Cybersecurity has become an ever-increasing challenge, with new ransomware, malware, data breaches, and other cyber threats routinely targeting the digital world and personal data. To stay protected, it is best to keep up with the latest in cybersecurity. From stolen crypto to credit card fraud, and from phishing campaigns to state-sponsored attacks and ransomware, here are the top cybersecurity headlines of this week.


Credit Card Fraud: Multi-Million Dollar Operation Exposed

Researchers at ReasonLabs discovered a credit card fraud campaign that siphoned millions from credit cards. The campaign was run through a suite of fake online dating and customer support websites, thought to be operated by Russian cybercriminals.

The credit card fraud campaign has been going on since 2019, with the threat actors employing two types of campaigns. These fake websites were registered to non-existent emails and corporations and served as money laundering channels.

The threat actors added 24/7 chat support and working telephone lines to make the fake portals look legitimate, employed APIs (Application Programming Interfaces), and used dark web credit card dumps to siphon money. They used generic merchant names to blend in with normal spending habits and charged small amounts and recurring payments.

ReasonLabs revealed that most of the victims of this credit card fraud campaign are from the United States and their researchers have identified and reported 275 such fake websites to law enforcement, payment processors, and multiple services. But the fact that such a sophisticated credit card fraud campaign went unnoticed for over 2 years raises questions about the security of financial giants and the state of cybersecurity.


Threat Actors Target Microsoft Exchange Server with OAuth Malware and Phishing

Microsoft Exchange Server was targeted in an OAuth-based phishing email campaign. The threat actors gained access to the cloud tenants hosting the Exchange servers through credential stuffing, then deployed malicious OAuth applications and launched phishing from them.

The threat actors initiated the attack with a credential-stuffing campaign targeting high-risk accounts with MFA (Multi-Factor Authentication) disabled. The attacks leveraged admin accounts for initial access into the cloud tenants, allowing the attackers to create malicious OAuth applications. These applications tampered with the email server by adding an inbound connector, which was then used to set up rules that let the phishing emails evade detection.


Furthermore, the rules and connector were removed intermittently for additional evasion. However, the OAuth application could remain dormant on the account, so it could easily be used to add new connectors for each attack wave.

This approach allowed the threat actors to launch waves of phishing emails through the Microsoft Exchange Server, luring recipients with sweepstakes claims in order to harvest financial information. Amazon SES and Mailchimp were the most prominent services used to send the emails in bulk, and Microsoft revealed that the threat actor has been running phishing campaigns with this approach for multiple years.
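As an added defensive example (not from the original article or from Microsoft's report), the following Python hunts for the pattern described above, an inbound connector created and removed again within a short window, plus any transport rules the same actor added while it existed. The audit records are constructed, and their field names are a simplified assumption rather than the real Office 365 audit schema.

```python
"""Flag short-lived Exchange Online inbound connectors and the transport rules
created while they existed. Added defensive example, not from the original post.
The records below are constructed to resemble Exchange admin audit entries; the
field names (time, op, actor, object) are a simplified assumption."""
from datetime import datetime

# Constructed sample audit records (ISO-8601 UTC timestamps). The cmdlet names
# in "op" are real Exchange Online cmdlets that appear in the admin audit log.
AUDIT_LOG = [
    {"time": "2022-09-20T01:02:00Z", "op": "New-InboundConnector",
     "actor": "app-7f3c@tenant.example", "object": "Inbound-Relay-1"},
    {"time": "2022-09-20T01:05:00Z", "op": "New-TransportRule",
     "actor": "app-7f3c@tenant.example", "object": "Skip spam filtering"},
    {"time": "2022-09-20T06:40:00Z", "op": "Remove-InboundConnector",
     "actor": "app-7f3c@tenant.example", "object": "Inbound-Relay-1"},
    {"time": "2022-09-21T09:00:00Z", "op": "New-InboundConnector",
     "actor": "admin@tenant.example", "object": "Partner-MX"},
    {"time": "2022-09-22T15:00:00Z", "op": "New-TransportRule",
     "actor": "admin@tenant.example", "object": "Legal disclaimer"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def short_lived_connectors(records, max_lifetime_hours=24):
    """Return (connector, actor, lifetime, [rule names]) for every inbound
    connector that was created and removed within max_lifetime_hours, together
    with the transport rules the same actor created while the connector existed.
    A connector that is still present (Partner-MX above) is never flagged."""
    created = {}  # connector name -> (actor, creation time)
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["op"] == "New-InboundConnector":
            created[rec["object"]] = (rec["actor"], _ts(rec["time"]))
        elif rec["op"] == "Remove-InboundConnector" and rec["object"] in created:
            actor, start = created.pop(rec["object"])
            end = _ts(rec["time"])
            if (end - start).total_seconds() <= max_lifetime_hours * 3600:
                rules = [r["object"] for r in records
                         if r["op"] == "New-TransportRule"
                         and r["actor"] == actor
                         and start <= _ts(r["time"]) <= end]
                findings.append((rec["object"], actor, end - start, rules))
    return findings

if __name__ == "__main__":
    for name, actor, life, rules in short_lived_connectors(AUDIT_LOG):
        print(f"{name} by {actor} lived {life}; rules added meanwhile: {rules}")
```

On the constructed log this flags only Inbound-Relay-1 (alive for 5h38m) together with the "Skip spam filtering" rule, while the long-lived Partner-MX connector is left alone.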


$162 Million Stolen From Crypto Market Maker

Wintermute, a digital asset trading enterprise, was hacked, with the threat actors making off with $162.2 million. Wintermute remains solvent with over $300 million in equity but will likely suffer service disruptions until the security sweep is complete.

Wintermute’s CEO, Evgeny Gaevoy, has not revealed the details of the hacking incident. Still, crypto experts worldwide have speculated that the most likely scenario is the exploitation of a Profanity bug that was disclosed a few weeks prior to the hack. Profanity allows individuals to generate Ethereum vanity addresses that can contain some predefined strings to personalize portions of an address.

The private keys of 7-character vanity addresses could easily be cracked with a brute-force approach using 1000 GPUs for only 50 days. With Ethereum 2.0 rendering mining equipment obsolete, hackers could have used crypto-mining farms for such a powerful attack. The hacker’s wallet address has been identified. Currently, it holds $48.7 million in crypto, with the rest of the funds resting in Curve Finance’s liquidity pool, where they will be challenging to identify or freeze.

Until Wintermute reveals the details of the attack, it’s all speculation. However, Gaevoy has stated that the platform is ready to treat the incident as a “white hat” event and is prepared to pay the threat actors a bounty for revealing the vulnerability.


Albanian Government Network Spied On for 14 Months, Says FBI

The Albanian government’s network was spied on for roughly 14 months, according to the FBI (Federal Bureau of Investigation) and CISA (Cybersecurity and Infrastructure Security Agency).

The FBI and CISA released a joint advisory sharing details of Iranian state cyber actors who accessed the Albanian government network and surveyed it for nearly 14 months before launching a destructive attack in July 2022 that combined ransomware for file encryption with malware for wiping hard drives.

The Iranian threat group HomeLand Justice was behind the attack. It did not stay dormant within the network, regularly exfiltrating email content. The threat actors used compromised Microsoft Exchange credentials for initial access and conducted lateral movement, reconnaissance, and credential harvesting as a precursor to the July attack.

The threat actors also left anti-Mujahideen E-Khalq (MEK) messages on compromised systems. Following the attack, Albania announced that it had severed all diplomatic relations with Iran, with the US also blaming Iran. The cybercriminals launched another wave of malware attacks this September as retaliation.


New York Racing Association Under Hive Ransomware Attack

The Hive ransomware group is responsible for another attack, this time on the NYRA (New York Racing Association). Hive has previously targeted the French telecom Altice, Bell Canada’s subsidiary BTS, and healthcare services in Costa Rica.

NYRA suffered a ransomware attack on 30 June 2022. The attack encrypted NYRA systems and allowed the threat actors to access the personal data of NYRA customers. Because the systems were encrypted, NYRA could not review which personal data was affected. However, NYRA released a data breach notification to its customers stating that the accessed data contained various personal information, including social security numbers, health insurance information, health records, and driver’s license information.

Since the threat actors were able to access PII (Personally Identifiable Information) and PHI (Protected Health Information), NYRA is working with federal law enforcement agencies and has hired a private cybersecurity team following the Hive ransomware attack. Furthermore, NYRA has offered its customers a 2-year membership of Experian’s IdentityWorks for identity monitoring and identity theft resolution, which can be redeemed before 25 November 2022.


Russian State-Sponsored Hackers Masquerading as Ukrainian Telecoms To Spread Malware

Sandworm, a Russian state-sponsored hacking group, has been masquerading as Ukrainian telecommunication providers to target victims with malware. The US has attributed Sandworm as a state-backed threat and revealed that it is part of the GRU, Russia’s foreign military intelligence service.

Sandworm has been involved in multiple attacks this year, a significant one being Cyclops Blink, a botnet deployed against Ukrainian energy infrastructure. The recent telecoms campaign by the threat actors was reported by Recorded Future, which observed the rise of Sandworm’s C2 (Command and Control) infrastructure.


The threat actors deployed dynamic DNS (Domain Name System) domains disguised as Ukrainian telecommunication providers. Once a victim opens the domain, the webpage automatically downloads an encoded ISO file that contains malware. Using these ISO files, the threat actors deployed the Colibri Loader and the Warzone Remote Access Trojan onto critical systems in Ukraine.

The Warzone Remote Access Trojan rose to popularity in 2019 and is adept at evading tracking and attribution. The malware includes notable features such as bypasses, hidden remote desktops, credential and cookie theft capabilities, live keyloggers, a reverse proxy, and process management, making it a significant threat.
