The digital world is gripped by alarming news and novel scams each week. This week's cybersecurity bulletin covers a Russian data breach, an extortion scam, a fresh IceXLoader malware campaign, China's spying activities, a Google SEO poisoning campaign, and Turkey's social media shutdown. Let us take a look.
Whoosh Data Breach, 7.2 Million Customer Records Sold
Whoosh, a Russian scooter-sharing service, suffered a data breach, and the hackers are now selling a database containing 7.2 million customer records.
Whoosh operates in nearly 40 cities and has 75,000 scooters. The threat actor had hacked Whoosh earlier, but the organization told Russian media that its IT experts had handled the attack. The hacker then listed the stolen customer database for sale on hacking forums, after which the organization admitted the data leak and said it was working with law enforcement to contain the cyberattack.
The stolen information includes promotional codes and partial user identification details such as email addresses, phone numbers, first names, and partial payment card details that could be used for financial harm. The threat actor stated that the database holds partial card details for nearly 1,900,000 customers and over 3,000,000 promo codes that buyers could utilize.
The deal on the cybercriminal forum states that the threat actor will only sell the database to 5 individuals for 0.21490980 bitcoins or about $4200 each. The news showcases how the organization failed to protect its customers’ information and exposed 7.2 million individuals to financial and personal harm.
Extortion Scam Targeting Global Websites
Global websites are being targeted by threat actors using a new extortion scam. The threat actors claim to have hacked the website's servers and demand a $2500 ransom in exchange for not leaking the stolen data.
Team Montesano, the hackers behind the extortion scam, send emails to the website owners with the subject, “Your website, databases, and emails have been hacked.”
The email is not targeted: it demands ransoms from every recipient, including organizations, government websites, and government agencies. Besides claiming they will leak the stolen data, the threat actors threaten to damage the website's reputation and get it blacklisted if the victim does not give in to the $2500 demand.
The payments are directed to two Bitcoin addresses, and some recipients have already paid ransoms to these addresses. The mass-email campaign is simply the threat actor exploiting the current security climate and the panic caused by rising cybercrime, playing on the fears of website owners. The extortion campaign has been around since 2018 but has resurfaced recently.
The same threat actors have also sent bomb threats, hitman contracts, ransomware threats, and threats of CIA investigations. You should not pay any attention to such threats; mark the emails as spam and delete them.
Android Malware Linked to Chinese Spies
Android spyware known as "BadBazaar" has been discovered targeting China's ethnic and religious minorities.
MalwareHunterTeam discovered BadBazaar, which shares infrastructure with another spyware strain that the state-sponsored group APT15 used to target the Uyghurs in 2020. BadBazaar consists of over 110 applications that have been in circulation since 2018; they are distributed via third-party stores and are not found on Google Play, Android's official app store.
The spyware collects a large amount of information, including location, installed applications, call logs, contacts, SMS history, device and WiFi information, and call recordings. It can even take new photos and exfiltrate them. A new campaign of 50 applications delivered the newer Moonshine version of the spyware, which was promoted in Uyghur-speaking Telegram channels.
Researchers at Lookout have found that the Moonshine version is of Chinese origin and written in Simplified Chinese. The incident shows how China continues its surveillance of minorities despite increased pressure and outcry from human rights organizations.
IceXLoader Malware Infecting Homes, Dropped Via Phishing
A new phishing campaign infects corporate and home devices with a fresh version of the IceXLoader malware. The malware was first discovered in the summer of 2022, and the latest version, 3.3.3, enhances its functionality with a multi-stage delivery process.
IceXLoader is aggressively promoted on cybercriminal forums and infects systems via a ZIP file delivered in phishing emails. The ZIP extractor creates a hidden folder and drops the second-stage executable into it; that executable fetches a PNG from a malicious URL (Uniform Resource Locator) and converts it into the IceXLoader payload, which is stored as an obfuscated DLL (Dynamic Link Library) file. Once the payload is decrypted, the malware checks for sandboxes and is finally loaded.
The malware is highly sophisticated: it collects the IP (Internet Protocol) address, username, machine name, Windows OS version, installed security products, hardware information, and timestamps, and creates a registry key for persistence. It also uses advanced evasion to bypass Microsoft's Antimalware Scan Interface, a part of Windows Defender, and exfiltrates the collected data to the threat actor-controlled C2 (Command and Control) server.
Security researchers continuously inform affected organizations and home users, but new victims are added to the list daily. It is recommended to familiarize yourself with phishing tactics and avoid clicking on suspicious links in emails.
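The delivery chain above starts with a ZIP attachment that extracts a hidden folder containing an executable. The script below is an added example for mail-gateway or SOC triage, not code from the article or from any vendor report: it inspects an archive for hidden path components, executable or double extensions, and PE bytes hiding under a harmless-looking name. The sample archives are constructed inline, and the extension list is an assumption to be tuned per environment.

```python
"""Triage a ZIP e-mail attachment for the traits the IceXLoader campaign uses:
a hidden folder and an executable dropped inside it. Added example, not from
the article or from any vendor report; the sample archives are constructed here."""
import io
import zipfile

# Extensions Windows will execute or script-host directly (assumption: a
# conservative triage list, extend it for your environment).
EXEC_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
             ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE (EXE/DLL) file


def triage_zip(data: bytes) -> list[str]:
    """Return human-readable findings for the archive; an empty list means clean."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = [p for p in name.split("/") if p]
            # Hidden directories (".cache/", ".tmp/") keep the second stage
            # out of sight in the extracted tree.
            if any(p.startswith(".") for p in parts):
                findings.append(f"hidden path component: {name}")
            if ".." in parts or name.startswith("/"):
                findings.append(f"path traversal attempt: {name}")
            if info.is_dir():
                continue
            base = parts[-1] if parts else name
            exts = ["." + e.lower() for e in base.split(".")[1:]]
            last = exts[-1] if exts else ""
            if last in EXEC_EXTS:
                findings.append(f"executable extension: {name}")
                if len(exts) >= 2:  # e.g. invoice.pdf.exe
                    findings.append(f"double extension: {name}")
            # Extension spoofing: PE bytes under a non-executable name.
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC and last not in EXEC_EXTS:
                findings.append(f"PE header under non-executable name: {name}")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(triage_zip(data))


def build_sample_archive() -> bytes:
    """Constructed sample modelled on the described delivery chain (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr(".cache/update.exe", PE_MAGIC + b"\x00" * 62)  # hidden folder + executable
        zf.writestr("readme.txt", PE_MAGIC + b"\x90" * 16)         # PE bytes under a .txt name
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed clean archive used as a control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"PK constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_zip(build_sample_archive()):
        print(line)
```

The check reads only the first two bytes of each member, so it stays cheap on large archives; a real gateway would also cap total uncompressed size before extracting anything.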
Google SEO Poisoning Campaign Compromises 15,000 Websites
A black hat SEO (Search Engine Optimization) campaign is underway by hackers who have already compromised nearly 15,000 websites. The threat actor redirects the site’s visitors to fake discussion forums.
The attacks were observed by Sucuri, which found that the compromised websites contained 20,000 files belonging to the SEO attack campaign. Most of the attacked sites are WordPress websites. Sucuri believes the threat actor is running the campaign to generate indexed pages so that the Q&A discussion forum's authority and rank on Google increase.
However, the campaign may also be priming the sites to drop malware or host phishing in the future. The hackers modify WordPress PHP files to inject redirects into them and drop their own PHP files under random legitimate-looking file names so they are not recognized quickly. These infected files contain malicious code that checks whether the visitor is logged in and redirects them to "https://ois.is/images/logo-6[.]png" if they are not.
The threat actors use multiple domains and hide behind Cloudflare to mask their activities. Individuals are advised to steer clear of any such pages, and website owners should update all WordPress plugins and implement 2FA (Two Factor Authentication).
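Because the injected code redirects only visitors who are not logged in, an administrator browsing their own site never sees it. The scanner below is an added example for site owners and responders, not Sucuri's tooling or the campaign's code: it looks through WordPress PHP files for literal redirects to hosts the site does not own, for the not-logged-in gate, and for common obfuscation primitives, and it flags any PHP under wp-content/uploads. The ois.is indicator comes from the write-up above; the example.com allowlist entry and the sample file contents are constructed assumptions.

```python
"""Scan WordPress PHP files for the injected-redirect pattern Sucuri describes:
a redirect that fires only for visitors who are not logged in, pointing at a
domain the site does not own. Added example, not Sucuri's tooling or the
campaign's code; sample files are constructed below."""
import re
from pathlib import Path
from urllib.parse import urlparse

# Indicator from the write-up summarized above (defanged there as ois[.]is).
KNOWN_BAD_HOSTS = frozenset({"ois.is"})

# Literal redirect targets via header("Location: ...") or wp_redirect("...").
REDIRECT_RE = re.compile(
    r"""(?:header\s*\(\s*['"]Location:\s*|wp_redirect\s*\(\s*['"])(?P<url>https?://[^'"\s]+)""",
    re.IGNORECASE,
)
# The campaign hides from administrators by redirecting only anonymous visitors.
LOGIN_GATE_RE = re.compile(r"!\s*is_user_logged_in\s*\(\s*\)")
# Primitives commonly used to hide the real redirect target.
OBFUSCATION_RE = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def scan_php_source(src: str, allowed_hosts: frozenset[str] = frozenset()) -> list[str]:
    """Return findings for one PHP file's contents; an empty list means nothing matched."""
    findings: list[str] = []
    redirects = list(REDIRECT_RE.finditer(src))
    for m in redirects:
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(f"redirect to known-bad host {host}")
        elif host not in allowed_hosts:
            findings.append(f"redirect to external host {host}")
    if redirects and LOGIN_GATE_RE.search(src):
        findings.append("redirect gated on visitor not being logged in (hides it from admins)")
    if OBFUSCATION_RE.search(src):
        findings.append("obfuscation primitive present")
    return findings


def scan_tree(root: Path, allowed_hosts: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Walk a WordPress install and report every PHP file with findings.
    PHP under wp-content/uploads is flagged outright: WordPress never puts code there."""
    report: dict[str, list[str]] = {}
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        findings = scan_php_source(path.read_text(errors="replace"), allowed_hosts)
        if rel.startswith("wp-content/uploads/"):
            findings.append("PHP file inside uploads directory")
        if findings:
            report[rel] = findings
    return report


# Constructed samples modelled on the described behaviour (not real captured files).
INJECTED_SAMPLE = """<?php
if (!is_user_logged_in()) {
    header("Location: https://ois.is/images/logo-6.png");
    exit;
}
"""
BENIGN_SAMPLE = """<?php
// Legitimate post-form redirect to the site's own host (example.com is an assumption).
wp_redirect("https://example.com/thanks");
exit;
"""


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        # File name chosen to look legitimate, as the campaign does (constructed).
        (root / "wp-content" / "uploads" / "wp-sitemap.php").write_text(INJECTED_SAMPLE)
        (root / "thanks.php").write_text(BENIGN_SAMPLE)
        for rel, hits in scan_tree(root, frozenset({"example.com"})).items():
            print(rel, hits)
```

Run it against a copy of the document root with the site's own hostnames in the allowlist; every hit is a file to diff against a clean WordPress or plugin release rather than something to trust on sight, since obfuscated injections will not carry a literal URL.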
Turkey Suspends Social Media Following Blast
Following a terrible blast in Istanbul, Turkey, the country's authorities restricted access to social media websites and applications such as Instagram, Facebook, Twitter, Telegram, and YouTube, imposing a nationwide ban.
The blast has been recognized as a terrorist attack that took eight innocent lives and left 81 injured. Turkish authorities issued a broadcast ban to discourage the spread of information about the attack, after which the ISPs (Internet Service Providers) halted all access to the above-mentioned social media applications and platforms.
WhatsApp was not blocked, since it was not causing any significant disruption, but NetBlocks confirmed that the other applications were restricted from Sunday afternoon. This is not Turkey's only recent restriction: President Erdoğan proposed a "disinformation" law to penalize social media users and journalists for spreading fake information or news, and those violating the rule could face up to 3 years in prison.
The law is now in effect, and access to the social media platforms was restored gradually, as tweeted by NetBlocks.