Hacker Tracker: December 2022
There’s no shortage of cybercrime for us to report on this month. We’ve seen breaches, including the access to sensitive health data (AstraZeneca), cybercriminals bribing their way into customer accounts (Meta), and a Russian state-sponsored attack on an elected assembly (the European Parliament).
Read on for our analysis of these high-profile attacks, and more, that took place during the past month.
AstraZeneca
When it happened
A period of over a year up until November 4.
What happened
Sensitive patient data relating to AZ&Me, a prescription savings program, was accessible for over a year until AstraZeneca was made aware of this by TechCrunch. The company quickly rectified the breach.
Method of attack
A developer at pharma giant AstraZeneca left the credentials to one of their internal servers exposed on GitHub. Apparent reuse of this password provided access to a Salesforce instance containing real and sensitive patient data. We don’t know yet if this breach has been exploited, as AstraZeneca has not disclosed whether they’ve determined if the data was accessed or stolen by malicious actors.
The fallout so far
The potential theft of sensitive patient data is always a serious matter, and one that can entail significant financial, reputational, and legal costs.
Dropbox
When it happened
The company discovered the breach on October 14.
What happened
Popular file hosting service Dropbox suffered a phishing attack, which it revealed in a statement. The attackers obtained employee credentials and used them to access a GitHub account and steal 130 code repositories. This stolen code, and the surrounding data, included several thousand names and email addresses.
Method of attack
The attackers sent phishing emails to Dropbox employees that mimicked the login page of CircleCI, the continuous delivery and integration application. They were able to trick at least one employee into first entering their GitHub credentials, and subsequently entering a one-time password as well, thus granting the attackers access.
The fallout so far
Dropbox has stated that the attackers didn’t gain access to code for their core apps or infrastructure, nor to the passwords, accounts, and payment details of any of their customers. So while this attack will no doubt cause embarrassment to the company, it was less damaging than many of those recently inflicted on other high-profile victims. Dropbox also indicated that they were already in the process of deploying more phishing-resistant MFA techniques; it stands to reason that such activities have likely been accelerated.
“Disneyland Team” Malware
When it happened
Ongoing.
What happened
An investigation by Hold Security analysts has revealed that a group of cybercriminals—who dub themselves the “Disneyland Team”—are tricking customers of large financial institutions like Charles Schwab, Ameriprise, and U.S. Bank into visiting cunningly disguised phishing sites.
Method of attack
The “Disneyland Team” are using an internet standard called Punycode, which lets domain names carry characters outside the basic ASCII alphabet (such as accented Latin letters) and has browsers display them as Unicode. For example, the domain used to trick customers of financial institution Ameriprise contains ‘xn--meripris-mx0doj’, but Punycode allows this to appear in browsers as ‘ạmeriprisẹ’, with the barely distinguishable dots under the ‘a’ and ‘e’ the only way for customers to tell the difference.
Once victims visit these sites, their computers are infected with powerful, Windows-based malware known as Gozi 2.0/Ursnif. This collects the victim’s credentials and enables the hackers to connect to the website of the victim’s bank via the victim’s computer.
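To show what a defender can do with the Punycode label quoted above, here is an added example (not code from the original post or from Hold Security) that decodes xn-- hostnames with Python’s built-in IDNA codec and flags two homograph indicators: a label whose diacritics fold away to a protected brand name, and a label that mixes scripts. The .example domain, the watch-list of brands, and the Cyrillic test label are constructed for the example.

```python
"""Decode Punycode (xn--) hostnames and flag homograph lookalikes of
protected brand labels, as a defender-side check."""
import unicodedata

# Constructed watch-list: the registrable labels of brands this page names.
PROTECTED_LABELS = {"ameriprise", "schwab", "usbank"}


def decode_hostname(hostname: str) -> str:
    """Decode every xn-- label with Python's IDNA codec (RFC 3490/3492).
    Hostnames that are already Unicode are returned unchanged."""
    if not hostname.isascii():
        return hostname
    return hostname.encode("ascii").decode("idna")


def skeleton(label: str) -> str:
    """Crude confusable skeleton: decompose, then drop combining marks, so
    'ạmeriprisẹ' collapses to 'ameriprise'. The full Unicode confusables
    table (UTS #39) would also fold cross-script lookalikes; this does not."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode
    name ('LATIN', 'CYRILLIC', ...); digits and hyphens count as COMMON."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze(hostname: str) -> dict:
    """Return homograph indicators for the registrable (second-level) label."""
    unicode_host = decode_hostname(hostname)
    labels = unicode_host.split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    mixed_script = len(scripts) > 1  # e.g. Latin letters mixed with Cyrillic
    folded = skeleton(label)
    # A non-ASCII label whose skeleton is a protected brand is a lookalike.
    lookalike_of = folded if (not label.isascii() and folded in PROTECTED_LABELS) else None
    return {
        "unicode": unicode_host,
        "skeleton": folded,
        "mixed_script": mixed_script,
        "lookalike_of": lookalike_of,
        "suspicious": mixed_script or lookalike_of is not None,
    }


if __name__ == "__main__":
    # The label quoted on the page, under a constructed .example TLD.
    print(analyze("xn--meripris-mx0doj.example"))
```

Run against the page’s label, the result reports the Unicode form ‘ạmeriprisẹ.example’, a skeleton of ‘ameriprise’, and a lookalike match; a genuine ASCII ‘ameriprise.example’ is not flagged.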
The fallout so far
We don’t have any data yet on how many people have been victims of the “Disneyland Team.” This is a striking example, however, of the increasingly advanced methods cybercriminals are adopting, underlining the importance of having multi-factor authentication (MFA) that doesn’t rely on phishable factors like passwords.
Whoosh
When it happened
The data leak started on November 11.
What happened
Whoosh, a major scooter-sharing service in Russia, suffered a breach of data affecting 7.2 million customers. The hackers have been selling this data—which includes payment details, user ID information, and promo codes—on an online forum.
Method of attack
Corporate transparency standards are low in Russia, meaning the company hasn’t disclosed how its IT systems were breached by the attackers.
The fallout so far
Whoosh released a statement saying that they’re working with the Russian authorities to prevent the distribution of the data, but unfortunately, it’s likely too late to stop the payment and personal data being purchased and abused by criminals. Unless the company is able to invalidate them, the promo code leak will likely mean a loss of revenue for Whoosh as well.
Meta employee bribery
When it happened
Over a period of several years.
What happened
According to documents and sources available to the Wall Street Journal, Meta has fired a number of its employees for abusing their powers to improperly enable access to Facebook and Instagram user accounts. In some cases, the employees have been accused of taking bribes from cybercriminals in return for granting them access to accounts.
Method of attack
If the allegations against the individuals in question are true, this is a shocking instance of a company’s employees actually helping hackers gain access to user accounts in exchange for large sums (tens of thousands of dollars in some cases).
The fallout so far
The discovered employees have been fired, but this incident illustrates the difficulty Meta has in managing access to billions of accounts. It is also another example of how IT systems that rely on passwords are vulnerable to all kinds of breaches.
Crypto phishing campaign
When it happened
Started in 2021 (just with Coinbase) but is ongoing. There has been a significant uptick in activity since the FTX collapse.
What happened
According to a PIXM report, a phishing campaign is underway to gain access to the accounts of users of popular cryptocurrency exchanges Coinbase, MetaMask, Crypto.com, and KuCoin and steal crypto assets from them.
Singapore police are also warning those impacted by FTX’s collapse to not engage with numerous phishing sites purporting to offer return of funds and asking for login information from users.
Method of attack
The attacks involve an elaborate defrauding process that begins with a phishing email to the targets, usually mimicking transaction confirmation or suspicious activity alerts. The cybercriminals then lure the victims to a fake customer support window, where they are taken through several further steps to steal their crypto assets. In the case of FTX, scams using deepfake videos, Twitter Blue verified accounts, and sites impersonating law enforcement have been especially popular in the wake of some 1 million customers losing their funds.
The fallout so far
The cryptocurrency industry has been heavily targeted by hackers, who see an unparalleled opportunity to steal huge amounts of wealth stored in digital currencies. Phishing campaigns like these highlight the particular importance for crypto exchanges to take every measure available to remove phishable elements from their cybersecurity systems.
European Parliament
When it happened
November 21.
What happened
The European Parliament, the legislative branch of the European Union, was briefly hit by a sophisticated cyberattack from a pro-Russian hacking group, causing its internet system to be disrupted for roughly two hours.
Method of attack
European Parliament member Marcel Kolaja confirmed to Politico that the Russian hackers launched a distributed denial-of-service (DDoS) attack, in which a large volume of traffic is directed at the targeted servers, overwhelming them and disrupting access for users.
The fallout so far
This attack came just after the European Parliament voted to declare Russia a state sponsor of terrorism. The DDoS attack successfully shut the European Parliament website down for only a few hours. So far, no other damage has been reported.
Cincinnati State Technical and Community College
When it happened
Early November (no exact date available).
What happened
Vice Society, who are prolific hackers of educational institutions, launched a ransomware attack against Cincinnati State Technical and Community College. They caused significant disruption to the college’s online services and leaked personally identifiable information belonging to current and former students.
Method of attack
We know from a recent Microsoft report that Vice Society has been using ransomware in their attacks against educational institutions. However, experts say that the methods Vice Society uses are not especially sophisticated, relying heavily on widely available lateral movement tools and already published privilege escalation vulnerabilities.
The fallout so far
The documents made publicly available by Vice Society date back a number of years and contain a substantial amount of personal data. To make matters worse, as Bleeping Computer reports, the release of documents dated as late as November 24 implies that Vice Society possibly still has access to the organization’s IT systems. There are also wider implications, as Cincinnati State College is just the latest victim of Vice Society; LAUSD was also recently targeted, as we covered in November’s Hacker Tracker.
Other News
Venus ransomware warning
A United States Department of Health and Human Services (HHS) advisory has warned the healthcare sector against the threat of Venus ransomware, with the cybercriminals behind it having already successfully targeted one organization in the industry.
Robin Banks returns
Robin Banks, a phishing-as-a-service (PhaaS) provider that helps cybercriminals target customers of major banks like Santander and CitiBank, has been brought back online with the help of DDoS-Guard, a Russian internet provider.
Department of Defense releases zero-trust roadmap
The Department of Defense has released a strategy and roadmap document outlining its intention to move towards a zero-trust approach to cybersecurity. It states that, in light of evolving threats, they no longer consider a traditional perimeter-based approach to be adequate.
Lookout Government Threat Report
Lookout has released its 2022 Government Threat Report, which includes data showing an increased threat of phishing attacks against government employees, with the number of attacks aimed at them increasing sharply by 30% in 2021 compared to the previous year.
FTC action against Chegg
The Federal Trade Commission is taking action against education technology provider Chegg, alleging that the company’s negligent approach to cybersecurity led to four breaches since 2017, which resulted in the exposure of sensitive customer data.
NYDFS and EyeMed settlement
The New York Department of Financial Services (NYDFS) has reached a $4.5 million settlement with EyeMed Vision Care LLC over allegations that the latter took a lax approach to protecting its customer data from cyberattacks, subsequently leading to sensitive health data (including that of minors) being exposed.
Researchers fight back against Zeppelin ransomware
Journalist Brian Krebs reports that researchers managed to crack the keys of the Russian ransomware strain Zeppelin, allowing almost two dozen companies to recover their data without having to pay a ransom.
Changing SEC cybersecurity regulations
The SEC is likely to bring in new regulations soon that require companies to show greater transparency over their cybersecurity capabilities. This Harvard Business Review article gives some excellent advice about how boards should prepare for this.
Preventing attacks with phishing-resistant MFA
Attacks like these aren’t inevitable. All too often they happen because organizations aren’t using the most comprehensive, up-to-date cybersecurity protection.
Beyond Identity’s phishing-resistant MFA removes vulnerable factors like passwords, replacing them with three secure factors:
- Local biometrics such as fingerprint and facial recognition.
- Cryptographic security keys that are only stored on trusted devices.
- Device-level security checks at the time of login.
To learn more about how Beyond Identity’s Zero Trust Authentication solution can prevent your organization from suffering credential-based breaches, book a demo today.