As technology advances, the risks to personal and corporate security increase, requiring businesses and individuals to remain vigilant in the face of emerging cyber threats. Our Weekly Cybersecurity Bulletin provides a comprehensive overview of the top cybersecurity news from around the world that caused an uproar in the past week, to keep you informed and up-to-date on the latest threats and trends in the industry.
Activision Employee Data Allegedly Leaked by Hacker on Cybercrime Forum
In December 2022, an alleged data breach occurred at American game publisher Activision, with a threat actor posting the stolen data on a hacking forum.
The hackers claim to have obtained the data from the Activision Azure database. The leaked information comprises 19,444 unique records containing full names, phone numbers, job titles, locations, and email addresses of alleged Activision employees.
The data dump is free to all forum members in a text file. The potential data leak was first detected and reported on Twitter by the threat intelligence platform FalconFeedsio.
The appearance of the employee database on the forum has raised concerns about an increased risk of phishing and social engineering attacks on Activision employees. On February 21, 2023, Activision confirmed that it had suffered a data breach in early December 2022 after an HR employee fell prey to a smishing (SMS-based phishing) attempt.
However, the organization maintained that no sensitive employee data, game code, or player data had been accessed, and any leaked details about upcoming game content were already part of public marketing materials.
Data Breach Impacting Ph.D. Applicants Disclosed by Stanford University
Stanford University suffered a data breach in December 2022 and January 2023. During the breach, admission information for the Economics Ph.D. program was downloaded from the university’s website without authorization.
As a result, the university has contacted nearly 900 individuals who submitted personal and health data to its Department of Economics as part of the graduate application process, notifying them that their data was accessed without authorization.
The university stated that the breach occurred due to a misconfiguration of a folder’s settings on the department’s website.
The incident was promptly investigated, and it was discovered that two downloads of the application materials occurred between December 5, 2022, and January 24, 2023. The exposed information includes applicants’ names, dates of birth, home addresses, email addresses, phone numbers, race, ethnicity, citizenship, and gender. No financial or Social Security information was exposed, as these data types were not part of the application files.
After the data breach, Stanford University took several measures to address the situation. They immediately blocked access to the files that were downloaded without authorization. Furthermore, the university investigated and found no evidence to suggest that the accessed information had been misused.
FTC Reports 30% Surge in Fraud Causing $8.8 Billion Loss to Americans in 2022
According to the U.S. FTC (Federal Trade Commission), Americans lost almost $8.8 billion to scams in 2022, a significant increase of over 30% compared to the previous year.
According to the FTC, 2.4 million consumers reported losing money to scammers in 2022, with imposter and online shopping scams being the most common types of fraud reported. The top five fraud categories also included scams involving prizes, sweepstakes, and lotteries; investments; and business and job opportunities.
Investment scams were the leading cause of reported losses, with consumers losing over $3.8 billion in 2022, more than double the reported loss in 2021. Imposter scams were the second-highest category, with reported losses of $2.6 billion, up from $2.4 billion in 2021.
The FTC added 5.1 million consumer reports to its secure online database, the Consumer Sentinel Network, in 2022, with over 1.1 million reports of identity theft filed through the FTC’s IdentityTheft.gov website. Last month, the agency reported that nearly 70,000 people had reported record losses of $1.3 billion to romance scams in 2022.
Consumers can use the FTC’s ReportFraud.ftc.gov website to report fraud attempts and file an identity theft report at IdentityTheft.gov.
Clasiopa Hackers Utilize New Atharvan Malware for Targeted Attacks
According to security researchers, a group of hackers is using a RAT (Remote Access Trojan) named Atharvan to target organizations in the materials research sector.
The hackers are being tracked as Clasiopa by Symantec, a Broadcom enterprise. While Symantec analysts have found a clue indicating an Indian threat actor, little evidence supports any attribution theory. Symantec researchers suggest that Clasiopa may use brute force to gain access to public-facing servers.
Once the hackers have compromised a system, they perform a series of actions: checking the IP (Internet Protocol) address of the breached system, disabling endpoint protection products, deploying malware that scans for specific files and exfiltrates them as ZIP archives, clearing Sysmon logs and Windows event logs to remove traces of malicious activity, and creating a scheduled task to list file names.
In addition to utilizing legitimate software such as Agile DGS and Agile FD signed with outdated certificates, Clasiopa also employs two backdoors: the custom Atharvan and the open-source Lilith RAT. Atharvan is particularly noteworthy as it is a custom backdoor not seen in other attacks.
Clasiopa’s precise goals are currently unclear, although the attacks appear to be motivated by cyber espionage.
Russian Hackers Allegedly Backdoored Ukrainian Government Websites in 2021
This week, multiple government websites in Ukraine were breached by Russian state hackers using backdoors that were planted as far back as December 2021, according to the CERT-UA (Computer Emergency Response Team of Ukraine).
CERT-UA discovered the attacks after a web shell was found on a hacked website on Thursday, which the threat actors used to install additional malware. The web shell was created in December 2021 and was used to deploy backdoors in February 2022. The attackers, tracked as UAC-0056, Ember Bear, or Lorec53, also used the GOST and Ngrok tools to deploy backdoors during the early stages of the attack.
Ukraine’s cybersecurity defense and security agency, SSSCIP, confirmed the attack and stated that SSSCIP, the Security Service of Ukraine, and the Cyber Police are working to isolate and investigate the cyber incident. SSSCIP clarified that the incident had not caused any essential system failures or disruptions that would affect the operation of Ukrainian public authorities.
The cybercrime group behind the attack has been identified as Ember Bear, a gang that emerged in March 2021 and primarily targets Ukrainian entities with backdoors, information stealers, and fake ransomware via phishing emails.
LastPass Breach in 2022 Involved a DevOps Engineer Being Hacked to Steal Password Vault Data
LastPass has provided details regarding a coordinated second attack, during which a hacker accessed and exfiltrated information from Amazon AWS cloud storage servers for over two months.
LastPass disclosed a breach in December where partially encrypted password vault data and customer information were stolen.
The organization has now revealed how the second attack was executed. It combined information stolen in the August breach, data from another breach, and an RCE (Remote Code Execution) vulnerability to install a keylogger on the device of a senior DevOps engineer, who was one of only four employees with access to the decryption keys for LastPass’ encrypted Amazon S3 buckets.
The threat actor successfully installed a keylogger on the engineer’s device by exploiting a third-party media software package vulnerability.
The threat actor then used the employee’s master credentials to access the DevOps engineer’s LastPass corporate vault and exported the native corporate vault entries along with the contents of shared folders. Those folders contained encrypted secure notes holding the access and decryption keys required to reach the AWS S3 LastPass production backups, other cloud-based storage resources, and some critical database backups.
LastPass has since updated its security posture, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding additional logging and alerting, and enforcing stricter security policies.