The ability of cybercriminals to operate from anywhere around the world and the increasing linkages between physical systems and cyberspace have led to rising cybersecurity incidents. Here are this week’s headlines to give you an idea about how threat actors continue to target individuals and organizations to infiltrate their information assets.
Hackers Deploy Malware Disguised as YouTube Bot to Steal Sensitive Data
Cybercriminals are distributing YouTube bot malware that artificially boosts the rankings of YouTube videos and steals users’ sensitive information. The malicious bot receives commands from the command and control (C2) server for other malicious activities.
About the malware
Cyble researchers discovered that the threat actors distributed the YouTube bot malware as a .NET compiled 32-bit executable file. The executable file requires four argument strings, including the video duration, video ID, like, and comment.
Modus Operandi
- After execution, the malware runs an AntiVM check and prevents malware detection and analysis in a virtual environment.
- If it determines that it is executed in a controlled environment, it terminates. Otherwise, it proceeds to perform the tasks defined in the argument strings.
- Furthermore, the malware creates copies of itself in the %appdata% folder with the name AvastSecurity.exe and executes it using cmd.exe.
- The mutex assists in creating persistence and establishes a task scheduler entry.
- The AvastSecurity.exe file gathers cookies, autofill, and login data from the Chrome browser on the user’s system.
- Finally, the malware passes the previously mentioned arguments (including the cookie information and browser path) and calls the YouTube Playwright function to view the specified video.
Facebook Agrees to Pay $725 M Settlement For Cambridge Analytica Data Leak
Meta Platforms, Facebook’s parent company, agreed to pay $725 million to settle a class-action lawsuit running since 2018.
The legal dispute arose when there were revelations that Facebook allowed third-party apps (like those used by Cambridge Analytica) to access personal information without users’ consent for political advertising.
The proposed settlement was reported by Reuters last week and is the latest penalty that the social media giant will pay in the wake of numerous privacy mishaps through the years. However, it needs the approval of a federal judge of the US District Court’s San Francisco division.
Interestingly, Facebook previously sought dismissal of the lawsuit in September 2019 and claimed the users have no privacy interest in the information they post to their friends on social media.
“It was a breach of trust between Cambridge Analytica, Kogan, and Facebook,” CEO Mark Zuckerberg claimed. “Additionally, it was a breach of trust between Facebook and the users who share their personal data with us and expect us to safeguard it.”
The expose fueled government scrutiny across the Atlantic, prompting the social media giant to settle with the UK Information Commissioner’s Office (ICO) and the US Securities and Exchange Commission (SEC) in 2019.
Latest DeFi Exploit Sees Hackers Drain $8M in Assets From Users’ Bitkeep Wallets.
While most people were enjoying the holiday season, hackers were working, draining approx. $8 million in a BitKeep wallet exploit. On December 26, some BitKeep (multichain crypto wallet) users reported that their funds were drained and transferred when they were not using the wallets.
The BitKeep team mentioned in their official Telegram group that some APK package downloads got hijacked by the attackers and were installed with hacker-implanted code.
They wrote: “If your funds got stolen, the application you downloaded or updated might be an unknown version.”
As the hack progressed, the BitKeep team urged the users to transfer their funds to an officially sourced wallet like Google Play and the Apple App Store. Furthermore, the team advised the community members to create new wallet addresses as their previous addresses might be “leaked to hackers.”
Threat Actors Bypass 2FA and Hack Comcast Xfinity Accounts
Comcast Xfinity customers reported that their accounts got hacked in widespread attacks bypassing two-factor authentication. The attackers used the compromised accounts to reset passwords for other services, like the Gemini and Coinbase crypto exchanges.
Starting December 19, Xfinity email users began receiving notifications regarding account information changes. However, users could not log in when they attempted to access the accounts because the passwords got changed.
After regaining access to their accounts, they discovered they got hacked, and their profile contained a secondary email at the disposable @yopmail.com domain. Xfinity allows users to configure a secondary email address (similar to Gmail), which they can use for password resets and account notifications if they lose access to their Xfinity account.
All Xfinity affected customers said they enabled two-factor authentication on their accounts, yet the cybercriminals bypassed it and logged in to their accounts.
“Someone changed my personal account information and reset my password, and they bypassed 2FA. The email the attackers setup was xxxxxxxx@yopmail.com,” said an Xfinity customer on Reddit.
Danish Shoe Manufacturer Ecco Exposes Over 60 GB of Sensitive Data
The Irish proverb says, “There is no use carrying an umbrella if you have leaky shoes.” The words sum up Ecco’s (a Danish shoe manufacturer and retailer) current predicament. Researchers identified an exposed instance hosting a large amount of Ecco data. The team discovered that Ecco left 50 exposed indices to the public, containing over 60 GB of data available since June 2021.
Since numerous sensitive documents, from system to sales information, were accessible, anyone could view, edit, copy, steal or delete data. The open server with names of the indices showed millions of revealed documents. For example, the directory sales_org contained about 300,000 documents. Another directory, market_specific_quality_dashboard, had about 820,000 records.
North Korea-Linked Attackers Stole $626M in Virtual Assets in 2022
According to the spy agency, over half the crypto assets (800 billion won or $626 million) got stolen this year, reported the Associated Press. Following harsh UN sanctions, the Pyongyang Government focuses on crypto hacking to fund its military program.
“The National Intelligence Service, South Korea’s main spy agency, said North Korea’s capacity to steal digital assets is one of the best globally because of its focus on cybercrimes. It enhanced its focus after the UN toughened economic sanctions in 2017, responding to its nuclear and missile tests.” the AP agency reported.
The UN sanctions imposed in 2016 and 2017 dramatically impacted North Korea’s economy because it could not export its products. The NIS added that over 100 billion won ($78 million) of the stolen funds were from South Korea. Cyber security and intelligence experts agree that attacks targeting the cryptocurrency industry will keep rising next year.
National Intelligence Service experts say that North Korea-linked APT groups are focusing on targeting South Korean technologies and confidential information linked to South Korean national security and foreign policy.
Toy Maker Jakks Pacific Suffers a Data Breach, Multiple Ransomware Groups Leak Data
Toy maker Jakks Pacific reported to the US Securities and Exchange Commission that it discovered a cyberattack last week after two ransomware gangs posted stolen information on their leak site. On December 22, the toy production giant released a notification confirming it suffered a ransomware attack on December 8 which encrypted its servers.
The firm, one of the biggest toy companies worldwide with licensing deals with Nintendo and Disney, hired cybersecurity experts to restore their servers and deal with the incident. The toy maker informed the SEC mid-December and filed the documents confirming the incident.
“We believe that threat actors unlawfully accessed data including personal information (names, emails, taxpayer identification numbers, addresses, and banking information of affected businesses and individuals),” the company said in its statement.
“We suggest you immediately take adequate protective measures to protect your personal and banking information. It is an ongoing investigation.”
One useful way to deal with the threat of phishing attacks is to use phishing protection security solution, such as an email spam filter, or a browser extension that can detect and stop suspicious sites.
EarSpy Attack Eavesdrops On You Using Motion Sensors
An experts’ team recently developed an eavesdropping attack that exploits the motion sensors. It targets Android devices, detects private speech, and identifies a caller’s gender and identity.
More about EarSpy the attack:
- The attack, called EarSpy, is a side-channel attack that eavesdrops on victims by capturing motion sensor data originating from the ear speakers’ echo during any conversation.
- The researchers initially explored the attack on smartphone loudspeakers because, in the past, ear speakers did not produce enough vibration for eavesdropping.
- However, today’s smartphones come with powerful stereo speakers compared to earlier models, which deliver better sound quality and stronger vibrations.
The experiment:
- EarSpy is a group experiment conducted by five American university researchers, namely the New Jersey Institute of Technology, Temple University, Texas A&M University, the University of Dayton, and Rutgers University.
- The researchers experimented on a OnePlus 7T and OnePlus 9 device. They played variable sets of pre-recorded audio using the ear speakers of the two devices.
- During a simulated call, they used Physics Toolbox Sensor Suite (a third-party app) to capture accelerometer data.
- Then, they used MATLAB to analyze the audio stream and extract features.