Here we are again, sharing the latest in cybersecurity to help paint a picture of the persistent challenges and how you can stay safe. This week, we’ll share news about the exploitation of Twitter features, the FBI’s win over the Blackcat ransomware gang, Xfinity’s significant data breach, and the conviction of an Amazon engineer turned crypto hacker. Ready to dive in? Let’s take a look.

 

Twitter ‘Feature’ Exploited by Crypto Scammers Impersonating High-Profile Accounts

Crypto scammers are abusing a feature on Twitter and using it to promote scams, phony giveaways, and fraud Telegram channels.

A post’s URL (Uniform Resource Locator) on X (formerly Twitter) consists of the account name followed by a status ID. The site loads the post by its status ID alone and does not check that the account name in the URL is valid. In effect, only the ID of the tweet matters, not the account name.

Researchers from the Malware Hunter Team have shown how threat actors use this as a redirection mechanism, crafting URLs that appear to belong to a well-known account but actually lead elsewhere. Threat actors and scammers use such links to promote fake crypto giveaways that take victims to wallet drainers and pump-and-dump Discord channels. You can filter out some of these tweets by turning on the Quality Filter under Settings > Notifications > Filters.

Phishing awareness training often emphasizes the importance of a diligent approach to online safety. The best way to check whether you are heading to a scam site is to compare the account name in the URL with the profile the tweet is actually posted on. If they match, the tweet is legitimate. If not, chances are that you are headed towards a scam. This kind of cross-verification not only helps separate legitimate content from deceptive tricks but also adds an extra layer of phishing protection, promoting a secure online experience.

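One way to implement the cross-check described above, as an added example that is not from the original post. It parses a post URL into the account name and status ID, then compares that name with the handle actually shown on the loaded post (`actual_author`, assumed to be looked up separately, e.g. from the profile the post is displayed on); the hosts list, sample URLs and handles are constructed for the example.

```python
from urllib.parse import urlparse

# Hosts that serve /<account>/status/<id> URLs (assumed list for this example).
STATUS_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com",
                "x.com", "www.x.com"}


def parse_status_url(url):
    """Return (account_in_url, status_id) for a /<account>/status/<id> URL, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in STATUS_HOSTS:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    # Expected shape: ["<account>", "status", "<status_id>"]; trailing segments
    # such as "photo/1" and any query string are ignored.
    if len(parts) < 3 or parts[1].lower() != "status" or not parts[2].isdigit():
        return None
    return parts[0].lstrip("@").lower(), parts[2]


def check_status_url(url, actual_author):
    """Compare the account named in the URL with the handle that really posted the status.

    actual_author is the handle shown on the loaded post (looked up separately).
    Handles are compared case-insensitively, with or without a leading '@'.
    Returns "match", "mismatch" or "unparseable".
    """
    parsed = parse_status_url(url)
    if parsed is None:
        return "unparseable"
    account_in_url, _status_id = parsed
    if account_in_url == actual_author.lstrip("@").lower():
        return "match"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: the URL names a trusted-looking handle, but the status ID
    # belongs to a post by a different account.
    samples = [
        ("https://x.com/BigExchange/status/1234567890123456789", "@bigexchange"),
        ("https://x.com/BigExchange/status/1234567890123456789", "scamacct123"),
        ("https://example.com/BigExchange/status/123", "bigexchange"),
    ]
    for url, author in samples:
        print(f"{check_status_url(url, author):12} {url}  (posted by {author})")
```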
FBI Thwarts Blackcat Ransomware Operation and Develops Decryption Tool

The US DOJ (Department of Justice) shared news that the FBI was able to breach the ALPHV (Blackcat) ransomware gang and obtain decryption keys.

Many of the threat actor group’s Tor negotiation and data leak sites stopped working on 7 December. The DOJ has since explained why: the FBI conducted a law enforcement operation and gained access to the gang’s infrastructure. It monitored the operation for months, obtained decryption keys, and used those keys to help nearly 500 victims recover their data for free, saving about $68 million in ransom demands.

The FBI also seized the gang’s data leak site, which now shows a banner stating that the site was seized in an international law enforcement operation. On Tuesday, the threat actors briefly regained access to their data leak site. Since the FBI holds the private keys too, control of the URL passed back and forth between the threat actors and the FBI multiple times.

This ended when the gang announced the launch of a new Tor URL and threatened to remove all restrictions from their affiliates, allowing them to target critical infrastructure and any organization they choose.

Data Breach Affects 35 Million People, Revealed by Xfinity

Xfinity shared details that threat actors breached its Citrix servers in October and made away with customer information from the system.

Image sourced from artmotion.eu

Citrix released security updates on 25 October 2023 to address a critical vulnerability known as Citrix Bleed (CVE-2023-4966). Mandiant revealed that the vulnerability had been exploited as a zero-day since August 2023. But this is not all.

Xfinity investigated the breach and shared that information was exfiltrated from its systems and that 35,879,455 people were affected. The information taken by the threat actors includes names, contact information, birth dates, secret questions and answers, and the last four digits of customers’ social security numbers.

Xfinity asked all affected people to reset their passwords, and customers have reported receiving password reset requests over the past week. Xfinity did patch the vulnerability, but the stolen data is still out there.

Former Amazon Engineer Admits Guilt in Hacking Crypto Exchanges

A former Amazon security engineer named Shakeeb Ahmed pleaded guilty to hacking and stealing.

The man stole nearly $12.3 million from two crypto exchanges in 2022: Nirvana Finance and an unnamed exchange on the Solana blockchain. Ahmed revealed that he used his blockchain audit and reverse engineering skills to tamper with their smart contracts. He targeted the Solana exchange by manipulating a smart contract so that it accepted false pricing data, generating $9 million in inflated fees.

He later offered to return the funds while keeping $1.5 million, on the condition that law enforcement would not be involved. Afterward, he exploited a loophole in a Nirvana Finance DeFi smart contract and took a flash loan of ANA tokens, buying them at a low price and selling them for a gain of $3.6 million.

Ahmed pled guilty to a computer fraud charge and will compensate his victims with $5,071,074.23. He will also need to forfeit the stolen $12.3 million.
