
Crypto firms infected via Telegram, unprecedented DDoS attack on VTB, and other cybersecurity events
We’ve gathered the week’s most important cybersecurity news.
- Hackers attacked bitcoin companies via Telegram.
- A flaw in the Cryptonite ransomware wiped victims’ files with no possibility of recovery.
- VTB reported the largest DDoS attack on its infrastructure.
- The most common cybersecurity misconceptions among Russians have been named.
Hackers attacked bitcoin companies via Telegram
Cryptocurrency investment firms were targeted by unidentified attackers through Telegram groups used to communicate with VIP clients, according to Microsoft Threat Intelligence researchers.
At least one victim reported that the attackers posed as employees of the OKX exchange and sent him a malicious Excel spreadsheet titled “Comparison of VIP Fees OKX Binance and Huobi.xls”.
After the file was downloaded to the victim’s computer, a malicious DLL and an XOR-encoded backdoor were installed.
Although Microsoft did not attribute the attack to a particular group, Volexity had previously linked the campaign to Lazarus.
Microsoft notified customers affected by these attacks and shared information needed to protect their accounts.
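The report above only says the backdoor was XOR-encoded. The snippet below is an added example, not code from the article or from Microsoft's report, showing the check an analyst typically runs on such a blob: brute-force every single-byte XOR key and keep the one whose output is structurally a PE file (an "MZ" magic and an e_lfanew field that points at a "PE\0\0" signature). The encoded sample is constructed inline with a key of 0x5A chosen for the demo; the real campaign's key, key length and payload are not on the page, and a multi-byte key would need a known-plaintext attack rather than this 256-key sweep.

```python
import struct
from typing import Optional

# Second known-plaintext marker found in the DOS stub of most PE files; useful to confirm a hit.
DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is symmetric, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """Structural PE check: 'MZ' magic and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first one whose output parses as a PE, else None."""
    for k in range(256):
        if looks_like_pe(xor_bytes(blob, bytes([k]))):
            return k
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped payload: a minimal MZ/PE skeleton, not a runnable binary."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)              # e_lfanew -> PE header at offset 0x80
    buf[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG     # standard DOS stub message location
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample: the fake PE encoded with the single-byte key 0x5A (chosen for this demo).
ENCODED_SAMPLE = xor_bytes(build_fake_pe(), b"\x5a")


if __name__ == "__main__":
    key = recover_single_byte_xor_key(ENCODED_SAMPLE)
    if key is None:
        print("no single-byte XOR key yields a PE; try a known-plaintext attack for longer keys")
    else:
        decoded = xor_bytes(ENCODED_SAMPLE, bytes([key]))
        print(f"recovered key: {key:#04x}; DOS stub message present: {DOS_STUB_MSG in decoded}")
```

Because the scoring requires the e_lfanew pointer to resolve to a real PE signature, a stray "MZ" at offset 0 under some other key does not produce a false positive, and a blob that is not XOR-encoded PE data (for example, one encrypted with a real cipher) simply returns no key.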
VTB reports largest DDoS attack on its infrastructure
On December 6, VTB representatives said the bank’s technology infrastructure was “under an unprecedented cyberattack from abroad”.
Problems affected the mobile apps and the web version of VTB Online.
Analysis of the DDoS attack showed a planned, large-scale operation. The bank said most attacking requests came from foreign IP address ranges, with some malicious traffic also coming from Russian IPs.
The bank intends to hand this information to law enforcement authorities.
VTB stressed that core systems were operating normally and customer data remained protected from external interference as they sit “inside the bank’s internal technology perimeter”.
The bank described the incident as the largest in its history.
2 million users downloaded malware from Google Play disguised as useful utilities
Doctor Web researchers found on Google Play a bundle of malicious, phishing and adware apps that had collectively been downloaded by more than 2 million people.
They were distributed as useful utilities and optimizers.
One such program was TubeBox, allegedly offering earnings from watching videos and ads. In reality, users could not withdraw rewards, and all funds were siphoned by scammers.
Among other apps:
- Bluetooth device auto connect (bt autoconnect group) — 1 million downloads;
- Bluetooth & Wi-Fi & USB driver (simple things for everyone) — 100,000 downloads;
- Volume, Music Equalizer (bt autoconnect group) — 50,000 downloads;
- Fast Cleaner & Cooling Master (Hippo VPN LLC) — 500 downloads.
Doctor Web experts also found a set of apps masquerading as investment programs on behalf of Russian banks and commodity firms. All of them aimed to steal personal data. They were downloaded on average about 10,000 times.
A flaw in the Cryptonite ransomware erased victims’ files with no possibility of recovery
The creator of the Cryptonite ransomware introduced a coding error that caused the malware to delete victims’ data instead of encrypting it, Fortinet researchers said.
The malware was distributed for free on GitHub by user CYBERDEVILZ. At the time of writing, the malware’s code and forks had already been removed.
According to the researchers, the program was simple: it used the Fernet module of Python’s cryptography library to encrypt files and changed their extensions to .cryptn8. However, the latest Cryptonite sample leaves files locked with no possibility of recovery.
Fortinet suggested that such destructive behavior was unlikely to have been intended by the developer, citing the developer’s low skill level.
According to them, errors in the code cause the program to crash when it tries to display the ransom note.
Moreover, the key used for encryption is never transmitted to the malware operator, so access to the victim’s files is blocked permanently.
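For a responder who finds .cryptn8 files, the first useful checks are whether the contents really are Fernet tokens, when they were produced, and whether a key recovered from somewhere else (a memory dump taken before the crash, for instance) matches them. The code below is an added example written for this digest, not Fortinet’s or the Cryptonite author’s code. It relies only on the public Fernet token layout (one version byte 0x80, an 8-byte big-endian timestamp, a 16-byte IV, AES-128-CBC ciphertext in 16-byte blocks, and a 32-byte HMAC-SHA256 over everything before it, keyed with the first half of the 32-byte key) and uses only the standard library. The token and keys are constructed inline for the demo: the token carries genuine framing and a genuine HMAC, but its ciphertext bytes are arbitrary, so it does not decrypt to anything.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

FERNET_VERSION = 0x80
HMAC_LEN = 32
MIN_TOKEN_LEN = 1 + 8 + 16 + 16 + HMAC_LEN   # version, timestamp, IV, one AES block, HMAC


def parse_fernet_token(raw: bytes) -> Optional[dict]:
    """Split a base64url Fernet token into its fields; return None if the blob is not Fernet-shaped.
    Note that nothing in the token identifies or contains the key: without it the file is lost."""
    try:
        tok = base64.urlsafe_b64decode(raw)
    except (ValueError, binascii.Error):
        return None
    if len(tok) < MIN_TOKEN_LEN or tok[0] != FERNET_VERSION:
        return None
    ciphertext = tok[25:-HMAC_LEN]
    if len(ciphertext) % 16:
        return None
    ts = struct.unpack(">Q", tok[1:9])[0]
    return {
        "timestamp": ts,
        "encrypted_at": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "iv": tok[9:25],
        "ciphertext_len": len(ciphertext),
        "hmac": tok[-HMAC_LEN:],
    }


def verify_fernet_hmac(raw: bytes, fernet_key: bytes) -> bool:
    """Check a token's HMAC against a candidate base64url Fernet key (32 raw bytes: 16 signing, 16 encryption).
    A match means this key would decrypt the file; Fernet rejects any other key before decrypting."""
    key = base64.urlsafe_b64decode(fernet_key)
    if len(key) != 32:
        raise ValueError("a Fernet key decodes to exactly 32 bytes")
    tok = base64.urlsafe_b64decode(raw)
    if len(tok) < MIN_TOKEN_LEN:
        return False
    expected = hmac.new(key[:16], tok[:-HMAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, tok[-HMAC_LEN:])


def build_demo_token(fernet_key: bytes, timestamp: int, ciphertext: bytes) -> bytes:
    """Constructed token for the demo: real framing and HMAC, but no AES is performed on the body."""
    key = base64.urlsafe_b64decode(fernet_key)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + bytes(range(16)) + ciphertext
    tag = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


# Constructed keys: DEMO_KEY plays the role of the key that only ever lived in the malware's memory.
DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32)))
WRONG_KEY = base64.urlsafe_b64encode(bytes(32))
DEMO_TOKEN = build_demo_token(DEMO_KEY, 1670000000, b"\xaa" * 32)


def triage_directory(root: Path, candidate_key: Optional[bytes] = None) -> dict:
    """Summarise every .cryptn8 file under root: Fernet-shaped or not, and whether candidate_key fits."""
    report = {}
    for path in root.rglob("*.cryptn8"):
        raw = path.read_bytes()
        info = parse_fernet_token(raw)
        if info is not None and candidate_key is not None:
            info["key_matches"] = verify_fernet_hmac(raw, candidate_key)
        report[str(path)] = info
    return report


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if root is None:
        print(parse_fernet_token(DEMO_TOKEN))
        print("demo key fits:", verify_fernet_hmac(DEMO_TOKEN, DEMO_KEY))
        print("wrong key fits:", verify_fernet_hmac(DEMO_TOKEN, WRONG_KEY))
    else:
        for name, info in triage_directory(root).items():
            print(name, "->", info if info else "not a Fernet token")
```

The timestamp field gives the encryption time of each file without any key, which helps build the incident timeline; the HMAC check is the only way to tell whether a recovered key is the right one, since a wrong key fails authentication rather than producing garbage plaintext.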
DNS store employees’ data leaked online
The attacker who previously published data on Beeline employees has posted online information about employees of the DNS electronics retail chain in Russia and Kazakhstan, according to the Telegram channel ‘Data Leaks’.
A text file with 150,444 records contains:
- full name;
- 104,820 unique email addresses on various DNS domains;
- date of birth;
- gender;
- work phone;
- company branch;
- country.
The data is current as of September 19, 2022.
This same hacker has previously leaked personal information of DNS clients.
The most common cybersecurity myths among Russians named
Kaspersky Lab experts polled 1,008 respondents to identify the most widespread superstitions about digital security.
75% of respondents believe that you should not answer strangers on the phone with a simple “yes” or “no”, fearing the call might be recorded and used to steal money.
60% think that if a site uses HTTPS, it is guaranteed to be official.
57% think it is enough to reset a smartphone to factory settings to remove all information from it.
53% believe that during suspicious automated calls you should not press “1” or “2” in tone (DTMF) mode on the smartphone, thinking this could allow attackers to infect the device.
50% of respondents are sure that if a device is not connected to the Internet, it cannot be infected by viruses. The same number think unsolicited codes received on the phone or email indicate a hacked account.
32% think that Incognito mode in the browser provides complete anonymity online.
Also on ForkLog:
- In Russia, authorities started tracking dishonest owners of Bitcoin wallets.
- Top executive of Finiko, Edward Sabirov was detained in the UAE.
- Developers will relaunch Nomad cross-chain bridge after the $190m hack.
- In Ukraine more than 600 cases of illegal use of digital assets were uncovered.
- OSCE shared details of a project to combat criminal use of cryptocurrencies in Ukraine.
- A US court unveiled charges against a OneCoin partner.
- Telegram launched the sale of anonymous numbers on Fragment.
- 16 airports in the United States were equipped with facial recognition systems.
What to read this weekend?
Security remains a barrier to the mass adoption of digital assets. Read how crypto projects protect users in ForkLog.
Follow ForkLog’s Bitcoin news on our Telegram — cryptocurrency news, prices and analysis.
ForkLog newsletters: keep your finger on the pulse of the bitcoin industry!