Hacker Tracker: April 2023
Welcome to Hacker Tracker, where we report on and analyze the past month’s most significant cyberattacks. As usual, ransomware and phishing have been popular methods used by cybercriminals. We’ve also seen several attacks from Chinese and Russian state-sponsored groups, a troubling trend that shows no sign of going away. Read on to learn how defenses were breached, and the impact it’s having on the organizations. Spoiler alert: it’s never good.
Microsoft AitM
When it happened
Ongoing; began in June 2022.
What happened
Microsoft's Threat Intelligence team revealed that a threat actor, DEV-1101, is selling high volumes of phishing kits that are used to carry out difficult-to-detect adversary-in-the-middle (AiTM) campaigns.
Method of attack
AiTM attacks involve intercepting and altering communications between two parties, usually a user and a website, in order to bypass multi-factor authentication (MFA) and steal sensitive financial and personal data. As AiTM doesn’t rely on imitation (or “spoofed”) websites, it’s harder to detect than other forms of phishing.
The fallout so far
According to Microsoft, this AiTM kit is being used widely, with attackers sending millions of phishing emails with it every day. The use of sophisticated phishing tactics like this on a vast scale underlines the urgent need for organizations to protect themselves with the most advanced phishing-resistant solutions available.
Ferrari
When it happened
The company disclosed the breach on March 20.
What happened
Ferrari suffered a cyberattack, informing its customers that hackers accessed a "limited number of systems" in its environment. The company discovered the breach after receiving a ransom demand.
Method of attack
While we know that the attackers breached some of Ferrari’s IT systems and demanded a ransom not to leak the stolen data, the company hasn’t said if this was a ransomware attack or just an attempt at extortion.
The fallout so far
Sensitive financial information wasn’t stolen; however, the breached customer data included names, addresses, email addresses, and telephone numbers, opening up the risk of phishing attacks on these individuals.
Latitude Financial
When it happened
March 16
What happened
The Australian loan giant disclosed a breach that was estimated to impact 328,000 customer records. Subsequent forensic investigations led to a revised estimate of 14 million affected individuals. Nearly 20 years of loan applicant records from Australia and New Zealand were stolen, including drivers’ licenses, passport numbers, phone numbers, and financial statements.
Method of attack
The source of the breach is suspected to be a compromised credential for an administrative user from DXC, an IT services giant that was likely providing some outsourced services to Latitude.
The fallout so far
Speculation on the role of DXC and their potential shared liability has run rampant since they issued a vague public statement that they were, “Australian Cyber Security Centre (ACSC), and we have advised them that our systems are secure and operating as normal.”
WH Smith
When it happened
The company disclosed the attack in a London Stock Exchange notice on March 2.
What happened
Attackers stole data belonging to both current and former employees of British retail giant WH Smith.
Method of attack
The company hasn’t disclosed how the attack happened, but Bleeping Computer reports that it’s suspected to be a ransomware attack. This is because it comes in the wake of numerous high-profile British companies, including Royal Mail and JD Sports, being targeted with ransomware.
The fallout so far
WH Smith has said that the attack hasn’t impacted its ability to trade, and that customer data was not accessed as it's stored separately. The current and former employees whose data was stolen will now be at risk of identity fraud.
Trezor
When it happened
The attacks are ongoing.
What happened
Trezor, one of the leading makers of hardware crypto wallets, has warned that cybercriminals are sending its customers phishing SMS messages that falsely claim the company has suffered a security breach.
Method of attack
The hackers are sending users phishing texts claiming that they may have been victims of a Trezor data breach, prompting them to click on a link to find out more. This link leads to a website where users are asked to enter their Trezor hardware wallet credentials, which would enable the attackers to access the victim’s cryptocurrency.
The fallout so far
It’s unclear how much success the attackers have had with this campaign, but this is just the latest in a string of high-profile attempts by hackers to steal cryptocurrency from hardware wallets. Indeed, this is not the first such incident Trezor has suffered—attackers targeted their customers in a similar phishing campaign just last year.
SonicWall
When it happened
The attacks are ongoing.
What happened
Hackers connected to the Chinese government are using malware to infect a popular security appliance manufactured by SonicWall, an American cybersecurity company—and alarmingly, the malware persists even after the device has undergone firmware updates.
Method of attack
The malware monitors for firmware updates every ten seconds, and responds to these in such a way that it maintains its presence within the security appliance. For a full technical breakdown of this malware, read the report that exposed it.
The fallout so far
The malware grants the attackers highly privileged access to the victims’ IT systems, enabling them to steal data like cryptographically hashed passwords. The ability of Chinese state hackers to gain this kind of access, and the difficulty in removing it, is concerning for the organizations impacted.
Stalker 2
When it happened
The hack was disclosed on March 12.
What happened
GSC Game World, the Ukrainian makers of the STALKER games, revealed that a Russian hacker has stolen and leaked development material from the company's systems. The hacker is threatening to release tens of gigabytes of additional data if ransom demands are not met, citing pro-Russian political motives for the attack.
Method of attack
The company said that an employee's account for a collaborative image-editing application was breached. We don’t have further details yet, but it appears to be a ransomware attack.
The fallout so far
GSC Game World has spoken candidly about what their company has suffered, saying “This is not the first attempt to hack and leak our data… we have been enduring constant cyberattacks for more than a year now.” The company has also made it clear, however, that these attempts at intimidation will not work given their deep commitment to the Ukrainian cause.
Meta
When it happened
September to November 2021
What happened
Greece's national intelligence agency used spyware tool Predator to wiretap and hack the phone of a former Meta security policy manager, Artemis Seaford. This is the first example of a US citizen being involved in the wider scandal around illegal wiretapping engulfing the Greek government.
Method of attack
Predator spyware infects a victim’s phone after they click a malicious link, and can subsequently track activity on their phone, including texts, calls, photos, and videos.
The fallout so far
Greece is a democracy, but the seemingly random targeting of a US citizen exemplifies a wide-ranging and indiscriminate use of spyware surveillance that’s more characteristic of an authoritarian regime.
GoAnywhere
When it happened
Between late January and early February.
What happened
Dozens more organizations, including the City of Toronto and Hitachi Energy, have revealed to TechCrunch that they were victims of a wide-ranging ransomware attack that exploited a security flaw in GoAnywhere MFT, a popular file transfer software provider.
Method of attack
The ransomware attack, carried out by the Russia-linked Clop group, exploited a zero-day remote code injection vulnerability in the GoAnywhere software.
The fallout so far
While Clop is seeking to extort the victims, threatening to publish the stolen data if ransoms aren’t paid, the gang apparently may not know exactly what data it took in this attack. As such, the severity of the fallout is still unclear.
European transport sector
When it happened
Ongoing
What happened
Europe’s transport sector is being hit hard by cyberattacks, according to a new report from the European Union Agency for Cybersecurity (ENISA).
Method of attack
A sharp rise in ransomware and denial-of-service attacks targeting the European transport sector has been reported. The report links the rise of the latter to the war in Ukraine and the subsequent increase in “hacktivism” by Russia-linked groups.
The fallout so far
Attacks like these have negative financial, operational, and reputational consequences for their victims. This new report serves as a wake-up call for the European transport sector to invest more heavily in up-to-date cybersecurity protection.
Snipping tools
When it happened
Ongoing
What happened
Researchers have uncovered a serious security flaw in the Google Pixel and Windows 11 snipping tools. Dubbed “Acropalypse”, the bug allows original—and potentially sensitive—photo data that had been cropped or edited out to be recovered, in a blow to the privacy of users.
Method of attack
If a user opens a file in the snipping tools and overwrites the existing file with edits, the tools leave behind the old data rather than permanently deleting it. This would make it possible for malicious actors to at least partially recover the edited parts of the image.
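As an added example (not from the original article, and assuming PNG output, which is the format the affected tools write), the check below walks a PNG's chunk list and counts the bytes left after the IEND chunk, which is exactly what an overwrite without truncation leaves behind. The sample image and the leftover tail are constructed inline so the script runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Yield (chunk_type, offset_just_past_chunk) for each chunk up to and including IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4-byte length + 4-byte type + payload + 4-byte CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        yield ctype, end
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Number of bytes after IEND: 0 for a clean file, >0 if old data was left behind."""
    end_of_png = 0
    for _ctype, end in png_chunks(data):
        end_of_png = end
    return len(data) - end_of_png


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk with its CRC (helper for building the sample file)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Construct a minimal 1x1 RGB PNG (sample input, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolor
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = build_sample_png()
# Simulate the bug: the smaller edited image is written over the start of the old
# file without truncating it, so bytes of the original remain after IEND.
OLD_IMAGE_TAIL = b"\x00" * 300  # constructed stand-in for leftover original image data
OVERWRITTEN_PNG = CLEAN_PNG + OLD_IMAGE_TAIL
```

Any non-zero result on a cropped screenshot means the original pixel data may still be recoverable and the file should be re-exported rather than shared.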
The fallout so far
It’s unclear how extensively this bug has been exploited by hackers. However, if the recovered data is sensitive (for example, payment details edited out of a photo of a credit card), malicious actors could use it to blackmail or cause distress to victims. This prospect is concerning given how widely these snipping tools are used.
Other news
The changing face of cybercrime
- Despite a decline in reported ransomware attacks in 2022, experts warn that the threat is merely evolving, with non-ransomware extortion and data theft on the rise.
- In better news, a new decryption tool has been released that enables certain victims of a modified variant of the notorious Conti ransomware to retrieve their encrypted data without having to pay anything.
- The recent AT&T data breach—which affected nine million customers—should motivate users of mobile service providers to opt out of data collection, says cybersecurity analyst Brian Krebs.
Big tech names get ‘pwned’
At the Pwn2Own 2023 conference in Vancouver, security researchers successfully hacked Windows 11, Tesla, Ubuntu, and macOS products, and won six-figure cash prizes.
Russian cyberwarfare tactics exposed
A dissident whistleblower leaked the “Vulkan files,” which expose disturbing details of Vladimir Putin’s use of cyberwarfare at home and abroad.
Microsoft patches security hole - again
Microsoft has tried again to patch a vulnerability that was exploited by the Magniber cybercrime group to carry out ransomware attacks, after a previous attempt to fix the security hole was bypassed by attackers within a month.
Government agency news
It’s always a good idea to remain aware of government cybersecurity news and updates. Here are the key announcements this month:
- CISA issued a new Cybersecurity Advisory that provides network defenders with key recommendations for enhancing their organization's cybersecurity stance.
- The Biden administration released its new National Cybersecurity Strategy, which proposes measures such as legislation to hold software companies accountable for cybersecurity negligence and increased involvement by cloud providers and the military in disrupting cybercriminal infrastructure.
- In the wake of this announcement from President Biden, the US Transportation Security Administration (TSA) issued a new directive requiring airports and aircraft operators to meet higher standards for preventing the cyberattacks that have become all too common in the industry.
- According to the latest annual cybercrime report from the FBI, the amount of money lost through investment scams has surged from $1.45 billion in 2021 to $3.31 billion in 2022, surpassing business email compromise (BEC) as the leading cause of investment losses.
Generative AI is impacting cybersecurity
AI tools like ChatGPT are generating buzz but also causing some cybersecurity headaches:
- A journalist proved it’s possible to bypass banks’ voice ID checks using AI-generated voice.
- ChatGPT's privacy history has been disabled by OpenAI, most likely because of a security vulnerability that allowed users to view each other's histories.
- Guardio's security team has uncovered a new variant of “FakeGPT”, a Facebook Ad Accounts stealer posing as a Chat-GPT Chrome Extension, that is already affecting thousands of users daily.
Malware news
- The first known example of malware that takes control of a computer's boot process, even bypassing advanced protections, has been uncovered. The malware, dubbed “BlackLotus”, can execute its attack even on fully updated Windows systems.
- Mac users attempting to download Final Cut Pro from The Pirate Bay via torrents are unwittingly downloading cryptojacking malware instead, researchers have revealed.
- Google has suspended the app belonging to Pinduoduo, a major Chinese e-commerce company, due to the presence of malware in certain versions of its software.
Hackers caught
- Mario Zanko of NetWire, Conor Brian Fitzpatrick of BreachForums, DEA hackers Sagar Steven Singh and Nicholas Ceraolo, and serial scammer Solomon Ekunke Okpe are among the cybercriminals charged and/or sentenced this month.