This week’s cybersecurity news highlights the LockBit ransomware attack on the Port of Lisbon, Google Home eavesdropping, stolen API keys of the Crypto platform, disguised Google ads deploying malware, Twitter’s data leak, and $3 million stolen from BTC. Let’s look at these in detail.

LockBit Ransomware Attack on Port of Lisbon

The third largest port in Portugal, the Port of Lisbon, was the victim of a cyberattack on Christmas day, the responsibility for which has been claimed by the LockBit ransomware gang.

The Port of Lisbon is one of Portugal’s most critical infrastructures. The ransomware attack did not halt any of the port’s operations, as all safety protocols and response measures were rapidly activated to thwart the threat actors’ efforts.

The LockBit ransomware group added the name of the Port of Lisbon Administration (APL) to its extortion site, claimed the attack, and listed stolen data comprising financial reports, contracts, cargo information, audits, ship logs, crew details, port documentation, email addresses, and customer PII (Personally Identifiable Information).

LockBit has made a ransom demand and has threatened to publish all the stolen files on 18 January of this year if the ransom is not paid. The threat actors demand $1,500,000 and say they are also open to delaying the publication of the data by 24 hours for $1000. What’s more outrageous is that the LockBit ransomware gang is also willing to sell the stolen information immediately to interested individuals for $1000.

Meanwhile, the Port of Lisbon Administration (APL) is working with competent entities to guarantee system and data security.

Hackers Using Google Home Speakers to Eavesdrop

The Google Home smart speaker had a bug that allowed threat actors to install a backdoor, control the device remotely, and access its microphone feed.

The bug was discovered by a researcher, Matt Kunze, who received $107,500 for reporting it to Google. Matt disclosed the details this year and explained how new accounts added through the Google Home application were allowed to send remote commands to the device using the cloud API (Application Programming Interface).

By setting up a proxy to capture the encrypted HTTP (HyperText Transfer Protocol) traffic from the local port, anyone could add a new rogue user to a targeted Google Home device through the account-linking process and automate the exfiltration of all device data.

Any threat actor could spy on an individual using the device by sending de-auth packets to the device, connecting to its setup network to gather device information, and using that information to link an account to the device and start spying.

Google confirmed the issue with the researcher’s help and released a patch that introduced an invite-based system, blocking account-linking attempts from any account not added to Google Home.

Crypto Platform API Keys Stolen by Hackers

An anonymous Twitter user published 10,000 API keys obtained from the cryptocurrency trading platform 3Commas. The keys are used by 3Commas bots to generate profits via automated trading.

The threat actors claim that the published API keys are only 10% of their stolen data set, meaning they hold 100,000 API keys which they plan to release in the coming days. 3Commas has examined the leaked data and confirmed that the API keys are legitimate, and that all supported exchanges, such as Coinbase, Binance, and KuCoin, should revoke access for all of them.

Furthermore, 3Commas urges users to reissue their keys and contact their exchange for individual support. The platform has investigated the possibility of an inside job, but it does not appear to be one. 3Commas announced on Twitter that only a handful of technical employees had access to the keys, and that their access was revoked on November 19.

The first reports about the leaked information came in October, but 3Commas took time to confirm the data breach. During that time, multiple users lost funds totaling in the neighborhood of $6 million, and the platform was accused of leaking credentials.

Google Ads Leveraged to Spread Malware Disguised as Legitimate Software

Malware operators have been leveraging the Google Ads platform to spread malware to users searching for legitimate software.

The threat actors have been disguising the malware as legitimate applications such as Grammarly, Slack, Dashlane, Audacity, OBS, Ring, MSI Afterburner, Brave, and more. By cloning the official websites of these applications, the threat actors distribute trojanized versions of them to users. The malware downloaded to the victims’ systems includes Raccoon Stealer, a customized Vidar Stealer, and the IcedID malware.

The Google Ads platform promotes the advertised applications by placing them among the top results, which means any user searching for genuine software without an ad blocker is likely to fall victim to the campaign, as the ads look like genuine search results. The threat actors behind the campaign pose a significant threat because they evade Google’s automated checks, which are not easily bypassed: Google removes malicious ads when the landing site is found to be questionable.

Guardio Labs, who analyzed the campaign, has made it clear that these ads can cause real harm: the payload is delivered as a ZIP or MSI file hosted on GitHub, Dropbox, or Discord’s CDN, which helps it avoid raising anti-virus flags. Trend Micro also analyzed the IcedID malware campaign and described how the threat actors abuse the Keitaro Traffic Direction System for their malicious purposes.

Massive Data Leak for Twitter, 5.4 Million Affected

The Irish DPC (Data Protection Commission) launched an inquiry following the massive Twitter data leak that affected over 5.4 million individuals.

The leaked data included public information scraped from Twitter’s website together with the private email addresses and phone numbers of the affected individuals. The threat actors obtained the data by exploiting an API vulnerability that Twitter fixed back in January.

The DPC released a statement claiming that “one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed concerning Twitter Users’ personal data.” The stolen data was offered for sale on hacking forums for $30,000, and the entire database of 5,485,635 Twitter users was shared for free in September and November. The DPC serves as the EU’s watchdog and will determine whether Twitter has fulfilled all of its obligations for processing user data.

Separately, security expert Chad Loder revealed further details on the Twitter data leak, claiming that the breach occurred in 2021 and that its extent might go beyond 5.4 million users.

$3 Million Stolen During a Cyberattack on BTC.com

BTC.com, one of the world’s top crypto mining pools, suffered a significant cyberattack that led to the theft of nearly $3 million in crypto.

BTC.com stated that nearly $700,000 worth of its clients’ crypto assets and nearly $2.3 million worth of crypto assets owned by the organization itself were stolen. BTC.com detected the attack on 3 December and reported the incident to the Chinese law enforcement authorities.

BTC.com also launched an investigation on 23 December, collecting evidence with assistance from multiple agencies, and has been making considerable efforts to recover the stolen funds. The platform may be conducting business as usual, but its digital asset services remain halted, as there is still no information on who the threat actors are or how they made off with millions in crypto funds.

There is also no clarification on whether the threat actors stole any personal data. Cybercriminals have been continually targeting cryptocurrencies since they came into existence, because these digital funds are harder to get hold of and promise high returns.