Trello Emails Leaked, Malware Domains Registered, Kaspersky Exits USA – Cybersecurity News [July 15, 2024]
Here’s an inside look at the latest cybersecurity news covering the 15 million emails stolen from Trello, Kaspersky’s exit from the U.S., what Revolver Rabbit is doing with 500,000 domains, the AT&T Data Breach, and info-stealer malware being distributed via Facebook ad campaigns. Let’s take a look!
Email Addresses of 15 Million Trello Users Posted on Hacking Forum
A threat actor has shared the email addresses of over 15 million Trello users, collected by leveraging an unsecured API (Application Programming Interface).
Atlassian’s Trello is an online project management tool that is quite common among businesses for organizing tasks. The threat actor goes by the name of “emo” and obtained the email addresses of 15,115,516 Trello members back in January. The data in the profiles is public information, but the profiles were also linked to non-public email addresses.
Emo said the data was collected through an unsecured REST API that let developers query the public information of any profile by Trello ID, email address, or username. The threat actor built a data set of 500 million email addresses and fed it to the API to find out which of them were linked to Trello accounts, and got 15 million hits.
The data is available for sale on the Breached hacking forum and contains public Trello account information, email addresses, and full names that threat actors can use for targeted phishing attacks and doxing.
Atlassian confirmed that this API misuse was uncovered in January 2024, and they made changes to prevent unauthenticated users/services from making requests.
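The abuse pattern described above, a client sweeping a lookup endpoint with a long list of identifiers, leaves a distinctive footprint in API access logs. As an added illustration (not Trello’s or Atlassian’s code), the script below parses a constructed log format and flags any client whose unauthenticated member lookups touch many distinct identifiers inside a short window. The `/members/<identifier>` path, the `anon`/`token` field and the sample log lines are all assumptions made for the example.

```python
"""Spot bulk identifier lookups (account enumeration) in API access logs.

Added example, not Trello's or Atlassian's code. The log format is a
constructed one: "<ISO timestamp> <client ip> <method> <path> <status> <auth>",
where <auth> is "anon" for unauthenticated calls and "token" for calls that
carried an API key. The /members/<identifier> path is an assumption for
illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed sample log: one client sweeps distinct e-mail identifiers without
# authenticating, another makes a few authenticated calls (a normal integration).
SAMPLE_LOG = """\
2024-01-10T12:00:00Z 203.0.113.7 GET /members/user1@example.test 200 anon
2024-01-10T12:00:00Z 203.0.113.7 GET /members/user2@example.test 404 anon
2024-01-10T12:00:01Z 203.0.113.7 GET /members/user3@example.test 404 anon
2024-01-10T12:00:01Z 203.0.113.7 GET /members/user4@example.test 200 anon
2024-01-10T12:00:02Z 203.0.113.7 GET /members/user5@example.test 404 anon
2024-01-10T12:00:02Z 203.0.113.7 GET /members/user6@example.test 404 anon
2024-01-10T12:00:05Z 198.51.100.9 GET /members/team-bot 200 token
2024-01-10T12:00:06Z 198.51.100.9 GET /boards/abc123 200 token
2024-01-10T12:00:07Z 198.51.100.9 GET /members/team-bot 200 token
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<auth>\S+)$"
)
MEMBER_LOOKUP_RE = re.compile(r"^/members/(?P<ident>[^/?]+)")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, str]]:
    """Return (timestamp, ip, path, status, auth) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["path"], m["status"], m["auth"]


def find_enumerators(
    log_text: str,
    threshold: int = 5,
    window: timedelta = timedelta(minutes=1),
) -> Dict[str, Tuple[int, int]]:
    """Flag clients whose *unauthenticated* member lookups touch at least
    `threshold` distinct identifiers inside any sliding `window`.

    Returns {ip: (distinct_identifiers, resolved_hits)}, where resolved_hits is
    the number of lookups answered with 200, i.e. identifiers confirmed to
    belong to an account. Authenticated traffic is left alone: the mitigation
    described in the article is to require authentication, not to ban lookups.
    """
    events = defaultdict(list)  # ip -> [(timestamp, identifier, status)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path, status, auth = parsed
        lookup = MEMBER_LOOKUP_RE.match(path)
        if lookup and auth == "anon":
            events[ip].append((ts, lookup["ident"], status))

    flagged: Dict[str, Tuple[int, int]] = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        lo = 0
        for hi in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct_in_window = {ident for _, ident, _ in evs[lo:hi + 1]}
            if len(distinct_in_window) >= threshold:
                total_distinct = len({ident for _, ident, _ in evs})
                hits = sum(1 for _, _, st in evs if st == "200")
                flagged[ip] = (total_distinct, hits)
                break
    return flagged


if __name__ == "__main__":
    for ip, (distinct, hits) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {distinct} distinct identifiers probed, {hits} resolved")
```

The distinction that matters for detection is distinct identifiers per client, not raw request volume: a legitimate integration polls the same few identifiers repeatedly, while an enumeration run almost never repeats one. The 200-versus-404 split is also worth keeping, since it tells you how many accounts were actually confirmed by the sweep.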
Revolver Rabbit Gang Registers Half a Million Domains for Malware Attacks
The Revolver Rabbit cybercriminal gang has registered over 500,000 domain names for targeting Windows and Mac systems with infostealers.
The threat actors use RDGAs (Registered Domain Generation Algorithms) to register large numbers of domain names automatically and almost instantly. These are similar to the DGAs that malware commonly uses to generate candidate destinations for C2 (Command and Control) communication. A DGA is usually embedded in the malware strain itself, and only a handful of the domains it generates are ever registered, whereas an RDGA stays with the threat actors, who register every generated domain that is available.
Revolver Rabbit’s use of RDGAs to buy half a million domains was uncovered by researchers at Infoblox, who also reported that the threat actors distribute the XLoader info-stealer through these domains to execute malicious files and collect sensitive data. The actor’s preferred naming format for the domains involves one or more dictionary words hyphenated together, followed by a five-digit number. Some of these are:
- app-software-development-training-52686[.]bond
- security-surveillance-cameras-42345[.]bond
- bra-portable-air-conditioner-9o[.]bond
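A naming pattern this regular is something a defender can match against DNS or proxy logs. The script below is an added example (not Infoblox’s tooling) that classifies names against the pattern described above: a strict form for the hyphenated-words-plus-five-digits shape, and a looser form that also catches the third quoted domain, whose suffix is “9o” rather than five digits. The three .bond names are the ones quoted in the article; the two other entries are constructed benign controls.

```python
"""Flag domains that fit the Revolver Rabbit naming pattern described above.

Added example, not Infoblox's tooling. The three .bond domains are the ones
quoted in the article (in defanged form); the other entries are constructed
benign controls. Matching on a name pattern like this is a cheap first-pass
filter for DNS logs, not an attribution: a real pipeline would also check the
labels against a word list and consult registration age and TLD reputation.
"""
import re
from typing import Dict, List

# Constructed sample: the quoted RDGA domains plus two made-up benign names.
SAMPLE_DOMAINS = [
    "app-software-development-training-52686[.]bond",
    "security-surveillance-cameras-42345[.]bond",
    "bra-portable-air-conditioner-9o[.]bond",
    "example[.]com",
    "green-energy[.]org",
]


def _patterns(tld: str):
    t = re.escape(tld)
    # Strict form as described: one or more hyphenated words, then five digits.
    strict = re.compile(rf"^(?:[a-z]+-)+\d{{5}}\.{t}$")
    # Looser form: at least two hyphenated words, then a short alphanumeric
    # suffix containing a digit. Covers the quoted "9o" variant, which the
    # strict form misses.
    loose = re.compile(rf"^(?:[a-z]+-){{2,}}(?=[a-z0-9]*\d)[a-z0-9]{{2,6}}\.{t}$")
    return strict, loose


def refang(domain: str) -> str:
    """Undo the [.] defanging used when quoting indicators."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def classify(domain: str, tld: str = "bond") -> str:
    """Return 'strict', 'loose' or 'none' for how well a name fits the pattern."""
    strict, loose = _patterns(tld)
    d = refang(domain)
    if strict.match(d):
        return "strict"
    if loose.match(d):
        return "loose"
    return "none"


def scan(domains: List[str], tld: str = "bond") -> Dict[str, List[str]]:
    """Bucket observed names (e.g. from passive DNS) by match level."""
    out: Dict[str, List[str]] = {"strict": [], "loose": [], "none": []}
    for d in domains:
        out[classify(d, tld)].append(refang(d))
    return out


if __name__ == "__main__":
    for level, names in scan(SAMPLE_DOMAINS).items():
        print(level, names)
```

The TLD is a parameter because the article only shows .bond examples; widening it to other TLDs is a judgement call that should be backed by your own telemetry. Treat a “strict” or “loose” hit as a reason to enrich (registration date, registrar, resolving IP) rather than as a block decision on its own.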
Infoblox has been tracking Revolver Rabbit for almost a year, and the gang’s malicious operations are widespread, including malware delivery, scams, routing traffic to malicious locations, and phishing and spam campaigns.
Kaspersky Ends Its Operations in the United States
Kaspersky Lab, one of the most significant Russian cybersecurity organizations and antivirus software providers, issued a statement that it would start shutting down all operations in the U.S.
The announcement follows the sanctions imposed by the OFAC (U.S. Treasury Department’s Office of Foreign Assets Control) on 12 Kaspersky Lab executives. The decision was the result of a thorough investigation that found the organization’s operations in the U.S. posed a risk to national security, owing to the Russian government’s cyber capabilities and its sway over the organization’s operations.
The OFAC also outlined that any person or business using Kaspersky products and services assumes all cybersecurity risks. The organization was banned from selling software and providing any antivirus updates on 29 September 2023.
The organization has shared that it will gradually wind down all operations in the U.S. and eliminate all US-based positions starting 20 July 2024.
AT&T Data Breach Reveals Call Logs of 109 Million Customers
In other news, AT&T has been warning users of a massive data breach where the threat actors made away with the call logs of nearly 109 million customers.
The logs were stored in an online database on the organization’s Snowflake account and were stolen between 14 and 25 April this year. AT&T subsequently filed a Form 8-K with the SEC, stating that the stolen information contains the call and text records of AT&T mobile users and of the customers of its MVNOs (Mobile Virtual Network Operators).
The stolen data contains telephone numbers, interaction counts, aggregate call durations, and cell site identification numbers. It does not include customer names or the content of the calls or texts, but the phone numbers can still be tied to identities by correlating the communications metadata with publicly available information.
AT&T notified law enforcement and began working with cybersecurity experts as soon as the attack was discovered, and twice obtained permission from the U.S. DoJ to delay public notification. AT&T indicated that law enforcement has already apprehended one individual in connection with the case and that the organization is implementing top-notch phishing protection measures to block similar unauthorized attempts in the future.
All the former and current customers affected by the breach will soon receive notifications on what to do. In the meantime, you can use the links provided in AT&T’s notification to check if your phone number data was exposed. You can also download and check what data was stolen.
Facebook Ads for Windows Desktop Themes Distribute Info-Stealing Malware
Threat actors are using Facebook business pages and ads to infect innocent victims with the SYS01 password-stealing malware.
The campaign was discovered by researchers at Trustwave, who shared that the threat actors promote Windows themes, free game downloads, and software activation cracks for applications. They are promoted via business pages, where the threat actors hijack existing pages and assume the business identity, tricking the pre-existing user base.
The threat actors take out thousands of ads for different campaigns, and when a user clicks on one, they are taken to web pages designed to look like download pages for the ad’s promoted content. If you click on the download buttons, the browser downloads a ZIP archive that contains the SYS01 info-stealer. The malware is extremely capable and contains a ton of executables, DLLs, and PowerShell and PHP scripts that help the threat actors steal data from infected systems.
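A desktop theme has no legitimate need for executables, DLLs or PowerShell and PHP scripts, which makes the contents of the archive itself a strong signal before anything is run. The script below is an added example (not Trustwave’s tooling) that inspects a ZIP archive in memory and flags members by extension, plus a content check that catches a binary renamed to look like an image. Both archives it works on are constructed in memory for the example; the “theme” file names are invented.

```python
"""Triage a downloaded "theme" archive before anything in it is opened.

Added example, not Trustwave's analysis tooling. The archives are constructed
in memory to imitate the kind of download the article describes: a handful of
harmless theme files plus executables, DLLs and PowerShell/PHP scripts, the
member types SYS01 is reported to bundle. A legitimate Windows theme needs
none of those, so their presence alone justifies blocking the archive.
"""
import io
import posixpath
import zipfile
from typing import Dict, List, Tuple, Union

# Extensions that have no business inside a desktop-theme download.
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".hta", ".php",
}

FAKE_PE = b"MZ" + b"\x00" * 62  # constructed: just the DOS header magic


def build_archive(members: Dict[str, Union[str, bytes]]) -> bytes:
    """Build a ZIP in memory from {path: content}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed malicious-looking sample mirroring the article's description.
SUSPICIOUS_THEME = {
    "DarkTheme/readme.txt": "Run setup.exe to install the theme\n",
    "DarkTheme/wallpaper.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "DarkTheme/setup.exe": FAKE_PE,
    "DarkTheme/bin/helper.dll": FAKE_PE,
    "DarkTheme/bin/run.ps1": "Start-Process .\\setup.exe\n",
    "DarkTheme/php/index.php": "<?php echo 'stub'; ?>\n",
    "DarkTheme/preview.png": FAKE_PE,  # executable hiding behind an image name
}
# Constructed benign sample: what a real theme download could plausibly contain.
CLEAN_THEME = {
    "LightTheme/Light.theme": "[Theme]\nDisplayName=Light\n",
    "LightTheme/wallpaper.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
}


def triage_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (member, reason) pairs for every member that should not be there."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                magic = fh.read(2)
            if ext in RISKY_EXTENSIONS:
                findings.append((info.filename, f"executable or script type {ext}"))
            elif magic == b"MZ":
                # Content check catches renamed binaries the extension test misses.
                findings.append(
                    (info.filename, f"PE header behind {ext or 'no extension'}")
                )
    return findings


def verdict(data: bytes) -> str:
    """'block' if any member is flagged, otherwise 'allow'."""
    return "block" if triage_zip(data) else "allow"


if __name__ == "__main__":
    for name, reason in triage_zip(build_archive(SUSPICIOUS_THEME)):
        print(f"{name}: {reason}")
    print("verdict:", verdict(build_archive(SUSPICIOUS_THEME)))
```

The same logic fits a mail gateway or a download-scanning proxy: the decision is made on what the archive contains, not on whether any one file is already known to antivirus, which is exactly where a freshly repacked stealer tends to slip through.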
The info-stealing malware runs in a virtual environment, helping it evade detection and establish persistence within the system, making away with browser cookies, browser credentials, and crypto wallets. The stolen data is stored in a folder temporarily before being sent to the threat actors, who use the stolen credentials to hijack more accounts for malvertising.
The campaign is also spreading to other social media platforms such as LinkedIn and YouTube. The best way to protect yourself is to ensure you have robust malware protection, steer clear of such advertisements, and never download anything from untrusted sources.