Threat actors keep developing new tools and techniques to target organizations worldwide. This week’s top cybersecurity news covers a new double extortion tool used by a BlackByte affiliate, why Google is being sued in Texas, the FBI’s warning to US student loan borrowers, a cyber espionage campaign against Asian online casinos, 2.2 million stolen MyDeal customer records, and OldGremlin targeting Russian organizations with Linux ransomware.

New Double Extortion Tool by BlackByte Ransomware

One of BlackByte’s ransomware affiliates has been using “ExByte,” a new double extortion tool designed to steal data from compromised Windows devices.

Security researchers at Symantec discovered the ExByte data exfiltration tool. When executed, the tool performs anti-analysis checks for the presence of a sandbox, debuggers, and anti-virus processes. It then sends the exfiltrated data to the threat actor’s Mega cloud storage account.

Like the BlackByte ransomware itself, ExByte checks for analysis-related DLL (Dynamic Link Library) files and reviews the running processes. Once those checks come back clean, it enumerates the files on the victim’s system and uploads them to Mega cloud storage using hardcoded account credentials.
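The defensive counterpart to the behaviour described above is to watch for large outbound transfers to Mega from internal hosts. The following is an added example (not Symantec’s analysis or ExByte code): it parses constructed web-proxy log lines, sums the bytes each internal host sent to Mega’s domains, and flags hosts over a volume threshold. The log format, the domain list and the 50 MiB threshold are assumptions for illustration.

```python
"""Hunt for bulk uploads to Mega in web-proxy logs.

Added example, not Symantec's analysis or ExByte code. The log format and the
byte threshold are constructed for illustration; adapt the parser to your proxy.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Registrable domains used by the Mega service (constructed list; extend it
# with other file-sharing services your environment does not sanction).
EXFIL_DOMAINS = {"mega.nz", "mega.co.nz", "mega.io"}

# Bytes one internal host may send to those domains before we alert (50 MiB).
UPLOAD_THRESHOLD = 50 * 1024 * 1024

# Constructed proxy log lines: timestamp src_ip method url bytes_sent bytes_received
SAMPLE_LOGS = """\
2022-10-21T09:00:01Z 10.0.4.17 GET https://www.example.com/index.html 512 20480
2022-10-21T09:00:05Z 10.0.4.17 POST https://g.api.mega.co.nz/cs?id=1 15728640 200
2022-10-21T09:00:09Z 10.0.4.17 POST https://gfs1.userstorage.mega.co.nz/ul/abc 41943040 200
2022-10-21T09:00:15Z 10.0.4.23 GET https://mega.nz/ 800 4096
2022-10-21T09:00:20Z 10.0.4.17 POST https://gfs1.userstorage.mega.co.nz/ul/abc 20971520 200
"""


def matches_domain(host: str) -> Optional[str]:
    """Return the watched registrable domain that `host` falls under, if any.

    Walks the label suffixes so that a sub-domain such as
    gfs1.userstorage.mega.co.nz maps to mega.co.nz.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in EXFIL_DOMAINS:
            return candidate
    return None


def parse_line(line: str) -> Tuple[str, str, int]:
    """Parse one constructed log line into (src_ip, host, bytes_sent)."""
    _ts, src, _method, url, sent, _recv = line.split()
    host = urlsplit(url).hostname or ""
    return src, host, int(sent)


def find_bulk_uploads(
    log_text: str, threshold: int = UPLOAD_THRESHOLD
) -> List[Tuple[str, int, Tuple[str, ...]]]:
    """Sum bytes each internal host sent to watched domains; flag hosts at or over threshold.

    Returns (src_ip, total_bytes_sent, domains) tuples, largest volume first.
    """
    totals: Dict[str, int] = defaultdict(int)
    domains: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, host, sent = parse_line(line)
        domain = matches_domain(host)
        if domain is None:
            continue
        totals[src] += sent
        domains[src].add(domain)
    hits = [(src, total, tuple(sorted(domains[src])))
            for src, total in totals.items() if total >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for src, total, doms in find_bulk_uploads(SAMPLE_LOGS):
        print(f"{src} sent {total / 2**20:.1f} MiB to {', '.join(doms)}")
```

Volume alone is a coarse signal, so in practice this would be one input to a rule that also looks at time of day, whether the destination is sanctioned for that host, and whether the upload was preceded by broad file enumeration on the endpoint.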

BlackByte has been active since 2021 and has breached a wide range of organizations, including US critical infrastructure. ExByte is part of a broader trend: with data theft now central to ransomware extortion, operations such as ALPHV and LockBit have also been building dedicated exfiltration tools, and defenders need to account for this innovation in threat tactics.

Google Sued for Collecting Biometric Data Without Consent

The Attorney General of Texas, United States, has sued Google for collecting and using the biometric data of millions of Texas residents without their consent.

Attorney General Ken Paxton alleges that Google uses products and services including Google Photos, Google Assistant, and the Nest Hub Max to collect biometric data, and that the company has been gathering voiceprints and face geometry records since 2015, in violation of the Texas biometric privacy law, the Capture or Use of Biometric Identifier Act.

The act requires organizations to obtain an individual’s consent before collecting biometric identifiers such as retinal scans, fingerprints, voiceprints, or records of hand or face geometry. This is not the first such case: Paxton has also sued Google under the Texas Deceptive Trade Practices-Consumer Protection Act for tracking users’ location data without consent.

The lawsuit could mean financial and reputational losses for Google, one of the most prominent organizations worldwide. Google has previously been fined $2.72 billion for abusing its market dominance and $1.7 billion for anti-competitive online advertising practices.

FBI Warns US Student Loan Debt Relief Applicants of Scams

The FBI (Federal Bureau of Investigation) has released a warning urging applicants to the federal student loan debt relief program to be wary of attempts to steal their information.

The debt relief program was announced in August 2022 and allows eligible borrowers to have $10,000 to $20,000 of federal student loan debt forgiven. With that much money at stake and a large number of borrowers eager to apply, threat actors are likely to set up phishing pages and other fraud channels around it.

The FBI says that applicants’ personal and financial information, and their money, may be at risk, as cybercriminals may contact potential victims through various channels claiming to help them enter the program. With about 45 million borrowers and roughly $1.6 trillion in outstanding loans, borrowers should be careful and apply only on the official website after double-checking the address.

The FBI has clarified that the first phase of the application process does not require account logins, uploaded documents, or financial information. The FTC has also issued a warning that walks through the process and explains how to avoid scammers.

Asian Casino Cyber Espionage Campaign Discovered

DiceyF, a hacking group active in Southeast Asia, has been deploying an attack framework inside online casinos for both financial gain and cyber espionage.

Kaspersky’s security researchers released a detailed report on DiceyF describing how the group has been conducting stealthy cyber espionage and IP (Intellectual Property) theft since November 2021. The threat actors are believed to be of Chinese origin, owing to overlaps with “Operation Earth Berberoka,” a campaign against online gambling sites that Trend Micro disclosed in March 2022.

The attack framework, “GamePlayerFramework,” is malware written in C# that includes payload downloaders, malware launchers, remote access capabilities, keyloggers, clipboard stealers, and plugins. It comes in two branches, Tifa and a more sophisticated one, Yuna. Once loaded, the framework connects to its C2 (Command and Control) server and sends an XOR-encrypted packet every 20 seconds carrying the victim’s credentials, session details, date, and time.
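A fixed 20-second check-in like the one described above is what beacon detection is built to catch: a single compromised host generates thousands of near-identical connections a day with almost no variance between them. The following added example (not Kaspersky’s detection logic or DiceyF code) groups constructed connection records by source and destination, computes the inter-connection gaps, and flags flows whose gaps have low relative jitter. The log format, the minimum connection count and the jitter threshold are assumptions.

```python
"""Spot fixed-interval C2 beacons in connection logs.

Added example, not Kaspersky's detection logic or DiceyF code. The log format
and thresholds are constructed; the technique is to measure how regular the
gaps between a host's connections to one destination are.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed connection records: timestamp src_ip dst_ip:port
# 10.0.8.41 checks in every ~20 s; 10.0.8.52 is ordinary, irregular traffic.
SAMPLE_CONNS = """\
2022-10-21T12:00:00Z 10.0.8.41 203.0.113.10:443
2022-10-21T12:00:20Z 10.0.8.41 203.0.113.10:443
2022-10-21T12:00:40Z 10.0.8.41 203.0.113.10:443
2022-10-21T12:01:00Z 10.0.8.41 203.0.113.10:443
2022-10-21T12:01:20Z 10.0.8.41 203.0.113.10:443
2022-10-21T12:01:41Z 10.0.8.41 203.0.113.10:443
2022-10-21T12:00:03Z 10.0.8.52 198.51.100.7:443
2022-10-21T12:00:35Z 10.0.8.52 198.51.100.7:443
2022-10-21T12:02:10Z 10.0.8.52 198.51.100.7:443
2022-10-21T12:02:14Z 10.0.8.52 198.51.100.7:443
2022-10-21T12:05:50Z 10.0.8.52 198.51.100.7:443
2022-10-21T12:06:02Z 10.0.8.52 198.51.100.7:443
"""


def parse_conns(log_text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (src, dst) flow."""
    flows: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def find_beacons(
    log_text: str, min_connections: int = 5, max_jitter: float = 0.1
) -> List[Tuple[str, str, float, int]]:
    """Return (src, dst, median_gap_seconds, connection_count) for regular flows.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a hardcoded sleep interval keeps it close to zero,
    while human-driven traffic scatters it well above the threshold.
    """
    beacons = []
    for (src, dst), times in parse_conns(log_text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons.append((src, dst, statistics.median(gaps), len(times)))
    return sorted(beacons)


if __name__ == "__main__":
    for src, dst, gap, count in find_beacons(SAMPLE_CONNS):
        print(f"{src} -> {dst}: {count} connections, median gap {gap:.0f} s")
```

Real implants often add random sleep jitter to defeat exactly this check, so production rules widen the tolerance, look at the distribution of gaps over a long window, and combine the timing signal with destination rarity and payload size consistency.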

The DiceyF group has shown strong evasion skills and technical capacity with this framework. That the malware went undetected for so long raises questions about the defensive posture of its targets and shows how quickly cybercriminals move against them.

2.2 Million MyDeal Customer Records Up for Sale

MyDeal, a subsidiary of Woolworths, has disclosed a data breach that led to the attacker putting the records of 2.2 million customers up for sale on a hacker forum. MyDeal is a retail marketplace for Australian shoppers in which Woolworths acquired an 80% stake in September.

The breach occurred when a threat actor accessed the organization’s CRM (Customer Relationship Management) system using compromised login credentials. The attacker was able to view and export data on 2.2 million customers, including names, email addresses, delivery addresses, phone numbers, and in some cases dates of birth. MyDeal clarified that for 1.2 million of those customers only the email address was exposed, and assured its clientele that no financial information, government IDs, or account credentials were disclosed.

The leaked data can expose individuals to spear-phishing campaigns and be used for fraud, impersonation scams, or identity theft. The threat actor has posted the stolen records of 1 million customers on a hacker forum for $600, claims more records will follow once the database has been parsed, and has posted screenshots of MyDeal’s Confluence server and of the login page for its AWS account.

The threat actor has already released the personal information of 286 customers. MyDeal has begun its incident response and has sent data breach notifications to the affected customers. Even though no passwords were exposed, it would be prudent to change your MyDeal account password and enable MFA (Multi-Factor Authentication).

Russian Organizations Targeted by OldGremlin via Linux Ransomware

OldGremlin has been attacking Russia’s corporate networks and has added file encryptors to its Linux malware.

One of the few ransomware gangs targeting Russia, OldGremlin has been active since March 2020. Using its own custom malware, it has targeted Russia’s logistics, industrial, insurance, real estate, software development, and banking sectors. OldGremlin, also tracked as TinyScouts, is known for running a handful of ransomware campaigns a year with million-dollar ransom demands. In 2022 the gang launched five campaigns, with the highest ransom demand reaching $16.9 million.

Researchers at Group-IB tracked the gang and its tactics and discovered its malware for Linux systems. The encryptor uses AES in CBC mode to encrypt files and is packed with UPX (the Ultimate Packer for eXecutables). The threat actor breaches Russian organizations through phishing emails whose malicious documents lead the victim to download the initial payload from a file-sharing service. It then drops a Node.js backdoor for remote access and dwells in the network for around 50 days collecting information before deploying the ransomware.
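Packing with UPX, as described above, is one of the first things a triage step can check for on a suspicious Linux binary: stock UPX leaves a “UPX!” magic in the packed file, and even when that marker has been stripped by a modified packer, the compressed payload keeps the file’s byte entropy near the 8-bit ceiling. The following added example (not Group-IB’s tooling or OldGremlin code) checks an ELF sample for both indicators. The samples are constructed byte strings rather than real binaries, and the 7.2 bits-per-byte entropy threshold is an assumption.

```python
"""Triage an ELF sample for packing: UPX marker plus byte entropy.

Added example, not Group-IB's analysis or OldGremlin code. The samples are
constructed byte strings, not real malware, and the entropy threshold is a
working assumption rather than a published constant.
"""
import math
from collections import Counter
from typing import Dict

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # magic that stock UPX writes into its packed-file header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((count / n) * math.log2(count / n) for count in Counter(data).values())


def triage(sample: bytes, entropy_threshold: float = 7.2) -> Dict[str, object]:
    """Report packing indicators for one sample.

    The UPX marker is a cheap, precise signal but trivially removed by a
    modified packer; high entropy over the whole file is the fallback because
    the compressed payload cannot hide its randomness.
    """
    entropy = shannon_entropy(sample)
    has_marker = UPX_MARKER in sample
    return {
        "is_elf": sample.startswith(ELF_MAGIC),
        "upx_marker": has_marker,
        "entropy": round(entropy, 2),
        "likely_packed": has_marker or entropy >= entropy_threshold,
    }


# Constructed samples. The 12 bytes after the magic stand in for the rest of
# the ELF identification header (64-bit, little-endian, current version).
_HEADER = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
# Uniformly distributed bytes mimic a compressed payload.
PACKED_SAMPLE = _HEADER + UPX_MARKER + bytes(range(256)) * 16
# Same payload with the marker stripped, as a modified UPX build would leave it.
STRIPPED_PACKED_SAMPLE = _HEADER + bytes(range(256)) * 16
# Readable strings keep an unpacked binary's entropy far lower.
PLAIN_SAMPLE = _HEADER + b"This is an unpacked binary with readable strings. " * 40


if __name__ == "__main__":
    for name, sample in [("packed", PACKED_SAMPLE),
                         ("stripped", STRIPPED_PACKED_SAMPLE),
                         ("plain", PLAIN_SAMPLE)]:
        print(name, triage(sample))
```

In an investigation this check would run over the files dropped in the dwell period as well as the encryptor itself, and a positive result is the cue to unpack the sample (stock UPX will do it with `upx -d` when the marker is intact) before looking for the AES routine and the ransom note.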

OldGremlin has been behind 16 cyber attacks and has debunked the myth that ransomware groups avoid Russian organizations. Given the sophistication of its toolkit, organizations everywhere should stay on guard and deploy anti-phishing measures, since phishing remains the gang’s way in.