Here is a catch-up on the news and events of this week in the world of cybersecurity.
Estonian National Charged in U.S. for Acquiring Hacking-Tools
An Estonian national has been charged in the U.S. with procuring U.S. military and government equipment for Russia. On March 28, 2023, authorities in Tallinn detained 45-year-old Andrei Shevlyakov. He faces an 18-count indictment that includes conspiracy charges; if convicted, he could serve up to 20 years in prison. Shevlyakov is accused of importing controlled technology from U.S. companies through front companies so that it reached Russia in circumvention of U.S. export restrictions.
The purchases included analog-to-digital converters for defense systems, low-noise pre-scalers, and synthesizers. Shevlyakov also allegedly sought to obtain Rapid7 Metasploit Pro, a legitimate penetration testing and adversary simulation product. He was placed on the U.S. Entity List in 2012 for acting as a procurement agent for Russia, but he is said to have used “false names and a web of front organizations” to evade the law and run an “intricate logistics operation involving multiple smuggling trips across the Russian border.” Read more
Military Intel Leak Investigated By US Officials
Pentagon officials are trying to locate the source of a military intelligence leak that could disrupt Ukraine’s spring offensive against Russian forces. According to The Economist, many of the slides, dated January, were posted on Telegram and Discord. Reports say the Pentagon is leading a cross-government effort to assess the damage, and senior officials appear to be reassuring partners. The documents detail each Ukrainian brigade’s armor and artillery holdings, the state of its air defenses, and the placement of its missile batteries, all of which would be of value to the Russian military.
Defense specialists have validated the slides as authentic. Some are grouped into briefing packets, while others carry classification markings indicating how the information was obtained and attributing it to the Joint Staff’s intelligence directorate (J2); these include the “SI-G” control marking, which denotes signals intelligence such as intercepted communications (wiretaps). According to sources, most of the copies circulating on Telegram had not been altered to overstate Ukrainian casualties and understate Russian ones. Even though the documents also expose weaknesses in the Russian military, the disclosures could widen rifts between the U.S. and its allies at a critical point in the war: the slides indicate, for example, that French and British special forces are training Ukrainian troops. Read more
Yum! Brands Report Data Breach After Ransomware Attack
Yum! Brands, owner of KFC, Pizza Hut, and Taco Bell, has confirmed that a January 2023 ransomware attack exposed personally identifiable information (PII). On January 18, Yum closed around 300 UK restaurants and took systems offline to contain the attack. At the time the company said only corporate data had been taken, but a filing with the Maine Attorney General’s Office shows that personal information was also compromised. Yum’s notification letter states that the attackers obtained names, driver’s license numbers, other ID numbers, and further sensitive information.
Yum says it has “no sign of identity theft or fraud” involving the stolen information, but such data is routinely traded or shared on underground forums and used in phishing and other attacks. In a January Form 8-K filing the company assured the SEC that the incident would not materially harm its operations or financial performance; the incident will nonetheless carry costs. Read more
Cybercriminals Pay Up To $20,000 To Get Android Malware On Google Play
Malicious loader programs that trojanize Android apps to slip them past Google Play Store checks sell for up to $20,000 on the dark web. Based on forum posts from 2019 to 2023, Kaspersky found that “the most common program categories to hide malware and undesirable software include cryptocurrency trackers, banking apps, QR-code scanners, and even dating apps.”
Dropper apps are the main way threat actors sneak malware into the Google Play Store: a clean app passes review, builds up a user base, and then pushes a malicious update. Loader apps take the other route, injecting malware into otherwise legitimate apps before they are uploaded to the store; the modified apps then ask users to grant invasive permissions. Apps with anti-analysis features detect when they are being debugged or run in a sandbox and refrain from executing their payload there, so the malicious behavior only appears on real victims’ devices. Threat actors can also buy an established Google Play developer account for $60 to $200, depending on how many apps it has published and how many downloads they have. Read more.
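As an added illustration, not Kaspersky’s or Google’s code, the script below triages the permissions an Android package requests, which is the first check a reviewer would run on an app in one of the categories named above before looking at its update history. The two manifests and the watch-list of permissions are constructed for this example, and the rule that two or more hits warrant review is an assumption, not a published detection rule.

```python
"""Permission triage for an Android manifest (added example).
Assumed watch-list: permissions that let an otherwise harmless-looking app
pull in a second stage, read one-time codes, or draw over other apps, which
is what a loader needs once it is installed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed watch-list for this example, with the capability each grants.
LOADER_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload a second-stage APK",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "can read the screen and act for the user",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.READ_SMS": "can read one-time codes",
    "android.permission.RECEIVE_SMS": "can intercept one-time codes",
    "android.permission.BIND_DEVICE_ADMIN": "can resist uninstallation",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed banking apps",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect permissions from <uses-permission> and from <service
    android:permission=...>, where accessibility and device-admin bindings live."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    perms = {n.get(name_attr) for n in root.iter("uses-permission") if n.get(name_attr)}
    perms |= {s.get(perm_attr) for s in root.iter("service") if s.get(perm_attr)}
    return perms


def triage(manifest_xml: str, declared_category: str) -> dict:
    """Return the flagged permissions and a verdict. Assumed rule: a benign
    utility (QR scanner, crypto tracker) rarely needs two or more of these."""
    perms = requested_permissions(manifest_xml)
    flags = {p: LOADER_PERMISSIONS[p] for p in sorted(perms) if p in LOADER_PERMISSIONS}
    verdict = "review" if len(flags) >= 2 else "ok"
    return {"category": declared_category, "flags": flags, "verdict": verdict}


# Constructed manifests for the example (not taken from any real app).
SUSPICIOUS_QR_SCANNER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscan">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="QR Scanner">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

CLEAN_QR_SCANNER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscan">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="QR Scanner"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_QR_SCANNER), ("clean", CLEAN_QR_SCANNER)):
        print(label, triage(manifest, "QR-code scanner"))
```

The manifest of a real APK can be extracted with any APK decoder and fed to `triage()`; a hit on the watch-list is a reason to look at the app, not proof of malice, and a dropper that adds the payload in a later update will look clean on its first version, which is exactly why the update history matters as well.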
Finding ChatGPT Vulnerabilities May Pay Hackers Up To $20,000
OpenAI, the AI research company behind ChatGPT, has launched a bug bounty program through which registered security researchers can report vulnerabilities in its products and be paid for them via Bugcrowd, a crowdsourced security platform. The company said today that rewards range from $200 for low-severity findings to $20,000 for exceptional discoveries.
OpenAI’s Bug Bounty Program “acknowledges and rewards the valuable ideas of security researchers who contribute to maintain the security of our technology and company.” “Please report any system problems, security gaps, or vulnerabilities. Disseminating your insights can help make our technology safer.” The program covers the OpenAI Application Programming Interface (API) and the ChatGPT chatbot, but the company asked researchers to report issues with the model’s behavior through a separate form unless they have a security impact. Read more.
Lazarus Hacker Group Evolves Tactics In DeathNote Campaign
Kaspersky reports that the North Korean Lazarus Group has switched targets and refined its tactics in a campaign the company tracks as “DeathNote”. Kaspersky senior security researcher Seongsu Park described the findings in an advisory, noting that the team has tracked the cluster, also known as Operation DreamJob or NukeSped, since 2019. “The malware creator employed decoy materials relevant to the cryptocurrency business, like a questionnaire about purchasing particular cryptocurrencies, an introduction to a particular cryptocurrency, and a bitcoin mining company,” Park said. In April 2020 Kaspersky observed a major shift in targeting and new infection vectors.
“Our study found that the DeathNote cluster targets the automotive and academic sectors in Eastern Europe, both of which are related to the defense industry,” the advisory said. The actor changed the job descriptions in its decoy documents to positions at defense contractors and diplomatic services. Alongside remote template injection, it used a trojanized open-source PDF viewer to improve the infection chain. In May 2021, DeathNote hit several targets in South Korea and a European IT company that supplies network device and server monitoring solutions. Read more.
Hyundai Data Breach In France & Italy Exposes Car Owners’ Data
Hyundai has warned that attackers obtained personal data of car owners and people who booked test drives in Italy and France. Hyundai sells almost 500,000 cars in Europe and holds roughly a 3% market share in France and Italy. Reports on Twitter and a Have I Been Pwned notification published by Troy Hunt show that the exposed data includes email addresses, physical addresses, telephone numbers, and vehicle chassis numbers.
The notification letter also states that the attacker did not obtain financial data. In response, Hyundai engaged IT specialists to take the affected systems offline until additional security measures are in place. The South Korean carmaker warns customers to be wary of unsolicited emails and SMS messages claiming to come from Hyundai, as these may be phishing and social engineering attempts. Read more.
Superyacht-Maker Lürssen Targeted By Ransomware Attack
Over the Easter break, a ransomware attack hit Lürssen, a German builder of superyachts and naval vessels. According to the regional news outlet Buten un Binnen, which first reported the attack, a significant part of the Bremen-based company’s shipyard operations was halted as a result. Lürssen is known for building some of the largest superyachts in the world, including Azzam, Blue, and Dilbar; its customers have included the late Khalifa bin Zayed Al Nahyan, Russian industrialist Alisher Usmanov, and Ukrainian businessman Rinat Akhmetov.
The company holds a contract to design and build 12 offshore patrol vessels for Australia and also builds ships for the German Navy. According to several German media outlets, Lürssen said it is working with internal and external experts to manage the incident, and Buten un Binnen reports that German police have opened a criminal investigation. Lürssen operates five shipbuilding sites in Germany and employs up to 1,600 people. Read more.
WhatsApp Improves Defense Against Malware-Based Account Takeover
WhatsApp launched a new account protection feature on Thursday that is designed to stop mobile malware from hijacking user accounts. The Meta-owned company stated, “mobile device malware is one of the greatest hazards to people’s privacy and security nowadays since it may take advantage of your phone without your awareness and use your WhatsApp to send unsolicited messages.” Device Verification counters account takeover (ATO) attacks by cutting off the threat actor while letting the legitimate user keep using the app.
The goal is to stop attackers who use malware to steal WhatsApp authentication keys from sending spam and phishing links to the victim’s contacts while posing as the victim. WhatsApp describes three components: a security token stored locally on the device, an authentication challenge that acts as an “invisible ping” from the server to the user’s device, and a cryptographic nonce used to check whether the WhatsApp client is connecting to the server to retrieve incoming messages. The client must present the security token when it connects, which lets the server detect suspicious connections, and the token is updated every time the client fetches an offline message from the server. Read more.
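The following model, added here as an example and not WhatsApp’s code, shows why a rotating device token defeats a one-time theft of the authentication key. The real protocol, its message formats and its key material are not public at this level of detail; the example assumes that the server and the device share a per-device secret that malware can copy once, that the security token is derived from that secret and the server’s last nonce, and that the server rotates the expected token on every successful fetch of offline messages. The phone number and messages are constructed.

```python
"""Rotating device-token model of WhatsApp Device Verification (added example,
not WhatsApp's code). Assumptions: the server and device share a per-device
secret that malware can copy once; the security token is an HMAC over that
secret and the server's last nonce; the server rotates the expected token on
every successful fetch of offline messages."""
import hashlib
import hmac
import secrets


def next_token(secret: bytes, nonce: bytes) -> bytes:
    """Both sides derive the next token from the secret and the nonce, so the
    rotation costs no extra message (assumed construction)."""
    return hmac.new(secret, b"device-token|" + nonce, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}   # phone -> secret, token, inbox
        self.alerts: list[tuple[str, str]] = []

    def register(self, phone: str, secret: bytes) -> bytes:
        token = secrets.token_bytes(32)
        self.accounts[phone] = {"secret": secret, "token": token, "inbox": []}
        return token

    def deliver(self, phone: str, msg: str) -> None:
        self.accounts[phone]["inbox"].append(msg)

    def fetch_offline(self, phone: str, presented_token: bytes, answer):
        """answer(nonce) is the client's reply to the challenge. Returns the
        queued messages, or None when the connection is refused."""
        acct = self.accounts[phone]
        # 1. Security token check: a stale token means another holder of the
        #    credentials has synced since this client last did.
        if not hmac.compare_digest(acct["token"], presented_token):
            self.alerts.append((phone, "stale or unknown security token"))
            return None
        # 2. The "invisible ping": a fresh nonce the client must MAC with the
        #    device secret, proving it holds the key and is talking live.
        nonce = secrets.token_bytes(16)
        expected = hmac.new(acct["secret"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, answer(nonce)):
            self.alerts.append((phone, "failed nonce challenge"))
            return None
        # 3. Hand over the messages and rotate the token.
        msgs, acct["inbox"] = acct["inbox"], []
        acct["token"] = next_token(acct["secret"], nonce)
        return msgs


class Client:
    def __init__(self, phone: str, secret: bytes, token: bytes) -> None:
        self.phone, self.secret, self.token = phone, secret, token

    def fetch(self, server: Server):
        seen = {}

        def answer(nonce: bytes) -> bytes:
            seen["nonce"] = nonce
            return hmac.new(self.secret, nonce, hashlib.sha256).digest()

        msgs = server.fetch_offline(self.phone, self.token, answer)
        if msgs is not None:                    # keep the locally stored token in sync
            self.token = next_token(self.secret, seen["nonce"])
        return msgs


def scenario() -> dict:
    """Malware copies the secret and token once; the genuine device syncs;
    the attacker's copy is then stale and refused."""
    server = Server()
    phone = "+15550100"                          # constructed number
    secret = secrets.token_bytes(32)
    token = server.register(phone, secret)
    victim = Client(phone, secret, token)
    attacker = Client(phone, secret, token)      # the stolen snapshot
    server.deliver(phone, "hi")
    first = victim.fetch(server)                 # succeeds, rotates token
    stolen = attacker.fetch(server)              # stale token -> refused
    server.deliver(phone, "again")
    second = victim.fetch(server)                # genuine device unaffected
    return {"first": first, "stolen": stolen, "second": second,
            "alerts": list(server.alerts)}


if __name__ == "__main__":
    print(scenario())
```

Because the token rotates on every fetch, a snapshot of the credentials taken by malware is stale as soon as the genuine device next syncs, and the server can refuse and flag the attacker’s connection while the device that stayed in sync keeps working. The caveat to note: a snapshot used before the next legitimate sync passes this check, so the token bounds the window of misuse rather than closing it, and in practice it has to be paired with other signals.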
Kodi Data Breach Hits 400,000 Users’ Records & Private Messages
Kodi, the developer of the open-source media player of the same name, has disclosed a data breach after threat actors stole its MyBB forum database, including user data and private messages. The attackers then tried to sell the records of 400,635 Kodi forum users on the now-defunct BreachForums cybercrime marketplace. MyBB admin logs show that the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console on February 16 and 21. The threat actors used that account to create and download complete nightly database backups, which they then deleted. The account in question has since been disabled.
The backups contained all public forum posts and team posts, user-to-user private messages, and user data such as forum usernames, the email addresses used for notifications, and passwords in MyBB’s hashed and salted form. There is no evidence that the threat actors gained access to the server hosting the MyBB software. Because the genuine account owner did not perform any of these actions in the admin console, credential theft is the likely explanation. As a precaution the maintainers announced a global password reset, and users who reused their forum password elsewhere should change it there too. Kodi has taken the forum offline and is commissioning a new server, which will take “many days”; the rebuilt forum will run the latest MyBB software. Read more.
Darktrace Finds No Evidence Of LockBit Compromise
Cybersecurity company Darktrace says it has found no evidence that the LockBit ransomware group accessed its network, after the gang added an entry to its dark web leak site claiming to have stolen data from Darktrace’s servers. Darktrace investigated as soon as it was named on the leak site and found no indication that its systems had been breached. The company responded, “Our security specialists have done a thorough review of our internal systems and can find no indicators of compromise.”
On Friday, Chief Information Security Officer Mike Beck reached the same conclusion after reviewing the company’s systems. “We have finished a thorough security review,” Beck said. “We can confirm that neither our systems nor affiliates have been affected.” Darktrace noted that LockBit had tweeted the previous day claiming to have infiltrated its internal networks, and that customer services were unaffected. LockBit appears to have mistaken Darktrace for threat intelligence firm DarkTracer, which had tweeted that the gang’s leak site was being flooded with fake victims. Read more.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.