Cybersecurity has become a constant learning curve, and individuals need cybersecurity awareness to stay protected from the latest cyber attacks and threats to their digital lives. Positive and negative alike, this week’s cybersecurity bulletin covers both ends of the spectrum as it brings you the top cybersecurity news of the past week.


Hackers Breach 219,000 Starbucks Customer Accounts

Starbucks Singapore suffered a data breach, putting the confidential data of 219,675 customers at risk. The news came as a shock when the threat actor behind the attack offered to sell the stolen database on a hacking forum.

The forum’s owner, Pompompurin, backed the validity of the data. This event prompted Starbucks Singapore to send out letters to its clientele to notify them of the data breach, highlighting that the victims’ names, gender, date of birth, mobile number, email, and residential address might be at risk. The data breach affected the customers who used the Starbucks mobile application, and the data seller is rumored to have sold a copy of the database for $3500.

The threat actor plans to sell four more copies of the stolen data, opening Starbucks customers up to phishing, impersonation, social engineering, and scams.


Self-Spreading YouTube Malware Targeting Gaming Videos

There is a new self-spreading YouTube malware targeting gaming videos of individuals playing popular games such as FIFA, Forza Horizon, Final Fantasy, Spider-Man, and Lego Star Wars.

The YouTube malware uploads malicious video tutorials that instruct viewers to download fake cheats and cracks. The video descriptions carry links to these fake cheats, which actually install the malware bundle. Researchers at Kaspersky found that the bundle is a RAR archive carrying RedLine, one of the most widespread information stealers, which targets data stored in victims’ web browsers.

The RAR archive also included a miner to take advantage of high-end gaming PCs of YouTube gamers and streamers by targeting graphics cards to mine cryptocurrency for the threat actors.


The self-propagating mechanism of the malware relies on batch files that run executables to steal the victim’s cookies, download the malicious cheat video, avoid GitHub links that have already been reported, and upload the video to the victim’s YouTube account using the stolen cookies. Streamers and gamers who frequently watch YouTube gaming videos are advised to avoid videos advertising cheats.


Iranian Cyber Criminals Utilize New Sock Puppet Phishing Campaign

An Iranian-aligned cybercriminal group was discovered using a sock puppet phishing campaign. The group, TA453, utilized a multi-persona impersonation technique to employ social engineering and boost the trustworthiness of phishing emails.

The threat actors impersonated journalists and medical professionals to target academics, policy experts, and healthcare professionals, using fake personas to start unsolicited email conversations. The multi-persona impersonation approach kicked in when the initial email was CC’d to other fake personas, who joined the conversation later to lend it credibility and cloud the targets’ judgement.

The email conversations often ended with a phishing link to OneDrive documents that downloaded files laced with malicious macros. Korg, the name given to the download template, is a sophisticated malicious payload that utilizes its macros to gather and exfiltrate information from the user’s devices.

The sock puppet campaign was analyzed by Proofpoint, which points out that the exfiltrated data has not been misused so far, suggesting the possibility of future harm or another wave of activity from the cybercriminals.


The US Recovers $30 Million in Crypto from Lazarus Hackers

The United States government recovered $30 million in cryptocurrency with the help of blockchain specialists and the FBI (Federal Bureau of Investigation). The recovered amount had been stolen by Lazarus, a North Korean cybercriminal group, from the popular P2E (Play to Earn) game Axie Infinity.

The news was announced at the AxieCon event, where the recovery was highlighted as a community achievement and the result of expert collaboration between government and private entities. Lazarus members followed a five-stage approach to launder the crypto stolen from the platform: sending it to intermediary wallets, mixing the stolen Ether in batches with Tornado Cash, swapping it for Bitcoin, and mixing the Bitcoin in batches once more.

Chainalysis’ Crypto Incident Response team also played a role in recovering the stolen assets, as it was able to trace the chain-hopping mechanism. The government used advanced tracing techniques to follow the $30 million in crypto to cash-out points and quickly froze the funds once they were discovered.

An estimated $620 million was stolen by Lazarus as part of its hack. However, the event has established that crypto is not simple to launder or cash out. The recovered money will gradually circulate back into Axie Infinity’s treasury and its community.


Greek Taxpayers Targeted by Phishing Links with Keyloggers

Greek individuals are targeted by a unique phishing campaign impersonating the official tax refund platform. The phishing page is identical to the official one and has an embedded keylogger that supplies victims’ credentials to the threat actors.

The threat actors initiate an email thread impersonating the Hellenic Tax Office about a tax return amount. The email carries a phishing link to one of multiple crafted URLs (Uniform Resource Locators) that take the victim to a fake portal designed to collect beneficiary bank account details, which the email claims are required because of validation issues.

The phishing page lists seven major Greek banks and takes the user to a further phishing page depending on the selection. These pages are fake login portals themed after the chosen bank and include a JavaScript keylogger that captures every keystroke and sends it to the threat actor’s server.

The keylogger approach lets the threat actors steal login credentials in real time, even if the victim never submits the login form. Greek users should watch out for unsolicited tax return emails asking them to add beneficiary account details, and report them.


Classified NATO Documents on the Dark Web

The EMGFA (Armed Forces General Staff Agency) of Portugal, the central agency that controls, plans, and operates the armed forces of Portugal, suffered a severe cyberattack.

American cyber-intelligence agents were the first to identify the sale of NATO documents on the dark web for interested parties. The news was conveyed to the US embassy in Lisbon, which tipped the Portuguese about the data breach, following which Portugal’s GNS (National Security Office) and national cybersecurity center deployed a team to aid the EMGFA in a complete network scan to identify the threat.

The NATO documents offered for sale on the dark web were reported by a local news channel, which validated the information through unnamed sources describing the leaked documents as being of “extreme gravity.”

The EMGFA has not released any official statement on the data breach. Still, experts believe it was a prolonged and undetected attack in which the threat actors used bots programmed to find documents of a specific nature and steal them.


200,000 Accounts Compromised in Corporate Credential Stuffing Attack

The North Face, an apparel business, suffered a credential stuffing attack that compromised the accounts of nearly 200,000 individuals.

The threat actors used login credentials leaked in prior data breaches to attack individuals who had reused the same password for their North Face accounts. Hackers were able to steal the victims’ full names, mobile numbers, gender, account creation date, order history, loyalty points, and billing and shipping information.

Since the brand does not store credit card information, the financial information of its clientele is safe. However, this is the second time that North Face has suffered a credential stuffing attack, the prior one occurring in 2020.


The North Face issued a notification to inform its customers about the breach. It has asked everyone to reset their passwords and remain vigilant for phishing attacks from email senders impersonating its staff members.
