Account compromise and data theft remain among the most common paths into organization networks, and adversaries keep refining their techniques. Here are this week's phishing, data breach and ransomware headlines.


Cyberattack Hits Cryptocurrency Play-to-Earn Game WonderHero

The play-to-earn cryptocurrency game WonderHero, which has over 11,000 active users, recently suffered a cyberattack in which adversaries made off with more than $320,000 worth of Binance Coin (BNB). The price of the platform's native token, WND, fell by over 90% as a result.

The blockchain analysis firm PeckShield was the first to alert WonderHero to the breach. Soon after confirming it, WonderHero took its website and game offline to protect users. A public breach notification followed, acknowledging the sudden WND price drop and assuring users that the company was taking the necessary response measures. Reportedly, the adversaries minted 80 million WND and converted them into 750 BNB through PancakeSwap, a decentralized exchange on BNB Chain (not a mixer, as some reports described it).

WonderHero's initial investigation found that the entry point was the withdrawal path of the platform's cross-chain bridge. Bridges are a recurring target because they mint or release tokens on one chain in response to deposits observed on another; a flaw in how a withdrawal is verified lets an attacker mint tokens that were never backed by a deposit, which is consistent with the 80 million WND minted here. The platform is fixing the bridge vulnerability and auditing its entire system. It plans to airdrop new WND tokens based on a snapshot taken before the attack, to compensate all liquidity providers, and eventually to launch a bug bounty program to help identify and patch vulnerabilities. A timeline for restoring services is to be announced later.


NB65 Leaks Approximately 1 Million VGTRK Email Addresses

The Network Battalion 65 (NB65) hacker group, which is linked to the Anonymous hacktivist collective, recently claimed to have leaked around 1 million emails belonging to the All-Russia State Television and Radio Broadcasting Company (VGTRK), Russia's largest state media corporation.

NB65 leaked over 900,000 emails from the broadcaster and handed the material to Distributed Denial of Secrets (DDoSecrets), the non-profit that publishes leaked documents. DDoSecrets has in turn made the 786.2 GB cache available to the general public as a torrent. DDoSecrets co-founder Emma Best called the leak an unprecedented exposure of state-owned propaganda and media. An archive of this size from a state broadcaster's internal mail is of obvious interest to researchers and, from the Russian government's perspective, a significant security exposure.


Data Breach Hits Fox News

Fox News recently had a 58 GB database exposed to the internet. The cause was a configuration error on an internal Fox News server: the database was reachable without a password, so anyone with an internet connection could have read the personally identifiable information (PII) of employees stored in it. The database reportedly held 13 million records of content management data along with an unspecified number of employee details, exposing internal Fox emails, employee ID numbers, usernames, and affiliate station information.

One exposed folder contained details of 65,000 celebrities, production crew and cast members, together with their internal Fox ID reference numbers. Not every field was present for every person, but the main details exposed include hostnames, event logs, host account numbers, device and interface data, and IP addresses.

Fox News secured the database and began an internal investigation, which found that the exposed database was not connected to any production environment. According to the security researchers who reported it, Fox News locked the database down quickly. Note that a fast fix closes the exposure going forward but says nothing about whether anyone else read the data while it was open; that question is only answered by access logs from the exposure window, if they exist.


Data Breach Hits Texas Department of Insurance

A security flaw in one of the Texas Department of Insurance's web applications recently exposed the personal data of over 1.8 million people. The Texas Department of Insurance (TDI) first disclosed the incident on 24th March, and the Texas Attorney General's office published notice of it on 4th April. The exposed details include names, contact numbers, addresses, partial or full Social Security numbers, dates of birth, and information about workers' compensation claims and injuries.

While the TDI has shared few details about the incident, no third-party vendor appears to have been involved. The flaw, in a TDI web application used to manage workers' compensation information, was first identified on 4th January. A bug in the application's code allowed anyone on the internet to reach confidential data stored on the server. The TDI took the application offline and brought it back only after the flaw was fixed.

So far there is no evidence that the exposed information has been misused. Even so, the TDI is providing a year of complimentary identity theft and credit monitoring services to everyone affected.


Data Breach Hits Block

Block recently suffered a data breach because a former employee's access was not revoked when they left. The former employee downloaded reports containing information on US Cash App customers. Block (formerly known as Square) reported the incident to the Securities and Exchange Commission (SEC) on 4th April, stating that the insider incident took place on 10th December.

The employee had had legitimate access to these reports as part of their job, but the access was never removed after their employment ended. The exposed customer data includes full names, brokerage account numbers, brokerage portfolio value and holdings, and stock trading activity for one trading day. Block has not released the exact number of Cash App customers affected, but it said it was sending breach notifications to around 8.2 million current and former customers.

No PII beyond full names was exposed, and other Cash App products and customers outside the US were not affected. Block disclosed the incident roughly four months after it occurred; it says it has investigated, notified law enforcement and the relevant regulators, and tightened its controls. The control lesson is a familiar one: deprovisioning must be triggered by the HR termination event, and access by accounts that should no longer exist is exactly what a leaver reconciliation or a periodic access review is meant to catch.
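As an added example (not code from the original article or from Block), the following script shows the two checks that would have surfaced this kind of incident: a reconciliation of access grants against the HR departure list, and a scan of access logs for activity by accounts after their last working day. All data below is constructed; the resource names, account names and dates are placeholders and do not describe Block's systems.

```python
"""Leaver reconciliation: find access that survived offboarding, and any use of it.

All sample data is constructed for illustration. Resource and account names are
placeholders, not anything from the Block / Cash App incident.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Grant:
    principal: str      # account holding the access
    resource: str       # e.g. a report share
    granted_on: date


@dataclass(frozen=True)
class Departure:
    principal: str
    last_day: date      # from the HR system of record


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    principal: str
    resource: str
    action: str         # e.g. "download"


def stale_grants(grants, departures, as_of):
    """Grants still held by principals whose last day is already in the past.

    Returns (grant, days_since_departure) pairs, longest-standing first.
    A departure dated on or after ``as_of`` is not yet stale.
    """
    last_day = {d.principal: d.last_day for d in departures}
    stale = []
    for g in grants:
        ld = last_day.get(g.principal)
        if ld is not None and ld < as_of:
            stale.append((g, (as_of - ld).days))
    return sorted(stale, key=lambda pair: pair[1], reverse=True)


def post_departure_activity(events, departures):
    """Access events by a departed account after its last day: the insider case."""
    last_day = {d.principal: d.last_day for d in departures}
    return [e for e in events
            if e.principal in last_day and e.when.date() > last_day[e.principal]]


# --- constructed sample data (hypothetical) ---
AS_OF = date(2022, 4, 4)

GRANTS = [
    Grant("alice", "brokerage-reports", date(2020, 3, 1)),
    Grant("bob", "brokerage-reports", date(2021, 1, 15)),
    Grant("carol", "marketing-dashboards", date(2021, 6, 1)),
]

DEPARTURES = [
    Departure("alice", date(2021, 9, 30)),   # left months ago, access never revoked
    Departure("carol", date(2022, 5, 31)),   # notice given, still employed as of AS_OF
]

EVENTS = [
    AccessEvent(datetime(2021, 9, 20, 10, 0), "alice", "brokerage-reports", "download"),  # while employed
    AccessEvent(datetime(2021, 12, 10, 2, 13), "alice", "brokerage-reports", "download"),  # after departure
    AccessEvent(datetime(2021, 12, 10, 9, 0), "bob", "brokerage-reports", "download"),     # current staff
]


if __name__ == "__main__":
    for grant, days in stale_grants(GRANTS, DEPARTURES, AS_OF):
        print(f"STALE  {grant.principal:<8} {grant.resource:<22} departed {days} days ago")
    for ev in post_departure_activity(EVENTS, DEPARTURES):
        print(f"ALERT  {ev.principal:<8} {ev.action} {ev.resource} at {ev.when:%Y-%m-%d %H:%M} (after last day)")
```

The first function is the preventive control (run it on every HR termination and on a schedule, then revoke what it lists); the second is the detective control that turns a missed revocation into an alert at the moment the access is actually used, which is the point at which this incident became a breach.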


Conti Ransomware Targets Parker Hannifin

The US industrial components giant Parker Hannifin recently suffered a cyberattack that exposed several gigabytes of sensitive files. Parker Hannifin supplies motion and control technologies and precision-engineered solutions to industrial, mobile, and aerospace customers. The company detected the intrusion on 14th March, shut down some of its systems, launched an investigation, and informed law enforcement. It also hired external cybersecurity and legal experts to establish the root cause of the attack.

While the investigation continues, Parker has confirmed that some data, including employees' personal information, was compromised. The attack did not affect Parker's business operations. According to SecurityWeek, the Conti ransomware gang is behind the attack: Conti has leaked a 5 GB archive of the company's data and claims this is only 3% of what it stole.


Cyberattack Hits Indian Bank Without Firewall

The Andhra Pradesh Mahesh Co-operative Urban Bank recently suffered a cyberattack, and in hindsight it was hardly a surprise: the bank lacked even basic defenses. It was operating without a valid firewall license or an intrusion detection system, which made it considerably easier for the adversaries to steal millions of rupees.

With 45 branches and close to $400 million in deposits, the Andhra Pradesh Mahesh Co-operative Urban Bank is one of India's smaller banks. According to the Hyderabad City Police, the bank underestimated the importance of cybersecurity, and more than 200 phishing emails reached its staff in just three days in November 2021. At least one of them fooled a bank employee, resulting in the installation of a Remote Access Trojan (RAT).

The adversaries withdrew money at 938 ATMs; the Hyderabad City Police were able to freeze a further ~$2 million in funds. Initial reports indicate that the bank had no proper network segmentation between its head office applications and its branches, so a RAT on one staff workstation had a path to the core systems used to move money. Reports suggest the hackers are based outside India, probably in Nigeria or the UK, and that the funds were transferred to them via cryptocurrency.