Sifting through the most recent cybersecurity-related news may seem daunting, and keeping up with the latest developments is arduous. However, the WatchGuard Threat Lab is happy to filter through the latest cybersecurity news and highlight some stories we believe are important, noteworthy, or interesting. The goal is to focus on a few recent cybersecurity-related stories, briefly discuss them, and then provide relevant references to research each topic further. Here are the reports.
1) (More) Malvertising via Google Ads
Last week, we briefly discussed a noticeable increase in malvertising via malicious Google Ads. One of the first discoveries was because an NFT collector attempted to download OBS, a streaming software, via Google search. Instead, the user downloaded a novel information stealer named Rhadamanthys. Well, that isn’t the only malware that has ubiquitously taken over Google Ads. Researchers have observed malvertising campaigns for Redline Stealer, Racoon Stealer, Vidar, Ursnif, Cobalt Strike, and even initial access for ransomware. These campaigns impersonate well-known software such as Slack, Zoom, AnyDesk, VLC, 7-Zip, FileZilla, WinRAR, TradingView, Notepad++, and many others. You can see more about these campaigns and impersonated software in the references below.
References:
- https://www.secplicity.org/2023/01/18/cybersecurity-news-malvertising-ransomware-and-alleged-irs-breach/
- https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-use-google-ads-to-breach-your-network/
- https://www.helpnetsecurity.com/2023/01/18/google-ads-increasingly-pointing-to-malware/
- https://thehackernews.com/2022/12/new-malvertising-campaign-via-google.html
- https://techmonitor.ai/technology/cybersecurity/malvertising-google-ads-malware
- https://twitter.com/vxunderground/status/1617826891209281536?cxt=HHwWgMDU6Yy_1vMsAAAA
- https://www.extremetech.com/computing/342464-hackers-buy-google-ads-to-push-malware-through-searches-for-popular-apps
2) Riot Games Breached
On January 20th, the Riot Games Twitter account tweeted that a social engineering attack had impacted their development environment and, thus, would affect future releases in the short term. Riot Games also insisted that everyone should be patient while they gather more information about the. Four days later, Riot Games fulfilled their promise and explained the situation in a follow-up tweet. They explained that they had received a ransom email demanding payment for the exfiltrated data. Data that allegedly included source code.
The very same day, the alleged attacker, ArkaT, posted their ill-gotten gains on BreachForums, a forum commonly used by hackers, leakers, and cybersecurity enthusiasts. This auction, shown in the picture below, is claimed to have source code for League of Legends (LoL), Valorant, and Packman, Riot Games’ anti-cheat software. The auction starts at $1 million, and the current price is the same. Based on responses from users in the forum, the asking price is too high. So, we will see how this unfolds in the coming days and weeks.
References:
- https://therecord.media/riot-games-to-pause-updates-after-social-engineering-attack/
- https://therecord.media/riot-games-receives-ransom-email-for-stolen-source-code-following-social-engineering-attack/
- https://twitter.com/riotgames/status/1616548651823935488
- https://twitter.com/riotgames/status/1617900234734198787
- https://breached.vc/Thread-Selling-League-of-Legends-Source-code-Auction
3) T-Mobile Breached (Again)
Unfortunately, T-Mobile was the victim of yet another security incident. According to a United States Security Exchange Commission (SEC) Form 8-K filing and a memo distributed by T-Mobile, 37 million accounts were affected and had information stolen. The breach occurred due to a threat actor abusing an API to obtain account information. This data does not include financial and sensitive information. This isn’t the first T-Mobile breach, and also isn’t the first T-Mobile breach because of an API flaw. The WatchGuard Threat Lab has noted at least seven other incidents related to T-Mobile dating back to 2009. Two (now three) have been due to API abuse or flaws. These three incidents and the others are listed below.
2009 – A disgruntled employee sold customer records to rivals.
2012 – TeaMp0isoN claims to have breached T-Mobile web servers that affected employees but not customers.
2013 to 2015 – Experian breach that affected 15 million T-Mobile applicants who had their credit history pulled to apply for T-Mobile services between September 2013 and September 2015.
2017 – A security researcher contacted T-Mobile about an API bug exploit ubiquitously observed in the wild.
2018 – 2 million affected customers’ non-sensitive data exposed through API.
2021 – 76.6 million customers were affected by a security breach, according to the official court settlement from Missouri’s Western District Court.
2022 – LAPSUS$ breached T-Mobile multiple times in March of 2022 and stole source code.
2023 – 37 million accounts were affected when an attack abused an API flaw.
References:
- 2009 Incident:
- 2012 Incident:
- 2013-2015 Incident:
- 2017 Incident:
- 2018 Incident:
- 2021 Incident:
- https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation
- https://www.t-mobile.com/news/network/cyberattack-against-tmobile-and-our-customers
- https://www.t-mobile.com/news/business/statement-on-proposed-settlement
- https://storage.courtlistener.com/recap/gov.uscourts.mowd.161283/gov.uscourts.mowd.161283.157.1.pdf
- 2022 Incident:
- 2023 Incident:
4) North Korean Group, Lazarus Group, Steals $100 Million From Crypto Bridge – Horizon Bridge
On June 23, 2022, the Harmony blockchain tweeted that a theft occurred on their Horizon Bridge service amounting to $100 million. Last week, the FBI had a press release indicating the threat actors responsible for the robbery were none other than the Lazarus Group (APT38), a group associated with North Korea. Once they stole the funds, they used RAILGUN, a privacy blockchain, to launder the stolen Ethereum (ETH). Malicious actors on the blockchain use currency “mixers” to make their cryptocurrency harder to trace. You may remember the U.S. Treasury sanctioned the most famous mixer, Tornado Cash, because the Lazarus Group was using it to launder other ill-gotten gains related to the $615 million cryptocurrency heist of the Ronin Network. Before this breach, North Korean hackers had stolen an estimated $1.2 billion in cryptocurrency since 2017. This appears to be another chapter in a novel that is nowhere near ending.
References:
- https://twitter.com/harmonyprotocol/status/1540110924400324608
- https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft
- https://home.treasury.gov/news/press-releases/jy0916
- https://hub.elliptic.co/analysis/the-100-million-horizon-hack-following-the-trail-through-tornado-cash-to-north-korea/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-108a
- https://www.cnbc.com/2022/04/15/ronin-hack-north-korea-linked-to-615-million-crypto-heist-us-says.html
- https://decrypt.co/117857/north-korean-hackers-have-stolen-1-2b-crypto-since-2017
- https://decrypt.co/118031/north-korea-linked-lazarus-group-poses-as-vc-firms-to-spread-malware
- https://twitter.com/zachxbt/status/1614771861266792449
- https://heimdalsecurity.com/blog/lazarus-hacking-group-uses-new-fake-crypto-app-to-spread-malware/
- https://heimdalsecurity.com/blog/lazarus-hacking-group-spreads-malware-via-bogus-job-offers/
- https://decrypt.co/97887/north-korea-hackers-axie-infinity-ronin
5) Australian-Led Anti-Ransomware Task Force Begins Operations
Australia is the leader in a new 37-country anti-ransomware task force that started last week dubbed “The International Country Ransomware Taskforce (ICRTF)”. The ICRTF is a subsidiary of the Counter Ransomware Initiative (CRI) led by the United States. As the name suggests, the objective of this new entity is to hold ransomware operators accountable no matter where they are, halt laundering schemes to prevent cyber criminals from profiting, disrupt their enablers, and share threat intelligence information. The 37 members of this task force include Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, Czech Republic, Dominican Republic, Estonia, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, Romania, Singapore, South Africa, South Korea, Spain, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States, Ukraine, and the EU. Coincidentally, last week is when the FBI and Europol announced the seizure of the Hive ransomware operation. Perhaps that is a good omen for things in the future.
References:
- https://minister.homeaffairs.gov.au/ClareONeil/Pages/australia-leads-global-task-force-to-fight-ransomware.aspx
- https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/counter-ransomware-taskforce
- https://www.whitehouse.gov/briefing-room/statements-releases/2022/11/01/international-counter-ransomware-initiative-2022-joint-statement/
- https://www.whitehouse.gov/briefing-room/speeches-remarks/2022/10/31/background-press-call-by-a-senior-administration-official-previewing-the-second-international-counter-ransomware-initiative-summit/
- https://www.whitehouse.gov/briefing-room/statements-releases/2022/11/01/fact-sheet-the-second-international-counter-ransomware-initiative-summit/
- https://www.whitehouse.gov/briefing-room/speeches-remarks/2022/11/01/closing-remarks-by-national-security-advisor-jake-sullivan-at-the-counter-ransomware-initiative-summit/
- https://www.state.gov/briefings-foreign-press-centers/update-on-the-international-counter-ransomware-initiative
- https://www.secplicity.org/2023/01/26/law-enforcement-infiltrate-and-seize-hive-ransomware-operation/
6) ACLU Releases Nationwide Arizona Finance Surveillance Documents of American Citizens
On March 8, 2022, U.S. Senator Ron Wyden called for an investigation into the U.S. Immigration and Customs Enforcement (ICE) for allegedly operating a bulk surveillance program in the southwest United States and Mexico. According to the official letter, Wyden states that a Department of Homeland Security (DHS) briefing provided intelligence that ICE was using its customs summons authority to administer subpoenas and collect financial data. The administration of these subpoenas allowed officials to collect “approximately six million records about money transfers above $500, to or from Arizona, California, New Mexico, Texas, and Mexico.” According to Wyden, the Arizona Attorney General (AG) spearheaded the program.
Thanks to a public records request by the American Civil Liberties Union (ACLU), we know that the Transaction Record Analysis Center (TRAC) runs the database for the program. According to the ACLU, the database currently contains 145 million records of financial transactions dating back to 2021 and is believed to be still growing. Even worse, the database is accessible by more than 700 law enforcement entities, both federal and local. Here is a list of those agencies.
References:
- https://www.wyden.senate.gov/imo/media/doc/DHS%20IG%20ICE_HSI%20data%20complaint%20final.pdf
- https://www.aclu.org/public-records-request-az-attorney-general-concerning-bulk-collection-wire-transfer-records
- https://www.aclu.org/press-releases/aclu-raises-alarm-over-arizona-attorney-generals-illegal-financial-surveillance
- https://www.aclu.org/foia-collection/arizona-ag-money-transfer-surveillance-foia-database
- https://www.aclu.org/news/privacy-technology/how-the-arizona-attorney-general-created-a-secretive-illegal-surveillance-program
- https://www.aclu.org/2022-05-02-trac-email-re-data-policy-mou-agency-list