The malicious activities of cybercriminals never stop, and neither does the cybersecurity news that we bring to keep you updated with the best of security. This week’s top cybersecurity news includes malware targeting Japanese politicians, Gmail’s end-to-end encryption, Epic Games’ $520 million fine, JFK’s taxi dispatch system hacking, LastPass’ cloud storage breach, and the new PolyVice encryptor. Let us take a look.

 

MirrorStealer Malware Campaign Targeting Japanese Politicians

The MirrorFace hacking group has been targeting Japanese politicians with its MirrorStealer malware. The MirrorStealer campaign targeted politicians weeks before the election for the House of Councilors in July 2022.

ESET’s researchers, who discovered the campaign, reported that the threat actors left behind traces that led to its discovery. The threat actors used LODEINFO, their signature information-stealing malware. LODEINFO has links to APT10 infrastructure and communicates with that group’s C2 (Command and Control) server. Back in October, Kaspersky also outlined the deployment of LODEINFO against Japanese targets and the development of a custom backdoor capability.

During the July attacks, the MirrorFace cybercriminal group, which comprises members from the APT10 and Cicada groups, sent out spear-phishing emails impersonating PR agents of the targets’ political parties. The attachments, including video files and WinRAR archives, contained an encrypted copy of the LODEINFO malware along with a malicious DLL (Dynamic-link library) loader.

LODEINFO then deployed MirrorStealer on the compromised systems, which harvested login credentials stored in email clients and web browsers and exfiltrated them to the C2 server. ESET discovered the campaign because APT10 did not remove the MirrorStealer text files containing the stolen credentials and left them on the compromised systems.

 

End-to-end Encryption for Gmail Web

Google has announced its E2EE (End-to-End Encryption) for Gmail. The E2EE will allow individuals using Google Workspace or Gmail to send and receive encrypted emails both inside and outside the domain.

Google’s E2EE has been in the market for some time and is already available on Google Drive, Docs, Sheets, Slides, Meet, and Calendar. When enabled, it ensures that all email content, including the body and any attachments, is never decrypted by Google’s servers. The only part not encrypted is the email header, since it includes timestamps and recipient lists.

 

 

Individuals will be able to use their own encryption keys for organizational data or use the default encryption provided by Google. Google’s CSE (Client-Side Encryption) encrypts all content in the client’s browser before it is transmitted. While using CSE, you can also choose whether to share encrypted content internally or externally.

Google E2EE is still in the beta phase, available to customers of Google Workspace Enterprise Plus, Education Plus, and Education Standard. You can submit an application to apply for the beta or wait for it to go public.

 

Epic Games fined $520 Million for Privacy Violations

Fortnite creator Epic Games has been fined a whopping $520 million by the FTC (Federal Trade Commission) for violating children’s privacy laws and for using dark patterns that led players into unintentional in-game purchases.

Fortnite is free to download and play, but in-game costumes and dance moves require players to pay. With a player base of over 400 million worldwide, the FTC has decided on a $520 million fine: $275 million is the monetary penalty for violating COPPA (Children’s Online Privacy Protection Act), a federal law in the United States that regulates the collection of personal information from children under the age of 13, and the remaining $245 million is a refund for players affected by dark patterns and billing practices.

The FTC’s fine against Epic Games is the most significant monetary penalty, the largest administrative order, and the most significant gaming case refund to date. Epic Games was found guilty of harvesting children’s personal information without verifiable parental consent and enabling real-time voice and text chat communications by default, opening them up to bullying and harassment.

The penalty also reflects that Epic did not turn off the default chat settings even after employees urged the organization to do so as far back as 2017, and after multiple children were sexually harassed while playing the game. Epic Games also confused players with purchase prompts and misleading offers that led them to make purchases unintentionally.

 

JFK’s Taxi Dispatch System Hacked by Russians for Profit

Two US citizens were arrested for conspiring with Russian threat actors. Together they hacked the taxi dispatch system of JFK (John F. Kennedy International Airport) to move taxis up the queue for a $10 fee.

 


JFK’s taxi dispatch system ensures that taxis leaving the airport’s holding lot are sent to the appropriate terminal for their fare. The system keeps operations orderly for taxi drivers, since there is significant demand for taxis at the airport. The US DoJ (United States Department of Justice) explained that Daniel Abayev and Peter Leyman, with the help of Russian hackers, breached this system for nearly a year between September 2019 and 2021.

The accused tried various ways to get into the system, including bribing someone to infect it with malware via a flash drive, obtaining unauthorized access, and stealing tablets connected to the dispatch system. The US DoJ also found discussions between the two about hacking into the dispatch system.

The hackers communicated with taxi drivers through chat applications and private groups, posting “Shop Open” and “Shop Closed” announcements; drivers then paid $10 in cash or by mobile payment to skip the line. The accused will have to forfeit all property related to the offenses and may face a sentence of up to 10 years in prison.

 

Cloud Storage Breach, Hackers Steal Customer Vault Data from LastPass

Threat actors stole critical customer vault data after breaching LastPass’s cloud storage. Last month, Karim Toubba, the organization’s CEO, had claimed that the threat actors only gained access to “certain elements.”

The threat actor gained access to LastPass’s cloud storage using an access key and dual storage container decryption keys stolen from the developer environment. Once inside, the threat actors copied customer account information, including organization names, end-user names, email addresses, billing addresses, contact numbers, and IP (Internet Protocol) addresses.

The stolen vault data is not entirely at risk, since it is still encrypted with 256-bit AES and can only be decrypted using each individual’s master password, which LastPass never stores and therefore does not know.

LastPass has warned its customers that attackers may attempt brute-force attacks against their master passwords, even though sensitive vault fields such as usernames, passwords, attachments, form-fill data, and secure notes remain encrypted.
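The warning above is about an offline guessing attack: whoever holds the encrypted vault can try master-password candidates at their own pace, so the only defences are the password’s guess space and the cost of each guess, which is set by the key-derivation iteration count. The following added example (not LastPass code; the iteration counts, guess rates and password sizes are illustrative assumptions, not values from the article) derives a 256-bit vault key with PBKDF2-HMAC-SHA256 and estimates how long a given number of guesses would take.

```python
import hashlib
import math


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key from a master password with PBKDF2-HMAC-SHA256.

    A vault encrypted under this key cannot be opened without the password:
    the provider holds only the salt and the ciphertext, never the key.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def offline_guess_seconds(iterations: int, guesses: int, hmac_per_second: float) -> float:
    """Seconds an attacker holding salt + ciphertext needs to try `guesses` passwords.

    For a single 32-byte output block, each PBKDF2 guess costs `iterations`
    HMAC-SHA256 evaluations, so total cost scales linearly with both the
    iteration count and the number of candidates.
    """
    return guesses * iterations / hmac_per_second


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of candidates for a password drawn uniformly from an alphabet."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def main() -> None:
    # Assumed attacker speed (hypothetical GPU rig): one billion HMAC-SHA256 per second.
    rate = 1e9
    # Illustrative iteration counts, chosen for the comparison, not quoted from the article.
    for iterations in (5_000, 100_000, 600_000):
        print(f"\nPBKDF2 iterations: {iterations:,}")
        # (alphabet, length): 8 lowercase letters vs 12 mixed-case+digits vs 16 printable.
        for alphabet, length in ((26, 8), (62, 12), (95, 16)):
            space = guess_space(alphabet, length)
            # Expected work is half the space; report the full space as the worst case.
            secs = offline_guess_seconds(iterations, space, rate)
            print(
                f"  {length:2d} chars from {alphabet:2d}-symbol alphabet "
                f"({bits_of_entropy(alphabet, length):5.1f} bits): "
                f"{secs / 86400 / 365:.3g} years to exhaust"
            )


if __name__ == "__main__":
    main()
```

The takeaway for the incident above is that a short master password loses even at high iteration counts, because the attacker needs only thousands of derivations, while a long random one stays out of reach regardless of the attacker’s hardware; raising the iteration count buys a linear factor, lengthening the password buys an exponential one.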

 

New Custom Encryptor for Vice Society Ransomware Gang

The Vice Society ransomware gang has switched to a new ransomware encryptor based on NTRUEncrypt and ChaCha20-Poly1305.

Named PolyVice, the new encryptor gives the threat actors a unique signature and appends “ViceSociety” to all locked files. The encryptor first appeared in July 2022; it leaves ransom notes under a new name, includes hardcoded master keys and wallpapers, and provides a builder that enables buyers to generate multiple lockers/decryptors.

 

 

PolyVice also uses a hybrid encryption scheme: the payloads import a pre-generated 192-bit NTRU public key and generate another key pair on the compromised system, unique for each target. PolyVice encrypts files under 5 MB, partially encrypts those between 5 MB and 100 MB, and splits files over 100 MB into evenly sized chunks, each of which is partially encrypted.

SentinelOne’s findings show the advanced capabilities of PolyVice, and threat actors employing the encryptor can cause catastrophic damage while demanding ransoms.
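One practical consequence of the size-tiered, partial encryption described above is that an affected file is no longer uniformly high-entropy: encrypted regions sit next to untouched plaintext. A chunk-level entropy scan is a common way for responders to triage which files were touched during an incident. The example below is added here and is not SentinelOne’s or Vice Society’s code; the chunk size and thresholds are assumptions chosen for the demonstration, and the sample “file” is constructed inline (a text region followed by a stand-in for ciphertext) rather than taken from any real sample.

```python
import math
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int) -> List[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify_file(data: bytes, chunk_size: int = 4096,
                  high: float = 7.5, low: float = 6.0) -> str:
    """Triage a file by the distribution of per-chunk entropy.

    Returns one of:
      "high"  - every chunk looks like ciphertext (or compressed data)
      "mixed" - some chunks look like ciphertext, others like plaintext,
                the pattern partial/intermittent encryption leaves behind
      "low"   - nothing looks encrypted
    Assumed thresholds: >= 7.5 bits is treated as encrypted-looking,
    <= 6.0 bits as plaintext-looking.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "low"
    high_n = sum(1 for e in ents if e >= high)
    low_n = sum(1 for e in ents if e <= low)
    if high_n == len(ents):
        return "high"
    if high_n and low_n:
        return "mixed"
    return "low"


# Constructed sample "file": 4 KiB of English text followed by 4 KiB that contains
# every byte value equally often, standing in for an encrypted region.
TEXT_REGION = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
CIPHER_LIKE_REGION = bytes(range(256)) * 16
PARTIALLY_ENCRYPTED_SAMPLE = TEXT_REGION + CIPHER_LIKE_REGION


if __name__ == "__main__":
    for label, blob in (("text only", TEXT_REGION),
                        ("cipher-like only", CIPHER_LIKE_REGION),
                        ("text + cipher-like", PARTIALLY_ENCRYPTED_SAMPLE)):
        ents = ", ".join(f"{e:.2f}" for e in chunk_entropies(blob, 4096))
        print(f"{label:20s} chunks=[{ents}] -> {classify_file(blob)}")
```

Treat a "mixed" result as a lead, not proof: archives, images and other compressed formats are naturally high-entropy, and a file that is mostly plaintext with one compressed blob embedded looks the same to this check, so confirm with the appended file-name marker and the ransom note the article mentions before concluding a file was encrypted.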

 
