preventative measures to defend against misuse.
“Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”
019 Mobile and a third operator, Tango Networks UK, didn’t respond to CyberScoop’s requests for comment. The Citizen Lab report afforded some grace to the operators.
“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”
Updated 4/24/26: to include quote from Alistair Beak.
The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.
Cookeville Regional Medical Center was targeted last year by the Rhysida ransomware group, which stole 500GB of data.
The post Data Breach at Tennessee Hospital Affects 337,000 appeared first on SecurityWeek.
The US government has warned that Iran-linked hackers are manipulating PLCs and SCADA systems to cause disruption.
The post Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday appeared first on SecurityWeek.
Iranian government hackers are launching disruptive cyberattacks on American energy and water infrastructure, U.S. government agencies “urgently” warned Tuesday.
The hackers are taking aim at devices and systems that control industrial processes, and have harmed victims in the last month following the onset of U.S.-Israel strikes against Iran, according to the joint alert from the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and Cyber Command.
“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley,” the alert states. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.”
U.S. government agencies have warned before about Iranian hackers going after similar targets using similar methods. The first such warning came after an Iranian government-linked group took credit for attacking a Pennsylvania water facility in late 2023.
Since March of this year, however, the agencies said they have seen new victims emerge from an advanced persistent threat group tied to Iran.
“The authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the alert reads. “These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”
The earlier campaign compromised at least 75 devices, the alert states.
The latest disruptions include “maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays,” according to the agencies’ warning.
After the U.S.-Israel conflict with Iran began, Tehran-connected hackers claimed victims including major medtech company Stryker, local governments and more.
The FBI warned last month that Iranian hackers were deploying malware over the Telegram app, although that campaign also predated the current Iran conflict.
The post Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn appeared first on CyberScoop.
Authorities from 14 countries shut down LeakBase, seized its domains and arrested multiple people allegedly involved in the cybercrime marketplace for stolen data and hacking tools, the Justice Department said Wednesday.
LeakBase had more than 142,000 members, ranking it among the world’s largest forums for cybercriminals. The site, which was available on the open web, contained a massive archive of hacked databases including hundreds of millions of account credentials, officials said.
The stolen databases, which included data from U.S. corporations and individuals, were linked to many high-profile attacks, according to officials. Data seized by authorities revealed a trove of credit and debit card numbers, banking account and routing information, credentials for account takeovers, sensitive business records and personally identifiable information.
“The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages and IP logs for evidentiary purposes,” Brett Leatherman, assistant director at the FBI’s cyber division, said in a statement.
Law enforcement agencies involved in the globally coordinated takedown operation, which began Tuesday, executed search warrants, made arrests and interviewed people in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain and the United Kingdom.
Officials did not immediately name any suspects, but some of the activity occurred in San Diego and Provo, Utah. Officials said the FBI’s field offices in San Diego and Salt Lake City, which are investigating the case, participated in the operation domestically. The Provo Police Department was also involved.
“Hiding behind a screen does not shield cybercriminals from accountability,” Robert Bohls, special agent in charge at the FBI Salt Lake City field office, said in a statement.
Authorities identified multiple users who believed they were operating anonymously by seizing the forum’s database.
“This international operation demonstrates the strength of our global alliances and our shared commitment to disrupting platforms that facilitate the theft of data and the victimization of innocent people and organizations worldwide,” Bohls added. “Together, we will continue to identify, dismantle, and hold accountable those who seek to profit from cybercrime, no matter where they operate.”
Europol, which hosted the coordinated operation in The Hague, described LeakBase as a “central hub in the cybercrime ecosystem” that specialized in leaked databases and stealer logs. The English-language site, which has been active since 2021, contained more than 32,000 posts and more than 215,000 private messages.
Authorities collectively engaged in around 100 enforcement actions globally and took measures against 37 of the platform’s most active users Tuesday, according to Europol.
The technical disruption phase got underway Wednesday and the site now displays a seizure page. Officials from Canada, Germany, Greece, Kosovo, Malaysia and The Netherlands also support the investigation.
“Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals,” Leatherman said. “The FBI will continue to defend the homeland by dismantling the key services that cybercriminals use to facilitate their attacks.”
The post Authorities from 14 countries shut down major cybercrime forum LeakBase appeared first on CyberScoop.
Microsoft announced Wednesday that it worked with international law enforcement to seize infrastructure used to run cybercrime subscription service RedVDS and organized civil actions in the United States and United Kingdom to disrupt its further use.
RedVDS has enabled at least $40 million in fraud losses in the U.S. since March 2025, according to Microsoft. Victims that are joining Microsoft as co-plaintiffs in the civil action include Alabama-based H2 Pharma, a pharmaceutical company that lost more than $7.3 million, and Florida-based Gatehouse Dock Condominium Association, which was tricked out of nearly $500,000.
“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable and difficult to trace,” Steven Masada, assistant general counsel at Microsoft Digital Crimes Unit, said in a blog post. “It provides access to cheap, effective, and disposable virtual computers running unlicensed software, including Windows, allowing criminals to operate quickly, anonymously and across borders.”
Microsoft said a joint operation with Europol and authorities in Germany allowed it to seize RedVDS’s infrastructure and take the marketplace offline. Cybercriminals used the site, which included a loyalty program and referral bonuses for customers, to send high-volume phishing attacks, host infrastructure for scams and facilitate fraud such as business email compromise.
Microsoft customers were among those impacted by RedVDS’s tools and services.
“Since September 2025, RedVDS‑enabled attacks have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations worldwide,” Masada said in the blog post. “These figures represent only a subset of the impacted accounts across all technology providers, illustrating how quickly this infrastructure increases the scale of cyberattacks.”
Over the course of a month, more than 2,600 RedVDS virtual machines sent Microsoft customers an average of one million phishing messages per day, Masada added.
RedVDS facilitated payment diversion fraud against organizations like H2 Pharma and the Gatehouse Dock Condominium Association through business email compromise. The marketplace was also used to compromise the accounts of realtors, escrow agents and title companies to divert payments, according to Microsoft.
More than 9,000 customers, many in Canada and Australia, were directly impacted by real estate-related fraud aided by RedVDS. Microsoft Threat Intelligence said other scams enabled by RedVDS hit organizations in construction, manufacturing, healthcare, logistics, education and legal services.
Researchers said the marketplace’s user interface was loaded with features that allowed eager cybercriminals to purchase unlicensed and inexpensive Windows-based remote desktop protocol servers with full administrator control. RedVDS reused a single, cloned Windows host image across the service, which allowed researchers to find unique technical fingerprints.
The group that develops and operates RedVDS is tracked by Microsoft as Storm-2470. At least five additional cybercrime groups and cybercriminals who used the RaccoonO365 phishing service prior to its takedown in October were also using RedVDS infrastructure, according to Microsoft Threat Intelligence.
RedVDS’s site first launched in 2019 and has remained in operation since providing servers in the U.S., U.K., Canada, France, the Netherlands and Germany. The marketplace “has become a prolific tool for cybercriminals in the past year, facilitating thousands of attacks, including credential theft, account takeovers and mass phishing,” researchers said in a report.
RedVDS rented servers from third-party hosting providers, including at least five hosting companies in the U.S., Canada, U.K., France and the Netherlands. This allowed RedVDS to provision IP addresses in geolocations close to targets, allowing cybercriminals to evade location-based security filters and blend in with normal data center traffic, researchers added.
“Cybercrime today is powered by shared infrastructure, which means disrupting individual attackers is not enough,” Masada said. “Through this coordinated action, Microsoft has disrupted RedVDS’s operations, including seizing two domains that host the RedVDS marketplace and customer portal, while also laying the groundwork to identify the individuals behind them.”
The post Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace appeared first on CyberScoop.
Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty Friday to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid-2018 to late 2021. He faces up to 10 years in prison for conspiracy to commit fraud, including extortion.
Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April. Authorities are still looking for his alleged co-conspirator Volodymyr Tymoshchuk and announced an $11 million reward for information leading to his arrest or conviction.
“The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data and extort victims,” Joseph Nocella, U.S. attorney for the Eastern District of New York, said in a statement.
“We remain determined to capture Stryzhak’s codefendant and partner in crime, Volodymyr Tymoshchuk, and bring him to justice in a U.S. courtroom,” Nocella added. Officials accuse Tymoshchuk of acting as an administrator of the Nefilim ransomware group and described him as a serial cybercriminal associated with multiple ransomware strains.
Attacks involving Nefilim ransomware caused millions of dollars in losses from extortion payments and damage to victim networks, officials said. Stryzhak and his co-conspirators allegedly customized executable ransomware files for each victim, creating unique decryption keys and unique ransom notes.
The ransomware group primarily targeted companies located in the United States, Canada and Australia with more than $100 million in annual revenue, and extorted victims by threatening to publish stolen data. The crew researched companies after they broke into their networks to determine their net worth, size and contact information.
Stryzhak’s victims include an engineering consulting company based in France, an aviation industry company in New York, a chemical company in Ohio, an insurance company in Illinois, a construction company in Texas, a pet care company in Missouri, an international eyewear company and a company in the oil and gas transportation industry.
Stryzhak and his co-conspirators also used Nefilim ransomware to encrypt victim networks in Germany, the Netherlands, Norway and Switzerland, prosecutors said.
Officials said Stryzhak’s crimes began when he gained access to the Nefilim ransomware code in June 2021 in exchange for 20% of his ransom proceeds.
“Cybercriminals may hide behind screens, but they leave digital footprints everywhere,” Christopher Johnson, special agent in charge of the FBI’s field office in Springfield, Illinois, said in a statement.
“The FBI follows these digital trails relentlessly — across networks, borders, and time — until those responsible are held accountable,” Johnson added. “Today is a remarkable accomplishment, but we will not stop until we have captured all those responsible for the Nefilim ransomware.”
The post Ukrainian national pleads guilty to Nefilim ransomware attacks appeared first on CyberScoop.
By Troy Wojewoda During a recent Breach Assessment engagement, BHIS discovered a highly stealthy and persistent intrusion technique utilized by a threat actor to maintain Command-and-Control (C2) within the client’s […]
The post The Curious Case of the Comburglar appeared first on Black Hills Information Security, Inc.
The Treasury Department, along with officials from the United Kingdom and Australia, imposed sanctions Wednesday against two bulletproof hosting providers and key people involved in their operations, in a globally coordinated effort aimed at thwarting the role these services have in enabling ransomware, phishing operations, and data extortion campaigns around the world.
Authorities sanctioned Media Land, three of its leaders and three affiliated companies for allegedly supporting ransomware operations and other cybercrime. The Russia-based bulletproof hosting provider has provided services to ransomware groups, including LockBit, BlackSuit and Play, officials said.
Authorities imposed sanctions on Media Land’s general director Alexsandr Volosovik, Kirill Zatolokin, Yulia Pankova and subsidiaries ML Cloud, Media Land Technology and Data Center Kirishi.
“Media Land has been impactful largely because of its longevity. Recorded Future can trace attackers using their infrastructure back to at least 2015 — 10 years of activity,” Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.
“Targeting this kind of infrastructure can have a disruptive effect on the ransomware ecosystem,” he said. “It’s not the same as a takedown, but it makes it much more difficult for these threat actors to operate and continue to provide services.”
Cyber authorities with the Five Eyes intelligence alliance and the Netherlands also released a mitigation guide Wednesday, which offers tips to help defenders thwart cybercrime made possible by this infrastructure. Impairing these services “requires a nuanced approach because bulletproof hosting infrastructure is integrated into legitimate internet infrastructure systems, and actions from internet service providers or network defenders may impact legitimate activity,” officials said in the guide.
Despite the sanctions, Media Land’s infrastructure will remain online until the organization’s peering partners cut off key services, said Zach Edwards, senior threat analyst at Silent Push. One of those partners, JSC RetnNet, is also based in Russia, but its other peering partner, RETN Limited, is a U.K.-based ISP, he said.
“The bulletproof hosting ecosystem is thriving and growing,” Edwards said, adding “we still need law enforcement to put more pressure on the peering partners who help to get bulletproof hosting infrastructure online and accessible to the rest of the internet.”
Cybercriminals use bulletproof hosting infrastructure to obfuscate their activities, including malware delivery, phishing, and host content and services that support ransomware, data extortion and denial of service attacks, officials said.
“Bulletproof hosting is one of the core enablers of modern cybercrime,” Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency, said in a statement.
Officials also took action against companies and individuals who helped the previously sanctioned Aeza Group evade sanctions and reconstitute operations under new infrastructure and leadership.
U.K.-based Hypercore, Maksim Vladimirovich Makarov, the new alleged director of Aeza, and Ilya Vladislavovich Zakirov were targeted with sanctions for supporting Aeza Group’s ongoing activity. Officials also sanctioned Smart Digital Ideas DOO and Datavice MCHJ for providing technical infrastructure to Aeza.
“Bulletproof hosting providers are hosting the majority of cybercrime infrastructure used by a wide range of global threat actors for ransomware attacks, phishing campaigns, malware delivery and everything in between,” Edwards said.
“Focusing on these malicious hosts should be a top law-enforcement priority to ensure we’re not just playing Whac-A-Mole with individual threat actors for years to come.”
The post Five Eyes just made life harder for bulletproof hosting providers appeared first on CyberScoop.
Cybersecurity experts from multiple federal agencies released guidance to help organizations bolster their defenses against attacks on on-premises Microsoft Exchange Servers, resurfacing and building upon previously shared advice that generally applies to most technology.
The Cybersecurity and Infrastructure Security Agency said the security blueprint for Microsoft Exchange Server is a follow-up effort to an emergency directive the agency released in August for CVE-2025-53786, a high-severity defect affecting on-premises Microsoft Exchange servers. CISA jointly issued the guide Thursday with the National Security Agency and cyber agencies in Australia and Canada.
Nick Andersen, executive assistant director for cybersecurity at CISA, said the guidance isn’t in response to any specific vulnerability or attack, but rather reflects that organizations are under constant threat. “Many organizations depend on Microsoft Exchange to perform these critical communication functions, and that necessitates a strong degree of protection from malicious actors,” he said during a media briefing Thursday.
The recommendations aren’t particularly new and should come as no surprise to security and IT professionals. The guide synthesizes security advice shared by Microsoft, security experts and the industry at large. The majority of works cited in the guide, more than 60, link back to blogs and advice scattered around Microsoft sites.
“The individual recommendations are known good practices. What stands out to me is the detailed implementation guidance and how the guide stitches the compilation of recommendations into a game plan for improved security,” Andrew Grotto, research scholar at Stanford University’s Center for International Security and Cooperation, told CyberScoop.
“It’s a practical and very usable guide,” he said. “It also begs the question of why Microsoft has never produced something quite like this.”
Microsoft declined to answer questions or provide additional information.
The guide encourages on-premises Microsoft Exchange Server customers to restrict administrative access, implement multi-factor authentication, enforce strict transport layer security configurations and adopt zero-trust security principles. It also advises organizations to patch regularly and migrate off end-of-life Microsoft Exchange Servers.
“The most effective defense is ensuring all Exchange Servers are running the latest version and cumulative update patches,” Andersen said. “Delaying or failing to apply security patches increases the risk of vulnerability exploitation and puts your entire network at risk, as well as the larger ecosystem.”
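The guide’s “strict transport layer security configurations” item is the one most often left half-done, because Exchange inherits its TLS settings from the Windows SCHANNEL registry keys rather than from an Exchange-specific setting. The script below is an added example, not code from the CISA/NSA guide or from CyberScoop: run in an elevated PowerShell session on an Exchange host, it reads the standard SCHANNEL protocol keys and the two .NET Framework strong-crypto values that Microsoft’s Exchange TLS guidance sets, and reports any legacy protocol that is still enabled. The target state it checks against (TLS 1.2 on, SSL 2.0/3.0 and TLS 1.0/1.1 off) is this example’s assumption about a hardened host, not a quotation from the guide.

```powershell
# Added example: audit SCHANNEL protocol state on an Exchange Server host.
# Registry layout is Windows' standard SCHANNEL layout; the expected-state
# table below is this example's assumption, not text from the CISA/NSA guide.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol name -> whether it should be enabled on a hardened Exchange host (assumption).
$expected = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-SchannelState {
    param([string]$Protocol, [string]$Role)   # Role is 'Server' or 'Client'
    $key = Join-Path $base "$Protocol\$Role"
    if (-not (Test-Path $key)) {
        # No key means the OS default applies, which differs by Windows build.
        # Treat it as unknown so the operator sets it explicitly.
        return 'absent'
    }
    $p = Get-ItemProperty -Path $key
    $enabled = $p.PSObject.Properties['Enabled']
    $disabledByDefault = $p.PSObject.Properties['DisabledByDefault']
    if ($enabled -and $enabled.Value -eq 0) { return 'disabled' }
    if ($disabledByDefault -and $disabledByDefault.Value -eq 1 -and -not $enabled) {
        return 'disabled-by-default'
    }
    # Enabled=1 (or 0xffffffff) with DisabledByDefault=1 still makes the protocol
    # negotiable on request, so this example counts it as enabled.
    return 'enabled'
}

$findings = foreach ($proto in $expected.Keys) {
    foreach ($role in 'Server', 'Client') {
        $state = Get-SchannelState -Protocol $proto -Role $role
        $shouldBeOn = $expected[$proto]
        $ok = switch ($state) {
            'enabled'             { $shouldBeOn }
            'disabled'            { -not $shouldBeOn }
            'disabled-by-default' { -not $shouldBeOn }
            'absent'              { $false }   # unknown: review and set explicitly
        }
        [pscustomobject]@{ Protocol = $proto; Role = $role; State = $state; Compliant = $ok }
    }
}

$findings | Format-Table -AutoSize

# Exchange runs on the .NET Framework; these two values make .NET follow the OS
# SCHANNEL defaults and use strong crypto. Both should be 1 (DWORD).
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($k in $netKeys) {
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k
        '{0}: SystemDefaultTlsVersions={1} SchUseStrongCrypto={2}' -f $k, $v.SystemDefaultTlsVersions, $v.SchUseStrongCrypto
    }
}

if ($findings | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Legacy or unknown TLS protocol state found; see table above.'
    exit 1
}
```

The script only reports; it deliberately does not write to the registry, because disabling TLS 1.0/1.1 on an Exchange server that still has older clients, load balancers or monitoring agents depending on them breaks mail flow, and that change should be scheduled, not run as a side effect of an audit. Run it on every Exchange server in the organization, not just the internet-facing ones, since the guide’s zero-trust point is that an internal server is not a safe one.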
Microsoft’s level of involvement in the development of the guidance is unclear. Andersen did not address that directly, but said CISA is grateful to Microsoft and other vendors who participate in the vendor ecosystem with the federal government.
“We wanted to be able to have something, given both the criticality and sort of the level of participation that we have with this partner, to outline some of those best practices,” Andersen said.
Microsoft Exchange Server is heavily targeted by nation-state attackers and cybercriminals. The popular enterprise technology appears 16 times on CISA’s known exploited vulnerabilities catalog dating back to 2021, and 12 of those vulnerabilities are known to be used in ransomware attacks. That year, the U.S. government and its allies blamed China for exploiting an Exchange flaw that led to a rash of ransomware attacks affecting tens of thousands of victims.
To Grotto, the recommendations in the guide underscore how complex Microsoft Exchange is, “and complexity is the enemy of security,” he said. “For Microsoft, complexity is the customer’s problem, not theirs.”
The federal and international agencies’ effort was likely driven by what they determined to be an unmet need, according to Grotto.
“Governments do not normally step in to provide detailed guidance on behalf of private companies on how to safely operate their products,” he said. “The fact that a multilateral coalition of security and intelligence agencies felt that they needed to produce something like this is a devastating commentary on Microsoft’s security posture.”
The post CISA, NSA offer guidance to better protect Microsoft Exchange Servers appeared first on CyberScoop.
Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada’s anti-money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus’s Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges, none of which were physically located there.
On October 16, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., more commonly known as the cryptocurrency payments platform Cryptomus.
FINTRAC found that Cryptomus failed to submit suspicious transaction reports in cases where there were reasonable grounds to suspect that they were related to the laundering of proceeds connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion.
“Given that numerous violations in this case were connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion, FINTRAC was compelled to take this unprecedented enforcement action,” said Sarah Paquet, director and CEO at the regulatory agency.
In December 2024, KrebsOnSecurity covered research by blockchain analyst and investigator Richard Sanders, who’d spent several months signing up for various cybercrime services, and then tracking where their customer funds go from there. The 122 services targeted in Sanders’s research all used Cryptomus, and included some of the more prominent businesses advertising on the cybercrime forums, such as:
- abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and PQHosting;
- sites selling aged email, financial, or social media accounts, such as verif[.]work and kopeechka[.]store;
- anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster;
- anonymous SMS services, including anonsim[.]net and smsboss[.]pro.
Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus. The image from this website has been machine translated from Russian.
Sanders found at least 56 cryptocurrency exchanges were using Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.
“These platforms were built for Russian speakers, and they each advertised the ability to anonymously swap one form of cryptocurrency for another,” the December 2024 story noted. “They also allowed the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — nearly all of which are currently sanctioned by the United States and other western nations.”
Reached for comment on FINTRAC’s action, Sanders told KrebsOnSecurity he was surprised it took them so long.
“I have no idea why they don’t just sanction them or prosecute them,” Sanders said. “I’m not let down with the fine amount but it’s also just going to be the cost of doing business to them.”
The $176 million fine is a significant sum for FINTRAC, which imposed 23 such penalties last year totaling less than $26 million. But Sanders says FINTRAC still has much work to do in pursuing other shadowy money service businesses (MSBs) that are registered in Canada but are likely money laundering fronts for entities based in Russia and Iran.
In an investigation published in July 2024, CTV National News and the Investigative Journalism Foundation (IJF) documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.
Their inquiry found that the street address for Cryptomus parent Xeltox Enterprises was listed as the home of at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But the news outlets found none of the MSBs or currency dealers were paying for services at that co-working space.
The reporters also found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence any of these companies had ever arranged for any business services at that address.
This blog will be referencing the ICS/OT Backdoors & Breaches expansion deck created by BHIS and Dragos. We will be reviewing the ICS-focused Initial Compromise cards that are used to simulate a cyber incident and suggest potential mitigations to what is presented.
The post ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches appeared first on Black Hills Information Security, Inc.
Troy Wojewoda // In honor of Shark Week, I decided to write this blog to demonstrate various techniques I’ve found useful when analyzing network traffic with Wireshark, as well as […]
The post Welcome to Shark Week: A Guide for Getting Started with Wireshark and TShark appeared first on Black Hills Information Security, Inc.
Have you heard of Backdoors & Breaches, or even have a deck of your own, and yet… still don’t know how to use it? We created an incident response card […]
The post How to Use Backdoors & Breaches to do Tabletop Exercises and Learn Cybersecurity appeared first on Black Hills Information Security, Inc.
Sally Vandeven // OR How to Pentest with AD Explorer! Mark Russinovich’s Sysinternals tools (Microsoft) are nothing new. They have been a favorite among system administrators for many, many years. […]
The post Domain Goodness – How I Learned to LOVE AD Explorer appeared first on Black Hills Information Security, Inc.