French Agency Breach, PixPirate's Stealth Technique, Fake Wallet Scam - Cybersecurity News [March 11, 2024]
Here we are again with the latest inside scoop on the cybersecurity highlights of the week. We’ll share details of the data leak in France’s job-seeking portal, the latest advancements of PixPirate Android malware, the fake “Leather” wallet crypto drainer application on the App Store, the Russian attack on Microsoft, and the arrest of a former Google employee who stole cutting-edge AI tech from the organization. Stay tuned!
Data Leak at French Job Agency Affects 43 Million Individuals
Hackers breached the systems of France Travail (formerly Pôle Emploi) and made away with the personal information of nearly 43 million people.
France Travail is an official government agency that registers unemployed individuals, assists them in finding jobs, and gives them financial aid. This week, the agency shared a notice that threat actors stole the data of job seekers on its portal in a cyberattack between 6 February and 5 March 2024. France’s cyber-surveillance portal also shared a notice outlining how the affected individuals would receive notifications from the agency.
The threat actors made away with the data of the individuals who had applied for jobs in the last 20 years. The data includes their full names, birth dates, hometowns, social security numbers, emails, postal addresses, and phone numbers. Such data could cause a lot of havoc in the wrong hands as threat actors could use it for identity theft and spear phishing attacks.
The threat actors were not named, but the attack is indirectly attributed to Clop ransomware. The threat actor gang exploited a zero-day in the MOVEit transfer software. However, installing spear phishing prevention solutions can help prevent identity theft and evade spear phishing attacks.
New Stealth Technique Employed by PixPirate Android Malware
A new version of PixPirate is floating around Android devices, allowing the banking trojan to hide on the phones even if the dropper is removed.
Image sourced from itworldcanada.com
The novel malware was documented last month by Cleafy TIR’s researchers. It has been targeting Latin American banks and has a separate dropper application that loads the malware into the devices. IBM shared a new report this week that PixPirate does not follow the suite of traditional Android malware and does not hide its launcher icon. Instead, it uses different applications to load and function malware.
The first is a downloader distributed via malicious APKs (Android Package Files) that asks for critical permissions on the device. It then downloads and installs the second application, the actual PixPirate banking malware, in its encrypted form. Even if the former is removed from the device, the latter would still launch the malware on multiple device events and avoid detection by the user.
The dropper application is shared via phishing emails and WhatsApp messages, so it’s best to avoid APKs arriving with unsolicited emails and messages. Furthermore, consider implementing effective malware protection solutions to enhance security.
Counterfeit Leather Wallet Application Drains Cryptocurrency on Apple’s App Store
A fake Leather cryptocurrency application on Apple’s App Store has been draining the platform user’s wallets.
The official account of the Leather wallet application shared news of the fake version of the wallet, confirming that the platform does not have any iOS application at all. They also asked the individuals who had already entered their seed phrases into the fake application to move their cryptocurrencies to new wallets for safety.
Once the passphrase is entered, it is likely sent to the threat actors behind the phony application, which they use to steal all the assets in the account. The application was taken down after Leather reported it to Apple. It was published by the account “LetalComRu” and even used the platform’s official logo. It even had a rating of 4.9 out of 5 to make it appear genuine, but most reviews were from fake accounts and had similar comments using ChatGPT.
The App Store does not report the count of downloads, so it’s still unknown exactly how many individuals had the application on their phones. However, it was live for two weeks before it was removed.
Russian Cyber Intrusion into Microsoft Results in Source Code Access
Microsoft also shared the news this week that it suffered a Midnight Blizzard hack attack where the threat actors could access its internal systems and source code repositories.
The Russian threat actor group hacked Microsoft in January of this year, where they made away with authentication secrets and used the same to get into their systems. Microsoft did not explain precisely the nature of the data stolen this time. Still, they have contacted individuals whose data was exposed during the breach and are helping them mitigate it. They also outlined how the threat actor group has developed its password spray attack tactics against targeted systems, and such attacks have been a massive increase.
Microsoft summarized the report, sharing that it has increased its “security investments, cross-enterprise coordination and mobilization” and is conducting investigations of Midnight Blizzard.
AI Technology Theft by Google Engineer for Companies in China
In other news, the US DoJ (Department of Justice) announced the indictment of Linwei Ding—the ex-employee who stole Google’s AI trade secrets and supplied them to Chinese enterprises.
Linwei Ding stole proprietary information about AI technologies of the tech giant Google and sent it to two organizations in China. The man worked for the organizations secretly and shared information that contained data about crucial technology and Google’s advanced supercomputing data centers for AI.
The DoJ outlined how Ding started working as a software engineer for Google in 2019 and started stealing data, uploading it to a personal cloud server in May 2022. The theft continued for a year, and the man copied source files into Apple Notes and then converted these to PDFs to evade detection.
The data was supplied to an AI organization where he assumed the role of a “Chief Technology Officer” and another one, “Shanghai Zhisuan Technology Co.” where he was listed as a founder. Ding made multiple visits to China, where he met with investors and did not disclose any of these to Google. Furthermore, Ding also sought the help of a friend to scan his entrance badge to make it appear as if he was working in Google’s US office when he was, in fact, in China.
Ding lied to Google’s investigator but was later found guilty and arrested on 5 March 2024. The man now faces a penalty of up to a decade in jail and a fine of $1 million.