Kathleen Maxted

Cyber Weekly Digest - 2023 Week #4

Take a look at this week's Cyber Weekly Digest for a rundown of the latest cyber security news, including another T-Mobile data breach and how ransomware groups are using Google Ads to target victims. Keep reading to stay up to date on the biggest cyber security news from the week.

The personal information of 37 million customer accounts has been exposed after T-Mobile disclosed a hack on its systems carried out through one of its Application Programming Interfaces (APIs). APIs are software interfaces commonly used by applications or computers to communicate with each other. Many online web services expose APIs so that their own apps or external partners can retrieve internal data, provided they present the right authentication tokens. While T-Mobile did not share how its API was exploited, threat actors commonly find flaws that allow them to retrieve data without authenticating first. The leaked data did not include passwords, payment data, or any financial information, but it did include full names, addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and account details such as the number of lines on the account and plan features. Phishing threat actors could use this information to trick users into buying fake products that could potentially be malicious. This is T-Mobile’s eighth data breach since 2018, including one attack in which a threat actor gained access to the customer data of roughly 3% of all T-Mobile customers.

Rostelecom, Russia’s largest internet service provider, says 2022 was a record year for DDoS attacks targeting organisations in the country. DDoS attacks aim to make internet-connected websites or services unavailable by overwhelming them with so many requests that the server can no longer accept new connections and becomes unresponsive. Hacktivists on both sides of the Russia-Ukraine conflict have used DDoS attacks to disrupt critical services, usually in retaliation for actions or announcements concerning the ongoing war. In a report published on January 23rd, 2023, Rostelecom says its experts recorded 21.5 million critical web attacks aimed at roughly 600 Russian organisations across various industries, including telecom, retail, finance, and the public sector. The most powerful DDoS attack recorded by the Russian ISP was 760 GB/sec, almost twice the size of the most potent attack of the previous year, while the longest DDoS attack lasted nearly three months. Rostelecom also saw over 500,000 DDoS attacks against Moscow city entities in 2022. About 80% of cyberattacks targeting Russian entities were DDoS, but Rostelecom also recorded attacks exploiting website vulnerabilities.

The FBI has confirmed that the North Korean state-sponsored “Lazarus” and APT38 hacking groups were behind the theft of $100 million worth of Ethereum from Harmony Horizon in June 2022. Harmony Horizon is a cross-chain bridge for Ethereum; the June 2022 breach allowed the attackers to take control of a MultiSigWallet contract and use it to transfer large amounts of tokens to their own addresses. Cryptocurrency security firm Certik released a report describing the attack flow and the steps the threat actors took to siphon millions. The North Korean hackers attempted to move 41,000 ETH ($63.3) through Railgun before depositing the funds to many addresses at three cryptocurrency exchanges. 350 cryptocurrency addresses have been identified as being under the direct control of the Lazarus group. The hackers converted some of the moved funds into Bitcoin, and the FBI seized an undisclosed portion by working closely with virtual asset service providers. Some cryptocurrency wallets were hosted on Binance for laundering purposes, and all the accounts involved in the laundering were frozen.

A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims’ passwords, and ultimately breach networks for ransomware attacks. Over the past few weeks, cybersecurity researchers have exposed how Google search results have become a hotbed of malicious advertisements pushing malware. These adverts pretend to be the websites of popular software programs, such as LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC. Clicking on the adverts leads visitors to fake sites that pose as download portals or replicas of the software’s legitimate sites. However, when you try to download the software, you will usually get an MSI file that installs various malware, depending on the threat actors behind the campaign. The currently known malware in these campaigns is RedLine, Gozi, Vidar, and potentially Cobalt Strike and ransomware. Threat researchers believe that DEV-0569 is using SEO poisoning to rank sites pretending to be popular software in search results. DEV-0569 is also thought to be an Initial Access Broker that uses its malware distribution system to breach corporate networks, either for its own attacks or to sell that access to other malicious actors, such as the Royal ransomware gang.

Riot Games, the creator of League of Legends and the Packman anti-cheat software, has allegedly had its source code put up for auction on hacking websites after a confirmed breach of the game company’s developer environment. On January 24th 2023, the company confirmed that it had received a ransom note from the threat actor and said it would not be paying. The ransom note demanded $10 million to prevent the stolen data from going public. In a conversation with security research group VX-underground, the threat actors stated that they gained access to Riot Games’ network after performing a social engineering attack over SMS on one of the company’s employees. The threat actors claimed they had access to the development network for thirty-six hours until the company’s SOC detected them. The forum post includes a link to a thousand-page PDF document that they claim contains a directory listing of the 72.4 GB of stolen source code. The hacker selling the alleged source code has started the auction at $1,000,000.


