
METRO reports IT-system outage after cyberattack; arrest in Lapsus$ case and other cybersecurity developments
We have gathered the week’s most important cybersecurity news.
- METRO, the wholesale giant, reports IT-system outage after cyberattack.
- A Microsoft data leak affected 65,000 organizations worldwide.
- In Brazil, a suspected member of the Lapsus$ group was arrested.
- DeadBolt ransomware operators were duped into handing over decryption keys.
METRO reports IT-system outage after cyberattack
The international wholesale giant METRO is experiencing disruptions to its IT infrastructure and payment processing following a recent cyberattack.
According to available information, the problem began on October 17 and affected stores in Austria, Germany and France.
The company’s IT team, together with external experts, is conducting an investigation to determine the cause of the ongoing disruption.
Although METRO stores did not halt operations, the wholesale group has had to suspend online-order processing and run payments offline.
The company has not yet disclosed the nature of the cyberattack, but experts say disruptions to IT infrastructure are typically linked to ransomware.
Microsoft data leak affects 65,000 organizations worldwide
Microsoft warned that some customer data could be exposed due to a misconfigured server.
The leak occurred due to misconfiguration of an endpoint that is not used within the Microsoft ecosystem.
Names, email addresses, contents of emails, phone numbers, and business files relating to transactions between affected customers and Microsoft or an authorised partner were exposed.
However, an internal investigation found no evidence of credential or systems compromise.
The problematic server was secured on September 24 after the leak was discovered by SOCRadar specialists. According to their report, data dating from 2017 to 2022 was stored in a misconfigured Azure Blob Storage container.
SOCRadar contends that Microsoft’s server stored 2.4 TB of data, including over 335,000 emails, 133,000 projects and 548,000 users.
The incident potentially affected information from more than 65,000 companies in 111 countries. In particular, investigators found details of partner ecosystem operations, invoices, product price lists, internal client-facing notes, sales strategies and documents relating to user assets.
Microsoft, in turn, said SOCRadar ‘overstates the figures and scale of the problem’. The company also condemned SOCRadar’s decision to collect the data and make it searchable on a dedicated portal, saying this ‘does not serve customers’ security interests and potentially exposes them to unnecessary risk’.
In Brazil, arrest of a suspected Lapsus$ member
The Federal Police of Brazil arrested a suspected member of the notorious hacking group Lapsus$. Little is known about the suspect beyond reports that they may be a teenager.
The arrest was carried out as part of investigations into cyberattacks on the Ministry of Health and dozens of other government agencies. These were among Lapsus$’s first high‑profile operations.
In particular, during the attack on the Health Ministry, the attackers deleted files and defaced the ministry’s website.
Law enforcement gathered evidence of the creation of a criminal organisation, intrusion into computer devices, disruption of communications, as well as child exploitation and money laundering.
In September, Britain’s police arrested a teenager connected with Lapsus$ and, reportedly, responsible for the Uber and Rockstar Games breaches.
As of now it is unclear how many members remain at large. Security researchers believe they are scattered across the world and speak several languages, including English, Russian, Turkish, German and Portuguese.
Ducktail phishing campaign targets Facebook users’ Bitcoin wallets
In a new Ducktail phishing campaign, a previously unknown malware written in PHP, used to steal Facebook credentials, browser data and cryptocurrency wallets, has circulated online, Zscaler reports.
Ducktail activity was first documented by WithSecure researchers in July 2022. They linked the attacks to Vietnamese hackers.
Most of the campaign’s decoy payloads relate to games, subtitles, adult videos and cracked MS Office apps. They are hosted in ZIP archives on legitimate file-hosting services.
The malware installs in the background. A generated TMP file launches a stealer component. Its code decrypts in the computer’s memory, minimising the chance of detection.
The attackers seek detailed Facebook account information, browser-stored confidential data, cookies, cryptocurrency wallet addresses, and other basic system data.
The new phishing campaign targets everyday Facebook users. If the account type is identified as a business account, the malware will attempt to obtain additional information about payment methods, amounts spent, owner details, pages they own and their PayPal address.
DeadBolt ransomware operators duped into handing over decryption keys
The Dutch national police, with assistance from cybersecurity researchers at Responders.NU, obtained 150 decryption keys from the DeadBolt ransomware group.
Law enforcement made Bitcoin payments to the attackers’ addresses and cancelled the transactions after receiving the decryptors. As a result, victims will be able to unlock their encrypted data for free.
DeadBolt ransomware focuses on network-attached storage devices and has encrypted over 20,000 QNAP and Asustor devices worldwide; at least a thousand of them are in the Netherlands.
Experts uncover a ‘stealthy’ PowerShell backdoor
SafeBreach researchers have found a new PowerShell backdoor that has already been used to attack at least 69 targets.
The malware spreads via phishing using malicious Word documents, typically masquerading as job offers. On infection, the PowerShell script creates a scheduled task, claiming to be part of a Windows update.
Inside the backdoor are two additional scripts — Script.ps1 and Temp.ps1. The first sends the victim’s identifier to its operators and receives further commands in encrypted form. The second decodes the received commands, executes them, then encrypts and uploads the result to the controller server.
At the time of discovery, none of the antivirus products flagged them as malicious.
Analysis of the commands showed that two-thirds were intended for data theft, with the remainder used to enumerate files, user accounts and RDP clients, and to delete them.
Experts say the PowerShell backdoor was created by unknown developers; insufficient data prevents identifying them.
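The persistence technique described above (a scheduled task that launches a PowerShell script while claiming to be part of Windows Update) is something a defender can triage on a host. The script below is an added example, not code from the article or from SafeBreach's analysis; the flag patterns it looks for, the task names and paths in the constructed sample entries, and the `Test-SuspiciousPowerShellTask` function are all assumptions of this example, and the heuristics will produce false positives on legitimate administrative tasks that should be reviewed rather than acted on automatically.

```powershell
# Added example (not from the article or SafeBreach): heuristic triage of scheduled tasks
# whose action launches PowerShell with flags commonly seen in script-based backdoors.
function Test-SuspiciousPowerShellTask {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $Execute,
        [string] $Arguments = '',
        [string] $Description = ''
    )
    $reasons = @()

    # Only tasks whose action actually starts PowerShell are in scope.
    if ($Execute -notmatch '(?i)(powershell|pwsh)(\.exe)?$') { return $null }

    # Indicators: encoded payload, hidden window, policy bypass, script in a user-writable path.
    if ($Arguments -match '(?i)-(enc|encodedcommand|e)\s')         { $reasons += 'encoded command' }
    if ($Arguments -match '(?i)-w(indowstyle)?\s+hidden')           { $reasons += 'hidden window' }
    if ($Arguments -match '(?i)-(ep|executionpolicy)\s+bypass')     { $reasons += 'execution policy bypass' }
    if ($Arguments -match '(?i)\\(AppData|Temp|Public|Downloads)\\') { $reasons += 'script in user-writable path' }

    # Windows Update does not run user scripts from a scheduled task; a task that says so
    # while launching PowerShell deserves a closer look.
    if (($TaskName + ' ' + $Description) -match '(?i)windows\s*update') { $reasons += 'claims to be Windows Update' }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        TaskName  = $TaskName
        Execute   = $Execute
        Arguments = $Arguments
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample entries for offline demonstration (assumed, not real tasks from any incident).
$samples = @(
    @{ TaskName = 'WindowsUpdateCheck'; Execute = 'powershell.exe'
       Arguments = '-w hidden -ep bypass -File C:\Users\alice\AppData\Roaming\Temp.ps1'
       Description = 'Part of Windows Update' },
    @{ TaskName = 'NightlyBackup'; Execute = 'powershell.exe'
       Arguments = '-File C:\Scripts\backup.ps1'; Description = 'Nightly backup' },
    @{ TaskName = 'DiskDefrag'; Execute = '%windir%\system32\defrag.exe'
       Arguments = 'C: /U'; Description = '' }
)

# Only the first sample is flagged; the backup task is PowerShell without suspicious flags
# and the defrag task is out of scope.
$samples | ForEach-Object { $p = $_; Test-SuspiciousPowerShellTask @p } |
    Where-Object { $_ } | Format-Table -AutoSize

# On a live Windows host, feed the real task list through the same function (uncomment to run):
# Get-ScheduledTask | ForEach-Object {
#     $task = $_
#     $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
#         Test-SuspiciousPowerShellTask -TaskName $task.TaskName -Execute $_.Execute `
#             -Arguments $_.Arguments -Description $task.Description
#     }
# } | Where-Object { $_ } | Format-Table -AutoSize
```

Each flagged task carries the list of reasons it tripped, so an analyst can decide quickly whether a hit is a known administrative job or warrants pulling the referenced script for inspection; pairing this with the task's author and creation time from `Get-ScheduledTaskInfo` narrows the set further.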
Russia to allocate 1.18 billion rubles for internet isolation
The Russian Ministry of Digital Development, Communications and Mass Media amended the draft federal budget to fund the creation of a sovereign Runet.
In total, 1.18 billion rubles will be allocated to the programme during 2023‑2024.
The funds will be used to develop a system for monitoring internet traffic and managing the public communications network.
Also on ForkLog:
- Mango Markets community approved a $47 million deal with the hacker. Victims were offered a payout plan.
- The TempleDAO hacker sent assets to Tornado Cash.
- NFT collection Seven Treasures collapsed amid the LiveArtX wallet hack.
- Hackers breached BitKeep’s Swap wallet. Losses amounted to $1m.
- Attackers drained more than $8m from the DeFi protocol Moola Market.
What to read this weekend?
We explain how to preserve privacy in secure messaging apps.
Read ForkLog’s Bitcoin news in our Telegram — crypto news, price data and analysis.
ForkLog newsletters: keep your finger on the pulse of the Bitcoin industry!