
September Security Roundup
Currently, the world faces not one pandemic but two: Coronavirus and the rise of ransomware attacks.
While both have negatively impacted the economy, in the case of cybercrime, lax security measures give hackers an easy way to make a fortune in ransom claims. Malicious software makes it simple for hackers to access data, encrypt it and hold it hostage until the victim organisations pay a hefty ransom. Cybercrime is growing rapidly, so it's key that organisations stay vigilant to the ongoing threats around them.
Here are just some of the attacks that have recently taken place:
Thailand visitors have data exposed
More than 106 million international travellers to Thailand were the unfortunate victims of a cyber attack that resulted in the exposure of their personal details, such as full names, passport numbers, arrival dates and more. The database was published online without a password, meaning it was accessible to anyone who went looking for it, putting the victims in a vulnerable position. The exposed data was secured three days after its discovery via the Censys search engine, but there is no way of telling whether, or what, PII was exfiltrated to be exploited at a later date. (source)
The return of the REvil Ransomware group
Following a short hiatus after its attack on Kaseya earlier this year, the infamous REvil Ransomware group got most of its infrastructure back online. Currently, there have been no new samples posted on the Happy Blog, meaning that the group hasn’t launched any known attacks itself, with its last attack on the 8th of July 2021. However, ransomware experts are suggesting that the group will return under a different name and with a new ransomware variant. (source)
The largest documented DDoS attack in history
In early September, Yandex reported one of the biggest Distributed Denial of Service (DDoS) attacks in history, intended to overwhelm its systems to the point where they would have to shut down. While the flood of junk traffic peaked on September 5th, Yandex managed to stave off the record attack of nearly 22 million requests per second and effectively defend against the large-scale barrage. (source)
Microsoft uncovers something phishy
In late September, Microsoft uncovered a large Phishing-as-a-Service operator providing a start-to-finish phishing attack service for a maximum price of $800 (around £600). Known under the trio of names BulletProofLink, BulletProftLink or Anthrax, the service is advertised on cybercrime forums, where it offers phishing templates designed to convince victims of their authenticity (for between $80 and $100 per template) and carries out social-engineering phishing attacks. (source)
Hackers can steal your money when your iPhone is locked
A vulnerability within iOS has been discovered that would allow a malicious actor to use a stolen, locked iPhone to pay for thousands of pounds' worth of goods. Using commercially available equipment, malicious actors could mount a man-in-the-middle (MITM) attack to obtain payment authorisation from powered-on iOS devices with Apple Pay enabled. An Android application modifies the communication by abusing a vulnerability in Apple’s Express Transit feature (implemented in iOS 12.3), though neither Apple nor Visa have any plans to patch the error any time soon. (source1) (source2)
RaidForums makes its staff area public
The underground security forum RaidForums recently had the hidden staff area of its website exposed to the clearnet. The data breach marketplace is where threat actors often sell or leak illicitly obtained data dumps. The section of the forum intended to be concealed for staff use only was, until recently, accidentally indexed on google.com, sharing private data and tips such as how to create personas, user banning records, site hosting preferences and more. (source)
Hackers impersonate bank clerks and steal from the elderly
A group of nine individuals have been arrested and face criminal charges after defrauding multiple people by manipulating their caller IDs so that calls appeared to come from verified banks. They called victims to claim their bank accounts had been hacked and that the only way to secure their money was to transfer it into a secure vault. Of course, the vault was simply an account the hackers had access to. Unfortunately, the Dutch police receive 200 reports like this every single day. It is a real problem that they are trying to get under control. (source)
Scammers romance victims into downloading bogus apps
A scam dubbed CryptoRom has been spotted targeting users on dating apps such as Tinder, Bumble and Grindr, forming friendships with the victims before tricking them into installing completely bogus trading apps on their iPhones. Victims are convinced to invest through the app, only for their funds to be later stolen by the scammers. According to a study of a bitcoin wallet the scammers maintain, they have made about $1.4 million from the scam by abusing Apple's Enterprise Developer Program. These findings show how fraudsters are using Apple's distribution mechanism, known as Super Signature services, to target iOS users. Furthermore, the researchers discovered malicious programmes tied to these scams that use configuration profiles to take advantage of Apple's Enterprise Signature distribution method. (source)
A VPN provider’s misconfiguration exposes PII of one million users
The free VPN service Quickfox, used by Chinese residents to access sites from outside mainland China, had inadequately configured its Elastic Stack security, leaving a server exposed and accessible. Unfortunately, with no password protection or encryption, at least one million users had their PII exposed. Researchers discovered a 100GB trove containing 500 million records, including customer emails, IP addresses, phone numbers and other PII, as well as system data on 300,000 clients. The server has yet to be secured. (source)
A REvil/Sodinokibi ransomware universal decryption key is out
Back in July, a universal decryptor for the ransomware distributed by the REvil ransomware group was found. Originally, it was restricted to victims of the Kaseya breach only, and how that key was obtained was unknown. Recently, however, Bitdefender obtained a universal decryption key, distributed it freely to anyone in need of it, and released a guide to decrypting the affected files. (source1) (source2)
Apple patches zero-click iMessage vulnerability
In September, the NSO Group was discovered using a zero-click, zero-day weakness in Apple's iMessage service, exploiting vulnerabilities in its PDF handling to install spyware on targets' devices. Fortunately, Apple has recently patched the issue, and you can find out more about it in our recent blog here.
Babuk ransomware’s full source code leaked on hacker forum
In early September we discovered that a threat actor had released the source code for the Babuk (Babuk Locker) ransomware, allowing security specialists to analyse the source code and its operations. Allegedly, the threat actor did so out of guilt, claiming in their post that they were terminally ill and stating they still "have time to live like a human.” If you want to know more about Babuk Locker, you can read our Threat Report by Zachary Goggins here. (source)