27 January 2023

Cyber security week in review: January 27, 2023

Law enforcement authorities take down Hive ransomware

Europol announced that the Hive ransomware operation's Tor payment and data leak sites have been seized as part of an international law enforcement operation involving authorities from 13 countries.

The FBI revealed it had covertly hacked and disrupted the prolific Hive ransomware operation that had extorted around $100 million from over 1,500 companies since June 2021. The group had targeted hundreds of victims in over 80 countries worldwide, including hospitals, school districts, financial firms, and critical infrastructure.

The FBI infiltrated Hive’s computer networks in July 2022 and obtained over 300 decryption keys that allowed victims to recover encrypted files, preventing $130 million in ransom payments. The agency gained access to two dedicated servers and one virtual private server at a hosting provider in California that were leased using email addresses belonging to Hive members, and Dutch police also gained access to two backup dedicated servers hosted in the Netherlands.

In a related statement the US Department of State said it is offering a reward of up to $10 million for information on “links Hive or any other malicious cyber actors targeting US critical infrastructure to a foreign government.”

Google disrupts 50,000 accounts of pro-Chinese Dragonbridge influence operation

Google said it disrupted over 50,000 accounts in 2022 used by a China-linked spammy influence network known as Dragonbridge or Spamouflage Dragon. The network has a presence across multiple platforms, including YouTube, Blogger, Facebook, and Twitter, primarily disseminating narratives critical of the US and pushing pro-China views. In 2022 Dragonbridge narratives spanned a wide range of news topics, ranging from China’s Covid-19 response to the war in Ukraine. The actor has primarily targeted Chinese speakers, but some narratives were in English and other languages.

Google noted that despite the operation’s extensiveness and high volume of content production, it has minimal to no engagement from real viewers.

Riot Games suffers social engineering attack

Riot Games, the studio behind popular games like Valorant and League of Legends, fell victim to a social engineering attack that affected systems in its development environment. According to the company, the League of Legends source code was stolen during the intrusion. Riot Games said that the attackers demanded a $10 million ransom, which it doesn't intend to pay. After the video game maker refused to pay the ransom the hackers began selling the League of Legends source code for $1 million.

GoTo says hackers stole encrypted backups, an encryption key

LastPass' parent company GoTo (formerly LogMeIn) revealed that a threat actor stole encrypted backups and an encryption key for a portion of that data as part of a 2022 LastPass breach that also impacted GoTo. The compromised information may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.

Apple ships zero-day patch for older iPhones, iPads

Apple has issued security updates for macOS, iOS, iPadOS, and watchOS to address a zero-day vulnerability affecting older devices running iOS 12.

Tracked as CVE-2022-42856, the zero-day is a type confusion issue in the WebKit web browser engine that allows a remote attacker to achieve remote code execution by tricking the victim into visiting a malicious website.

PoC exploit for Windows CryptoAPI vulnerability released

Security researchers released proof-of-concept (PoC) exploit code for a now-patched security flaw in the Windows CryptoAPI discovered by the US National Security Agency last year.

The vulnerability (CVE-2022-34689) exists due to incorrect processing of user-supplied data in the Windows CryptoAPI. A remote attacker can manipulate an existing public X.509 certificate, spoof page content, and perform actions such as authentication or code signing as the targeted certificate.

FBI confirms North Korean hackers behind $100M Harmony hack

The US Federal Bureau of Investigation (FBI) has concluded that a North Korea-linked state-sponsored hacker group known as the Lazarus Group is the perpetrator behind the $100 million Harmony Bridge hack that took place in June 2022. The agency said that in the Harmony case the attackers used the Railgun privacy protocol to launder over $60 million worth of Ethereum (ETH) stolen during the June 2022 heist. A portion of the stolen funds was subsequently sent to several virtual asset service providers and converted to Bitcoin (BTC). Unrecovered funds were subsequently sent to 11 Ethereum addresses.

Hackers increasingly abusing RMM software for nefarious purposes

Threat actors are increasingly misusing legitimate remote monitoring and management (RMM) software to conduct phishing scams and other malicious activity, CISA, the NSA and MS-ISAC warned. While the observed attacks appear to be financially motivated, threat actors could weaponize the unauthorized access for other nefarious purposes, including selling that access to other hackers.

Russian cyberspies use multi-stage Telegram scheme to target Ukrainian orgs

A Russia-linked cyber-espionage group known as Gamaredon (Armageddon) is abusing the infrastructure of the popular messaging service Telegram to fly under the radar and deliver malicious payloads to its victims. In the latest campaign the threat actor was observed exploiting the remote template injection vulnerability (CVE-2017-0199) to bypass Microsoft Word macro protections and gain initial access to victim systems.

UK warns of increased phishing attacks launched by Russian, Iranian hackers

The UK National Cyber Security Centre (NCSC) released a security advisory detailing TTPs used by the Russia-based SEABORGIUM (Callisto Group, TA446, COLDRIVER, TAG-53) and Iran-linked TA453 (APT42, Charming Kitten, Yellow Garuda, ITG18) threat actors, which have been increasingly targeting UK entities with spear-phishing attacks. Throughout 2022, the sectors targeted by SEABORGIUM and TA453 included academia, defense, governmental organizations, NGOs and think-tanks, as well as politicians, journalists and activists.

North Korean TA444 APT is testing new methods to increase revenue

Proofpoint released a new report highlighting the cyber tactics of a North Korean hacker group tracked as TA444, whose activity overlaps with publicly reported activity attributed to APT38, Bluenoroff, and Stardust Chollima. The researchers say that the group, which is very likely tasked with generating revenue for the North Korean government, has recently turned its attention from banks to cryptocurrency and has been observed testing several infection methods in the wild, involving new file types in phishing emails and new payloads.

Chinese hackers adopt SparkRAT open-source tool

SentinelLabs has a report out on recent cyberattacks by a China-linked threat actor called DragonSpark against East Asian organizations that used the little-known open-source tool SparkRAT. The DragonSpark attacks leverage compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.
