Malware Fraud, Ubuntu Malware Distribution, Facebook Data Breach – Cybersecurity News [February 12, 2024]

Want to stay a step ahead of the recent threats in cybersecurity? We’re here with our weekly cybersecurity news piece that will help you out. This week, we’ll be covering new Android and iOS malware, malicious use of Ubuntu features, the new Facebook marketplace data breach, the data compromise of Bank of America, and the PlayDapp Gaming platform breach. Check these out to learn how to stay protected.

New Android, iOS’ Gold Pickaxe’ Malware Uses Facial Recognition for Fraud

There is a new iOS and Android trojan that is using a social engineering scheme to dupe victims so they scan their faces and IDs. 

This Gold Pickaxe malware was spotted by Group-IB and is a creation of GoldFactory, a Chinese threat actor group that is also behind Gold Digger, Gold Digger Plus, and Gold Kefu threats. The threat actor has been targeting Asia-Pacific countries, mainly Vietnam and Thailand, and started with social engineering. They approach the victims via phishing or smishing on the LINE app and then trick them into installing fraudulent applications like Digital Pension. These apps are downloaded from a Google Play impersonation website.

On iOS, they direct victims to a TestFlight URL to install the app and lure them into downloading malicious MDM (Mobile Device Management) profiles to take control of their devices. The malware has many advanced capabilities and can also access SMS, navigate file systems, perform screen clicks, and upload recent photos from the album. 

Gold Pickaxe steals images from iOS and Android devices and then tricks the victims into showing their faces on video via social engineering. However, it does not hijack Face ID data. 

Image sourced from shiksha.com

Malicious Use of Ubuntu’s ‘command-not-found’ Feature to Distribute Malware

Ubuntu’s command-not-found package has a logic flaw that could allow threat actors to push malware packages into the system.

The loophole was discovered by researchers at Aqua Nautilus who highlighted that 26% of the APT (Advanced Package Tool) commands are at risk of impersonation by malicious packages. This could pose a huge supply chain risk for Linux and WSL. The Python script is used for suggesting packages to allow you to run programs that are not currently installed on the system. The suggestion relies on an internal database of APTs and one from the Snap Store that is updated regularly.

The researchers showed how easy it is for threat actors to publish malicious scripts to the snap store, which would come into the database and cause all kinds of harm. The threat actors could also abuse the auto-update feature of snap packages to deliver new and advanced exploits to target new vulnerabilities. 

Snap packages are vulnerable to impersonation through typosquatting, unclaimed names, and mimicking existing APT packages. Attackers can trick users into installing malware disguised as familiar commands. While mitigation steps exist, like user vigilance and developer responsibility, the potential for exploitation remains.

Facebook Marketplace Data Breach: 200,000 User Records Exposed on Cybercrime Forum

A threat actor leaked records of 200,000 individuals and claimed the data contained sensitive information about users of Facebook Marketplace. 

IntelBroker claims that the partial database was stolen by a person using “algoatson” Discord handle after hacking the device of a Meta contractor. The leaked database is full of PII (Personally Identifiable Information) like names, phone numbers, emails, Facebook IDs, and other profile information. The threat actors can use this information in many attacks, most of all impersonation and phishing. The leaked mobile numbers could be used in SIM swap attacks, allowing the threat actors to steal MFA (Multi-Factor Authentication) codes and hijack the Facebook accounts of the victims. 

The threat actor, IntelBroker became infamous after the breach of DC Health Link that led to a congressional hearing after the threat actors made away with personal data of members of the US House of Representatives. 

Unauthorized Creation of 1.79 Billion Cryptocurrency Tokens in PlayDapp Gaming Platform Breach

Hackers have stolen a private key to mint and steal nearly 1.79 billion PLA tokens that are used within the PlayDapp ecosystem. 

An unauthorized wallet minted 200 million PLA tokens on 9 February 2024, which had a value of $36.5 million at the time. PeckShiled, a blockchain security enterprise that it could be due to a leaked private key. PlayDapp informed its community about the news and transferred all locked and unlocked PlayDapp held tokens to a new wallet.

They also sent an offer of a $1 million white hat reward to the threat actor in exchange for the stolen contracts. The offer was in vain as on 12 February, the threat actor minted 1.59 billion PLA tokens with a value of $253.9 million. The value of the stolen tokens is nearly $290 million, but Elliptic shared that the threat actor would have to sell these below market value – which would impact PLA token holders. 

The platform has suspended deposits and withdrawals on the platform and has frozen the hacker’s wallet on major crypto exchanges to control and mitigate the breach. 

Bank of America Alerts Customers to Data Compromise Following Vendor Attack

Bank of America has warned customers of a data breach that left their personal information exposed following a vendor hack last year.

The PII that has been exposed in the breach contains names, residential addresses, SSNs (Social Security Numbers), birth dates, and financial information such as account and credit card numbers. The bank has not disclosed the number of people affected by the data breach, but a notification highlights that 57,028 people were affected.

IMS (Infosys McCamish Systems) was one of the service providers of the Bank of America that was hacked last year in November when an unauthorized third party accessed its systems. The responsibility for the hack was claimed by the LockBit ransomware gang, who also revealed that they encrypted over 2000 of IMS’s systems during the attack.

They added an IMS entry on a dark web forum highlighting that anyone can buy the 50GB database for a good enough price, and it will be published. The accounting firm handling the data, Ernst & Young, was also exposed during a breach in May 2023 by Clop ransomware. 

No systems of the Bank of America were impacted by the breach, but the data is still out there, and the people are at risk.

These recent incidents underscore the importance of implementing robust phishing protection measures and providing comprehensive phishing awareness training. Stay tuned for further insights.