
Cybercrime Diary, Vol. 5, No. 4: Who’s Hacked? Latest Data Breaches And Cyberattacks

Adversaries go phishing, while enterprises pay for the bait

Eli Kirtman

Northport, N.Y. – Jan. 4, 2021

Cybercriminals and nation-state threat actors alike ramped up their tactics in the final quarter of 2020. While unsecured data across industries provided bad actors a treasure trove of opportunity, phishing attacks, malware dissemination, and ransom demands dominated the threatscape.

Major brands and organizations of all sizes and types globally were victims of cybercrime in the latest period covered.

December

Dec. 31. Ticketmaster agrees to pay $10 million fine to escape criminal charges for conspiring to hack its startup rival Songkick. Ticketmaster allegedly infiltrated its rival’s systems to steal seats and dominate ticket sales for concerts by major music acts on tour. U.S. Department of Justice says Ticketmaster employees “repeatedly — and illegally — accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect potential business intelligence.”

Dec. 29. U.K.’s National Crime Agency arrests 21 men on suspicion of Computer Misuse Act and Fraud offenses. The suspects were involved in an online criminal marketplace advertising stolen credentials on the WeLeakInfo website. The site hosted 12 billion stolen credentials compiled from more than 10,000 data breaches. The five-week operation resulted in the seizure of over £41,000 in bitcoin. Evidence suggests the perpetrators had also purchased cybercrime tools such as crypters and remote access Trojans.

Dec. 29. SolarWinds publishes security advisory detailing the SUNBURST and SUPERNOVA threats to its Orion Platform software. SUNBURST — a vulnerability inserted into Orion software — was previously addressed by the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-01. The sophisticated supply chain attack appears to be used in a targeted way, as its exploitation requires manual intervention. A second piece of malware, referred to as SUPERNOVA, is “separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.”

Dec. 28. Japanese automotive giant Kawasaki announces that information from its overseas offices was leaked to external parties. An internal system audit revealed unauthorized access to Kawasaki’s servers in Japan from Thailand, Indonesia, the Philippines, and the U.S. The notification states, “At this time, the company has found no evidence of leaking information to the external network. However, due to the fact that the scope of unauthorized access spanned multiple domestic and overseas offices, it took a considerable amount of time until the company (could) formally announce the incident.”

Dec. 23. Cybersecurity and Infrastructure Security Agency (CISA) alerts that there are initial access vectors other than the SolarWinds Orion platform jeopardizing data security of companies across the nation. One suspected vector is the abuse of Security Assertion Markup Language (SAML) tokens. While CISA is working to confirm initial access vectors and identify any changes in behavior consistent with the adversary, it “expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”

Dec. 22. Bitgrail founder Francesco Firano allegedly participated in a series of hacks to steal nearly $150 million from an estimated 230,000 Bitgrail users, according to Italian authorities in a press release. The investigation revealed that Firano transferred approximately 230 BTC from the exchange to The Rock Trading company in Malta, which he allegedly owns, just three days prior to reporting the theft of 17 million Nano worth almost $150 million.

Dec. 21. Fox Business reports Wall Street Journal (WSJ) identifies at least 24 organizations tainted with SolarWinds’ Orion software. In addition to at least six previously identified federal agencies, the suspected Russian espionage operation has potentially compromised Cisco Systems Inc., Intel Corp., Nvidia Corp., Deloitte LLP, VMware Inc., Belkin International Inc., and other companies including hospitals and universities, according to WSJ’s analysis of internet records. The Journal says it “gathered digital clues from victim computers collected by threat-intelligence companies Farsight Security and RiskIQ and then used decryption methods to reveal the identities of some of the servers that downloaded the malicious code.”

Dec. 18. Cybersecurity and Infrastructure Security Agency (CISA) provides supplemental guidance to mitigate the SolarWinds Orion code compromise. It includes “an update on affected versions, guidance for agencies using third-party service providers, and additional clarity on required actions.”

Dec. 17. New Jersey Cybersecurity and Communications Integration Cell issues Spotify data breach notification. The streaming service provider had a system vulnerability that exposed user data to business partners. Though the data was not accessible to the public, the exposure existed for eight months before it was discovered and could have affected data provided for Spotify account registration, including user email address and password, preferred display name, date of birth, and gender.

Dec. 16. U.S. Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) form a Cyber Unified Coordination Group (UCG) to coordinate a “whole-of-government response” to the SolarWinds Orion software compromise. According to CISA, “The UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities. This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.”

Dec. 14. U.S. government officials and SolarWinds confirm that about 18,000 private and government users — Department of State, Department of Homeland Security, Pentagon, intelligence agencies, nuclear labs, FireEye and other Fortune 500 companies — downloaded the Russian-tainted Orion software update that was originally reported by FireEye in early December. One of Russia’s premier intelligence agencies — believed to be the S.V.R., a successor to the K.G.B. — embedded malicious code in the Orion software made by SolarWinds. Investigators believe the “hackers used multiple entry points in addition to the compromised Orion software update, and that this may be only the beginning of what they find,” according to The New York Times.

Dec. 10. The European Medicines Agency (EMA) reports that regulatory documents related to the COVID-19 vaccine (mRNA) developed by Pfizer and BioNTech were exposed when hackers breached its server. The vaccine, which demonstrated a 95 percent efficacy in clinical trials, was recently authorized for use in the United Kingdom and is under consideration by the U.S. Food and Drug Administration for Emergency Use Authorization.

Dec. 10. U.S. Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center issue advisory regarding numerous reports of ransomware attacks against K-12 educational institutions. The attacks compromise confidential student data and disrupt distance learning services. ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools. The reporting agencies expect these types of attacks to continue through the 2020/2021 academic year.

Dec. 9. Check Point Research designates Phorpiex botnet as the “most wanted malware” in November 2020. According to the security firm’s Global Threat Index for November 2020, the notorious botnet’s infections surged to affect four percent of businesses globally. Its attacks involve an Avaddon ransomware payload, which could be the result of the crypto-malware gang’s growing affiliate program. Check Point explains: “Avaddon is a relatively new Ransomware-as-a-Service (RaaS) variant, and its operators have again been recruiting affiliates to distribute the ransomware for a cut of the profits. Avaddon has been distributed via JS and Excel files as part of malspam campaigns and is able to encrypt a wide range of file types.”

Dec. 8. FireEye succumbs to “the biggest known theft of cybersecurity tools” since the U.S. National Security Agency was hacked in 2016, according to The New York Times. Kevin Mandia, chief executive at FireEye, which is known for finding vulnerabilities in its clients’ systems — including the U.S. Department of Homeland Security and intelligence agencies — says the attackers “tailored their world-class capabilities specifically to target and attack FireEye” and “this attack is different from the tens of thousands of incidents we have responded to throughout the years.” The FBI’s preliminary investigation indicates an actor — likely Russian intelligence agencies — with a high level of sophistication consistent with a nation-state is responsible for the attack.

Dec. 7. Bleeping Computer reports that DoppelPaymer cybergang hits Foxconn Technology Group with ransomware. The gang left the largest electronics manufacturing company in the world a ransom note: “Your network has been hacked and encrypted … Any attempt to recover your files without the encryption tool leads to the data destruction.” The ransom demand: approximately $34,686,000 USD. The threat actor reportedly encrypted 1,200 servers, downloaded 100GB of data, deleted approximately 30TB of data backups, and knocked out some of the firm’s U.S. operations.

Dec. 4. Bleeping Computer reports BlackShadow hacks Israeli insurance company Shirbit for hefty ransom. The adversary warns that the victim has 24 hours to pay 50 bitcoins, approximately $1 million, to retrieve its data; otherwise, the attackers will leak sensitive information every 24 hours until the ransom is paid.

Dec. 3. IBM Security X-Force’s threat intelligence task force reveals global spear-phishing campaign targeting executives at organizations headquartered in Germany, Italy, South Korea, Czech Republic, Europe, and Taiwan. The executives are likely involved in company efforts to support a COVID-19 vaccine cold chain, which is a component of the vaccine supply chain that ensures the safe preservation of vaccines in temperature-controlled environments during storage and transportation. “The precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft,” according to the report.

Dec. 1. Philly’s largest hunger-relief group duped into wiring $923,533 to cybercriminals. Philabundance thought it was paying a construction bill for the completion of its $12 million community kitchen. “Weeks later we realized it was sent to a fraudulent account,” says the organization’s chief executive Loree Jones. The tricksters phished their way into the group’s computer systems and planted controls that blocked legitimate email traffic. They then spoofed an email to mimic the construction company’s invoice. “While I am aware of cybercrime and crime in general, I was disturbed to know that a beloved, respected organization literally feeding people in the midst of a pandemic was preyed on in this way,” says Jones.

November

Nov. 30. U.S. Justice Department sentences Timothy Dalton Vaughn, 22, to ninety-five months in federal prison for a series of cyber and swatting attacks. The black hat member of the “Apophis Squad” — a worldwide collective of computer hackers and swatters — sent bogus cyber-threats of shootings and bombings to schools in the U.S. and U.K. via email, and launched distributed denial-of-service attacks disabling the website of a California-based company that refused to pay a $20,000 USD ransom in 2018.

Nov. 27. INTERPOL National Central Bureau in Abuja, Nigerian Police Force, and Singapore-based cybersecurity firm Group-IB — in an effort collectively dubbed Operation Falcon — coordinate the arrest of three Nigerians believed to be members of organized crime group TMT. The Nigerians — Onwuka Emmanuel Chidiebere, Ikechukwu Ohanedozie, and Onuegwu Ifeanyi — allegedly launched phishing campaigns loaded with malware and spyware to infiltrate and siphon funds from companies in over 150 countries since 2017. The suspects are scheduled to be arraigned in Nigeria.

Nov. 23. U.S. Federal Bureau of Investigation (FBI) identifies nearly 100 spoofed websites imitating the agency’s name, posing potential cyber and disinformation risks. The alert states, “Cyber actors create spoofed domains with slightly altered characteristics of legitimate domains. A spoofed domain may feature an alternate spelling of a word, or use an alternative top-level domain, such as a ‘[.]com’ version of a legitimate ‘[.]gov’ website. Members of the public could unknowingly visit spoofed domains while seeking information regarding the FBI’s mission, services, or news coverage. Additionally, cyber actors may use seemingly legitimate email accounts to entice the public into clicking on malicious files or links.” The FBI urges all members of the American public to be diligent and provides mitigation efforts and guidance for reporting suspicious or criminal activity.
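The alternate-spelling and alternate-TLD patterns the FBI alert describes can be triaged mechanically from a list of newly observed domains. The following is an added example, not code from the FBI or from this diary; the allow-list entry example.com, the homoglyph table and the candidate domains are constructed, and only single-label TLDs are handled.

```python
"""Lookalike-domain triage for the spoofed-domain alert above (added example).

Given a small allow-list of legitimate domains, flag candidates that
(1) reuse the legitimate label under another TLD, (2) swap in visually
similar characters, or (3) sit within a small edit distance of the legitimate
label. Indicators are accepted defanged ("fbi[.]gov"), as in the alert text.
"""
from dataclasses import dataclass
from typing import List, Optional

# Domains being protected; only fbi.gov is named on the page, example.com is constructed.
LEGIT_DOMAINS = ["fbi.gov", "example.com"]

# Illustrative lookalike substitutions; a production table would be far longer.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


@dataclass
class Finding:
    candidate: str
    legit: str
    reason: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'fbi[.]gov' back into 'fbi.gov'."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def split_domain(domain: str):
    """Return (registrable label, tld); handles single-label TLDs like .gov/.com only."""
    parts = domain.split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (domain, "")


def normalize_glyphs(label: str) -> str:
    """Apply multi-character substitutions first so 'rn' becomes 'm' before '1' becomes 'l'."""
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit_domains=LEGIT_DOMAINS) -> Optional[Finding]:
    """Return a Finding when the candidate imitates an allow-listed domain, else None."""
    cand = refang(candidate)
    if cand in legit_domains:
        return None
    c_label, c_tld = split_domain(cand)
    for legit in legit_domains:
        l_label, l_tld = split_domain(legit)
        if c_label == l_label and c_tld != l_tld:
            return Finding(cand, legit, f"same label under alternate TLD .{c_tld}")
        if c_label != l_label and normalize_glyphs(c_label) == l_label:
            return Finding(cand, legit, "homoglyph substitution")
        # Short labels need a tighter bound, or most three-letter strings would match.
        max_edits = 1 if len(l_label) < 6 else 2
        distance = edit_distance(c_label, l_label)
        if 0 < distance <= max_edits:
            return Finding(cand, legit, f"edit distance {distance} from {l_label}")
    return None


def triage(candidates: List[str]) -> List[Finding]:
    """Run classify over a batch of observed domains and keep only the hits."""
    return [f for f in (classify(c) for c in candidates) if f is not None]
```

Feed triage() a daily feed of newly registered or newly resolved domains and forward the hits to whoever handles takedown requests.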

Nov. 21. KrebsOnSecurity reports fraudsters swindle GoDaddy employees into handing over targeted cryptocurrency domain. On the heels of previous incursions over the past week, the latest campaign hit cryptocurrency trading platform liquid.com. “A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” says Liquid’s CEO Mike Kayamori. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

Nov. 20. U.S. Justice Department hits 21-year-old Jordan K. Milleson and 19-year-old Kyell A. Bryan with identity theft and conspiracy charges for SIM swapping and vishing scams. The two suspects allegedly created phishing websites that mimicked legitimate employee portals belonging to wireless providers. The duo then emailed and/or called employees at these providers to coax them into logging in at these fake portals. Sources tell KrebsOnSecurity the two men were active members of OGusers, an online forum that caters to people selling access to hijacked social media accounts, and they are part of a larger vishing and phishing conspiracy spanning the U.S. and UK.

Nov. 19. U.S. Federal Bureau of Investigation provides critical information to help cybersecurity professionals and system administrators guard against Ragnar Locker ransomware. First observed in April 2020 when unknown actors used it to encrypt a large corporation’s files for an $11 million ransom, the malware now targets an increasing list of victims, including cloud service providers, communication, construction, travel, and enterprise software companies. The advisory states, “Ragnar Locker actors first obtain access to a victim’s network and perform reconnaissance to locate network resources, backups, or other sensitive files for data exfiltration. In the final stage of the attack, actors manually deploy the ransomware, encrypting the victim’s data.”

Nov. 13. Microsoft reports three nation-state actors originating from Russia and North Korea are targeting companies directly involved with COVID-19 vaccine research and treatment in Canada, France, India, South Korea and the United States. The attacks came from Russian threat actor Strontium and North Korean adversaries known as Zinc and Cerium. “Strontium continues to use password spray and brute force login attempts to steal login credentials. These are attacks that aim to break into people’s accounts using thousands or millions of rapid attempts,” says Microsoft. “Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using COVID-19 themes while masquerading as World Health Organization representatives.”

Nov. 9. Prestige Software, an online hospitality firm managing hotel reservations, exposes over 10 million user records. The booking company reportedly used an Amazon Web Services S3 bucket without any authentication, leaving 24.4 GB of data including sensitive credit card information and PII of millions of customers open for exfiltration. While no one knows how long the database was exposed or who has accessed it, the unsecured bucket also affects hotel reservation companies like Agoda, Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre, etc.

Nov. 6. U.S. Army National Guard’s Combined Cyber Response Team responds to cyberattack against the University of Vermont Health Network. The attack disrupted service and prevented access to the MyChart Patient Portal at multiple locations in Vermont and upstate New York, according to Healthcare IT News. “Attacks that focus on or originate from end-user devices have long recovery times because of the enormous number of devices in a health system of this size. Every individual machine needs to be tested, possibly repaired or upgraded, and then certified as ‘clean’ before being put back on the network,” says Drex DeFord, healthcare executive strategist for CI Security. The National Guard will help ensure thousands of end-user devices are free of malware or viruses.

Nov. 6. Phishing attackers leverage previously leaked email and personal data to scam more than 1.1 million XRP coins from Ledger owners. The scammers deploy a phishing email that lures users to a fake version of Ledger’s website where they’re coaxed to download malware disguised as a security update. Once downloaded, users can say goodbye to the money in their Ledger wallet. According to Xrplorer — a fraud awareness site operated by the community — the coins were siphoned in five transactions and ended up at Bittrex. While the company patched the vulnerability months ago, the coins are long gone.

Nov. 5. Fraudsters deploy notorious banking Trojan hours after voter polls closed to leverage uncertainty of the U.S. presidential election, according to Information Security Media Group. The bad actors use hijacked email threads to launch spam and election-themed phishing attacks with an attached zip file labeled “ElectionInterference” that contains a malicious Excel spreadsheet. If Excel macros are enabled, the spreadsheet will unleash the Qbot banking Trojan and infect devices.

Nov. 5. The British Broadcasting Corporation (BBC) sustains hundreds of thousands of malicious emails every day. According to data released under the Freedom of Information Act, BBC’s cyber defense systems blocked an average of 283,597 malicious emails every day during the first eight months of 2020 and a total of 51,898,393 emails containing viruses, ransomware, and spyware, during the same period.

Nov. 2. U.S. Department of Justice sentences Russian cybercriminal Aleksandr Brovko to eight years in prison for $100 million botnet conspiracy. The suspect’s role in the cyber conspiracy involved writing software scripts to trawl botnet logs and extract highly sensitive personal information, using more than 200,000 unauthorized access devices to transfer funds. “Brovko was an active member of several elite, online forums designed for Russian-speaking cybercriminals to gather and exchange their criminal tools and services,” according to the news release.

Nov. 2. Gaming company Capcom discloses cyberattack on its systems, including email and file servers. The Japanese video game developer says the systems were accessed by an unauthorized third party. While it has halted some internal network operations, the notice states there is no indication that customer information was breached and the incident hasn’t affected connections for playing online games or access to its various websites.

Nov. 1. WIRED reports that attackers leverage Google Drive’s legitimate collaboration feature to deploy malicious links via email invites or Google Drive notifications. “The smartest part of the scam is that the emails and notifications it generates come directly from Google,” says WIRED.

October

Oct. 31. Hackers hijack prestigious university email domains to phish through corporate email gateways. Forbes says the phishing tactic has a simple principle: “Business email servers perform reputation checks on incoming email, rejecting any from suspect or unknown domains. The answer, then, is to hijack domains that have a good reputation. As a bonus, it’s likely that the legitimate return address could make recipients more likely to be taken in by the phish.”

Oct. 30. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation report an Iranian advanced persistent threat actor scanned state websites with the legitimate web vulnerability scanner Acunetix. The threat actor is responsible for mass dissemination of voter intimidation emails to U.S. citizens and dissemination of U.S. election-related disinformation campaigns to influence and interfere with the 2020 U.S. presidential election. The actor also attempts to exploit known website vulnerabilities, including directory traversal, Structured Query Language (SQL) injection, and web shell uploads, and to leverage unique flaws in websites to obtain copies of voter registration data. The agencies confirm that the actor successfully obtained voter registration data in at least one state as a result of website misconfigurations and a scripted process using the cURL tool to iterate through voter records.
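The scripted cURL iteration the advisory describes leaves a recognizable trace in web-server access logs. The following is an added detection sketch, not code from CISA, the FBI or this diary; the log lines, the /voter/<id> lookup route and the thresholds are constructed for the example.

```python
"""Access-log triage for scripted record enumeration (added example).

Parses web-server access logs in combined log format and flags a client that
walks sequential record identifiers (the cURL-driven iteration described in
the advisory), that announces itself as a command-line tool, or that sends
directory-traversal sequences. Log lines and the /voter/<id> route are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)
ID_RE = re.compile(r"^/voter/(\d+)")  # constructed record-lookup route
TRAVERSAL_RE = re.compile(r"\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/", re.IGNORECASE)
SCRIPTED_UA_PREFIXES = ("curl/", "python-requests/", "Wget/")

# Constructed sample: one client iterating ids 1001-1006 with curl, one ordinary
# browser session, and one client probing with a traversal sequence.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Oct/2020:14:01:01 +0000] "GET /voter/1001 HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [30/Oct/2020:14:01:01 +0000] "GET /voter/1002 HTTP/1.1" 200 509 "-" "curl/7.68.0"',
    '203.0.113.7 - - [30/Oct/2020:14:01:02 +0000] "GET /voter/1003 HTTP/1.1" 200 515 "-" "curl/7.68.0"',
    '198.51.100.22 - - [30/Oct/2020:14:01:02 +0000] "GET /voter/2210 HTTP/1.1" 200 520 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Oct/2020:14:01:02 +0000] "GET /voter/1004 HTTP/1.1" 200 511 "-" "curl/7.68.0"',
    '203.0.113.7 - - [30/Oct/2020:14:01:03 +0000] "GET /voter/1005 HTTP/1.1" 200 508 "-" "curl/7.68.0"',
    '198.51.100.22 - - [30/Oct/2020:14:01:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Oct/2020:14:01:03 +0000] "GET /voter/1006 HTTP/1.1" 200 514 "-" "curl/7.68.0"',
    '192.0.2.9 - - [30/Oct/2020:14:02:10 +0000] "GET /download?file=..%2f..%2fconfig HTTP/1.1" 404 0 "-" "python-requests/2.24"',
]


def parse(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def longest_sequential_run(ids: List[int]) -> int:
    """Length of the longest run of ids that each increase by exactly one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect(lines: List[str], min_sequence: int = 5, min_scripted_hits: int = 5) -> Dict[str, List[str]]:
    """Group requests by client address and return reasons for every address worth a look."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings: Dict[str, List[str]] = defaultdict(list)
    for ip, recs in by_ip.items():
        ids = []
        for r in recs:
            m = ID_RE.search(r["path"])
            if m:
                ids.append(int(m.group(1)))
        run = longest_sequential_run(ids)
        if run >= min_sequence:
            findings[ip].append(f"sequential enumeration: {run} consecutive record ids")
        scripted = [r for r in recs if r["ua"].startswith(SCRIPTED_UA_PREFIXES)]
        if len(scripted) >= min_scripted_hits:
            findings[ip].append(f"scripted client: {len(scripted)} requests, user agent {scripted[0]['ua']}")
        if any(TRAVERSAL_RE.search(r["path"]) for r in recs):
            findings[ip].append("directory traversal sequence in request path")
    return dict(findings)
```

The user-agent check alone is weak, since a client can send any string; the sequential-id run is the signal that survives that evasion, and rate limiting per record lookup is the corresponding mitigation.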

Oct. 28. Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services warn the Healthcare and Public Health (HPH) Sector of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. The advisory describes tactics, techniques, and procedures used by cybercriminals to target the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.

Oct. 27. Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and U.S. Cyber Command Cyber National Mission Force warn commercial sector businesses around the world of malicious cyber activity, known as HIDDEN COBRA, by North Korean advanced persistent threat group Kimsuky. The advisory describes tactics, techniques, and procedures used by Kimsuky to gain intelligence on various topics of interest to the North Korean government.

Oct. 22. Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency warn Russian state-sponsored advanced persistent threat actor — known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala — is targeting U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. The threat actor has successfully compromised network infrastructure and exfiltrated data from at least two victim servers.

Oct. 19. Microsoft hits number one on Check Point’s top ten “most imitated” brands used when phishing attempts were executed via e-mail or a website. “The Microsoft brand gets used the most for these phishing attacks because of the work-from-home scenario that’s common now during the COVID-19 pandemic,” explains Maya Horowitz, director of threat intelligence and research at Check Point. “The phishing efforts typically try to get users to reset their Microsoft Office 365 credentials.”

Oct. 18. Facebook Phishing Campaign: Nefarious actor disguises a phishing link as a YouTube link to steal credentials. Impersonating a contact known to the Facebook Messenger recipient, the bad actor provides a YouTube link that redirects victims “through multiple websites that first determine if the victim is using a mobile device before presenting a Facebook phishing page and culminating in the presentation of the legitimate Google Play Store site,” according to an investigation by Cyberint Research. “Whilst the phished credentials appear to be used to further propagate the threat, it is not clear if any other data theft or account fraud is occurring within Facebook.”

Oct. 17. “Forum Data Breach – Please Change Your Password,” warns gaming developer Sandbox Interactive. Hackers breached the main database of the developer’s free medieval fantasy video game Albion Online and stole players’ email addresses and passwords. The massively multiplayer online role-playing game (MMORPG) entertains over 180,000 daily players, according to a @UnderTheBreach tweet stating the hacker is offering the Albion Online data for sale on a hacking forum.

Oct. 16. Google’s Threat Analysis Group (TAG) reports Chinese threat actor APT31 targets U.S. election with a Python-based malware implant. Previously reported targeting Biden campaign staffers, APT31’s new tactic impersonates McAfee via phishing emails, prompting victims to install malicious anti-virus software hosted on GitHub. Meanwhile, the threat actor discreetly installs malware and exfiltrates files using Dropbox as its command and control. “Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection,” says TAG. Google is working with U.S. government agencies and the tech industry to thwart the threats.

Oct. 15. Notorious ransomware gang Egregor nabs data from internal networks of video game giants Ubisoft and Crytek. The gang allegedly published 20 MB of source code from Ubisoft’s Watch Dogs: Legion game and 300 MB of information about the development process of various Crytek games on Egregor’s dark web portal. The ransomware operators told ZDNet that they have not encrypted Ubisoft’s data, but Crytek’s data has been fully encrypted. While no ransom has been officially requested yet, the gang threatens to leak more information.

Oct. 12. Franklin, Massachusetts, sustains spear-phishing attack resulting in $522,000 from its non-general fund account being misdirected to a third party. “I have been reassured that Franklin’s electronic data is secure,” says Town Administrator Jamie Hellen. “There is currently no evidence of a breach of our systems. All personal information, accounts and town software systems have been found not to be compromised. The incident was not a ransomware attack.” Franklin police along with state and federal authorities are investigating the cyberattack.

Oct. 9. Cybersecurity and Infrastructure Security Agency (CISA) warns federal, state, local, tribal, and territorial (SLTT) governments of advanced persistent threat actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities during a single intrusion to compromise a network or application. Although there is no evidence that integrity of elections data has been compromised, CISA is aware of instances where this malicious activity resulted in unauthorized access to elections support systems, indicating there may be risks to elections information housed on government networks.

Oct. 6. Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing & Analysis Center report a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. The sophisticated Trojan commonly functions as a downloader or dropper of other malware. It is difficult to combat because of its “worm-like” features that enable network-wide infections, and it’s considered one of the most prevalent ongoing cyber threats. The reporting agencies recommend implementing mitigation measures described in the alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.

Oct. 4. Anthem to pay $39.5 million settlement for a 2014 data breach. The attackers infiltrated Anthem’s systems via phishing emails that enabled them to install malware and siphon personally identifiable information of nearly 79 million Americans. In addition to the hefty payout, Anthem agrees to improve its confidentiality and security policies, boost security protocols, and submit to third-party audits and assessments.

Oct. 1. U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) advises companies that facilitating ransomware payments to cyber actors on behalf of victims may risk violating OFAC regulations. The International Emergency Economic Powers Act and the Trading with the Enemy Act prohibit U.S. persons from engaging in transactions with actors on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). The advisory encourages organizations to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.

Eli Kirtman is a freelance writer based in Cincinnati, Ohio.