Read our Cyber Weekly Digest for a rundown of the biggest cyber security news. This week we take a look at how Activision's game source code was stolen and leaked, as well as $5.8 million worth of crypto recovered from the Lazarus hacking group. Keep reading to stay up to date with the latest cyber stories.
The Norwegian police have seized 60 million kroner ($5,800,000) worth of cryptocurrency stolen by the North Korean Lazarus hacking group last year from Axie Infinity's Ronin Bridge. This is the largest financial seizure of this kind to take place in Norway, made possible thanks to the money-tracing capabilities and persistence of police investigators. The seized cryptocurrency was stolen from Sky Mavis, the publisher of the blockchain-based game Axie Infinity, which suffered losses of $620 million in March 2022 after an attacker manipulated the game's Ronin Bridge to gain partial control of its validators and perform two unauthorized transactions. In September 2022, the FBI, with the help of blockchain experts, seized $30,000,000 worth of cryptocurrency stolen during the attack. While that amount represented only 10% of the stolen cryptocurrency (and 5% of its value), the authorities promised that more seizures would follow. The recovered funds will be returned to Sky Mavis for partial victim reimbursement.
A new infostealer malware, Stealc, has been spotted in the wild and is gaining traction on the dark web, driven by aggressive promotion of its stealing capabilities and its similarity to established malware of the same kind such as Vidar, Raccoon, Mars, and Redline. Security researchers spotted the new strain in January and noticed it started to gain traction in early February. Stealc has been advertised on hacking forums by a user called "Plymouth", who presented it as malware with extensive data-stealing capabilities and an easy-to-use administration panel. According to the advertiser, apart from the typical targeting of web browser data, extensions, and cryptocurrency wallets, Stealc also has a customisable file grabber that can be set to target whatever file types the operator wishes to steal. It is written in C and abuses Windows API functions. Most strings in the malware code are obfuscated with RC4 and base64. The malware is distributed by posing as cracked programs on phishing sites that appear in Google search results. Considering the observed distribution method, users are recommended to steer away from installing pirated software and to download products only from the official developer's website.
A proof-of-concept exploit has been released for a critical RCE vulnerability in the Fortinet FortiNAC network access control suite. The vulnerability is tracked as CVE-2022-39952 and rated critical severity. Fortinet disclosed the security issue on February 16 and calculated a severity score of 9.8. The vendor warned that it could be leveraged by an unauthenticated attacker to write arbitrary files on the system and achieve remote code execution with the highest privileges. Organizations using FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches were urged to prioritise applying the available security updates. This week, researchers published a technical post detailing the vulnerability and how it can be exploited. Proof-of-concept (PoC) exploit code is also available from the researchers' company repository on GitHub. The released PoC involves writing a cron job to /etc/cron.d/ that triggers every minute to initiate a root reverse shell to the attacker, giving them remote code execution capabilities. FortiNAC administrators are strongly recommended to immediately upgrade to a version of the product that is not affected by CVE-2022-39952, specifically FortiNAC 9.4.1 or later, 9.2.6 or above, 9.1.8 or newer, and 7.2.0 or later.
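Because the PoC above persists through a file dropped into /etc/cron.d/, one quick check a defender can run on a Linux appliance is to audit that directory for root jobs scheduled every minute or pointing at unusual locations. The script below is an added example, not code from the digest, Fortinet or the researchers; the sample cron.d contents and the indicator list are constructed here, and `/etc/cron.d` is the standard system cron drop-in directory.

```python
import re
from pathlib import Path

# Constructed sample contents standing in for files under /etc/cron.d/ (not from the page).
SAMPLE_CRON_D = {
    "logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
    "sysstat": "*/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1\n",
    "update": "SHELL=/bin/bash\n* * * * * root /tmp/.cache/update.sh >/dev/null 2>&1\n",
}

# Constructed indicator patterns: network tooling, world-writable paths, piped downloads.
INDICATORS = [
    r"/dev/tcp/", r"\bnc\b", r"\bncat\b", r"\bsocat\b",
    r"(^|\s)/tmp/", r"/dev/shm/",
    r"\bcurl\b.*\|\s*(ba)?sh", r"\bwget\b.*\|\s*(ba)?sh",
    r"\bbase64\s+(-d|--decode)",
]

# System crontab format: five schedule fields, a user name, then the command.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_cron_d(text):
    """Yield (schedule_fields, user, command) for each job line in one cron.d file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue  # blank line, comment or environment assignment such as SHELL=
        if line.startswith("@"):  # @reboot / @hourly style schedules
            m = re.match(r"^(\S+)\s+(\S+)\s+(.*)$", line)
            if m:
                yield (m.group(1),), m.group(2), m.group(3)
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1, 2, 3, 4, 5), m.group(6), m.group(7)

def every_minute(schedule):
    return len(schedule) == 5 and all(f in ("*", "*/1") for f in schedule)

def find_suspicious_jobs(cron_d):
    """Return (file, command, reasons) for each job worth a closer look."""
    findings = []
    for name, text in cron_d.items():
        for schedule, user, command in parse_cron_d(text):
            reasons = []
            if user == "root" and every_minute(schedule):
                reasons.append("runs as root every minute")
            reasons += [f"command matches {p!r}" for p in INDICATORS if re.search(p, command)]
            if reasons:
                findings.append((name, command, reasons))
    return findings

def load_cron_d(directory="/etc/cron.d"):
    """Read the real drop-in directory into the same {name: text} shape as the sample."""
    return {p.name: p.read_text(errors="replace") for p in Path(directory).iterdir() if p.is_file()}
```

Run `find_suspicious_jobs(load_cron_d())` on a live host; any hit, and in particular a recently created file, deserves comparison against the appliance's known baseline.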
Activision has confirmed that it suffered a data breach in early December 2022 after hackers gained access to the company's internal systems by tricking an employee with an SMS phishing text. The video game maker says that the incident has not compromised game source code or player details. "On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed," a company spokesperson stated. However, vx-underground, a security research group, says that the threat actor "exfiltrated sensitive workplace documents" along with the content release schedule until November 17, 2023. Screenshots shared by the researchers show that the hackers had gained access to the Slack account of an Activision employee on December 2 and tried to trick other employees into clicking malicious links. The leaked game information shared online was based on marketing materials, and the development environment was not affected by the breach.
One of the world's largest producers and distributors of fresh fruit and vegetables, Dole, has announced that it is dealing with a ransomware attack that has impacted its operations. Many details are still missing at the time of writing; the company is currently investigating "the scope of the incident", noting that the impact is limited. Law enforcement authorities have also been informed of the incident. Despite the announcement that the impact is limited, a memo leaked on Facebook by a Texan grocery store indicates that the food giant was forced to shut down its production plants in North America. It appears that Dole has also halted its shipments to grocery stores. Consumers have been complaining about pre-packaged Dole salad shortages on store shelves for over a week now. Although the company did not disclose when the attack occurred, it is likely that the shortage was caused by this ransomware attack.