
Cybersecurity Roundup: X’s Redirect Error, DeFi Hack Sentencing, and More
We have compiled the most significant cybersecurity news of the week.
- Automatic link redirects on X have become a boon for phishers.
- Bitcoin wallet owners warned of a new type of attack.
- Apple has notified users in 92 countries about espionage.
- The Nirvana Finance hacker has been sentenced to prison.
Automatic Link Redirects on X: A Boon for Phishers
On April 9, the social network X began automatically altering links mentioning twitter.com to x.com. In the following two days, the network was flooded with dozens of phishing sites, reports KrebsOnSecurity.
Because the replacement was a blind substring substitution on the displayed link text rather than a check on the actual hostname, every domain ending in twitter.com was affected: such a link was shown as ending in x.com while still leading to the original domain. For example, a link to spacetwitter.com would be displayed as spacex.com.
Some people pre-emptively registered domains that resemble popular brands (FedEx, Linux, Rolex, Webex, Yandex and others) but end in twitter.com, so that fraudsters could not buy them.
Several of these sites display a placeholder page warning about the recent change and its potential use for phishing.
Shortly after the issue was publicly highlighted, X’s administration corrected the error.
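The flaw described above comes down to rewriting link text with a plain substring replacement instead of matching the parsed hostname. The following is an added example, not code from the article, from X, or from KrebsOnSecurity. It reproduces the naive rewrite, shows the host-based rewrite that only touches twitter.com and its subdomains, and adds the check a client should make before rendering: does the hostname the user sees match where the click actually goes? The sample links are constructed for the example; the lure domain mirrors the spacetwitter.com case in the text.

```python
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "twitter.com"
NEW_HOST = "x.com"


def naive_display_rewrite(link_text: str) -> str:
    """Reproduce the flawed behaviour: a blind substring replacement on the
    displayed link text. Any host that merely ENDS in 'twitter.com' is rewritten
    as well, so 'spacetwitter.com' is shown as 'spacex.com'."""
    return link_text.replace(OLD_HOST, NEW_HOST)


def _hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def host_based_rewrite(url: str) -> str:
    """Rewrite only when the parsed hostname is twitter.com itself or a
    subdomain of it. Anything else (e.g. spacetwitter.com) is left untouched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == OLD_HOST:
        new_host = NEW_HOST
    elif host.endswith("." + OLD_HOST):
        new_host = host[: -len(OLD_HOST)] + NEW_HOST
    else:
        return url
    # Rebuild the authority part, keeping an explicit port if one was given.
    netloc = new_host + (f":{parts.port}" if parts.port else "")
    return urlunsplit(parts._replace(netloc=netloc))


def display_mismatch(shown_text: str, actual_url: str) -> bool:
    """Client-side sanity check before rendering: the hostname shown to the user
    must equal the hostname of the real target after the sanctioned
    twitter.com -> x.com mapping. A True result means the link is a lure."""
    return _hostname(shown_text) != _hostname(host_based_rewrite(actual_url))


# Constructed sample links (assumption: not taken from any real post).
SAMPLE_LINKS = [
    "https://twitter.com/forklog",
    "https://mobile.twitter.com/forklog/status/1",
    "https://spacetwitter.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        shown = naive_display_rewrite(link)
        verdict = "LURE" if display_mismatch(shown, link) else "ok"
        print(f"{link:45} shown as {shown:42} [{verdict}]  "
              f"host-based: {host_based_rewrite(link)}")
```

Running the block prints one line per sample link: the two legitimate twitter.com links are rewritten to x.com by both approaches and pass the check, while spacetwitter.com is displayed as spacex.com by the naive rewrite, flagged as a lure, and left unchanged by the host-based rewrite. The same hostname-versus-text distinction applies to any "display text differs from href" situation, which is why the mismatch check is worth keeping even after the substitution bug itself is fixed.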
Bitcoin Wallet Owners Warned of New Attack Type
A new multi-stage attack spreading remote access trojans and cryptocurrency wallet grabbers uses phishing messages disguised as invoices. This was reported by researchers from Fortinet.
Attackers use BatCloak and ScrubCrypt tools to obfuscate malicious code.
The first payload installed is the Venom RAT trojan, which gives the attackers control over the compromised system. It then loads further malware: Remcos RAT, XWorm, NanoCore RAT, and an infostealer.
The stealer collects system information and harvests data from the directories used by the Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty and Zcash wallets, as well as by the Foxmail and Telegram applications.
Apple Notifies Users in 92 Countries of Espionage
Apple has sent notifications to users in 92 countries about attempts to remotely hack their devices through a “mercenary spyware attack.”
No connection to specific attackers or jurisdictions has been reported. Typically, journalists, activists, politicians, and diplomats fall victim to spyware.
Affected users are advised to enable Lockdown Mode on their devices and to update their iPhones and other Apple devices to the latest software version.
Nirvana Finance Hacker Sentenced to Prison
Security specialist Shakib Ahmed, accused of hacking the yield farming protocol Nirvana Finance and an unnamed DEX (presumably Cream Finance), has been sentenced to three years in prison in the US. This is the first-ever sentence related to an attack on the DeFi segment, reports CoinDesk.
According to the investigation, in 2022, Ahmed exploited a vulnerability in the smart contract of an unnamed exchange. Several weeks later, he attacked Nirvana Finance using a flash loan and withdrew $3.49 million in cryptocurrencies from the project’s treasury.
The hacker was arrested in July 2023. He pleaded guilty and agreed to forfeit stolen assets worth $12.3 million.
After release, the perpetrator will spend three years under supervision. He is also required to pay $5 million in compensation to the victims.
Telegram Account Hijacking Scheme via Wi-Fi Network Discovered
Using public Wi-Fi networks can lead to the hijacking of accounts in the Telegram messenger. This is reported by the YouTube channel “Batrankov Academy”.
An expert discovered a fraudulent Wi-Fi network at Moscow’s Sheremetyevo Airport named SVO_Free. After connecting to the network, the user receives a message requiring registration via Telegram. For this, they are asked for an access code, after sending which, fraudsters intercept control over the account.
To avoid such incidents, it is recommended to prefer mobile data over public Wi-Fi, to periodically review the list of active sessions (Devices) in Telegram settings and terminate any you do not recognise, and to set a passcode lock on the messenger.
Ukrainian Hackers Destroy Data Center with “Gazprom” and “Lukoil” Data
The hacker group Blackjack, together with the SBU, destroyed the cloud service OwenCloud.ru, used by Russian industrial giants.
This data center housed data from over 10,000 legal entities, including the “Ural Civil Aviation Plant,” “NPP RUBIN” (part of the “Ruselectronics” holding), “Ural Special Equipment Plant,” “Gazprom,” “Transgaz,” “Lukoil,” “Rosneft,” “Norilsk Nickel,” “Rostelecom,” “Telecom,” and “MegaFon.”
As a result of the operation, over 300 TB of data were destroyed — 400 virtual and 42 physical servers, which hosted internal documentation, backups, and other programs for remote management of processes at enterprises.
Also on ForkLog:
- Investigation into the theft of bitcoins from a Bitcoin Core developer revealed.
- The Pectra update in Ethereum will allow for the recovery of private keys.
- Experts assessed the consequences of the SEC and Uniswap confrontation.
- Kraken will delist Monero in Ireland and Belgium.
- Half of the presales on Solana turned out to be scams.
- The US Treasury requested additional powers in the cryptocurrency sector.
- The founder of ACE Exchange was accused of fraud amounting to $10.7 million.
- Worldcoin allowed the deletion of biometric data.
- The trial of a participant in the attack on the DeFi project Mango Markets began in the US.
- Every sixth meme token on Base is fraudulent, and 91% have vulnerabilities — study.
- The STFIL protocol reported the arrest of developers in China.
- Phishing ads found in Etherscan and other services.
What to Read Over the Weekend?
ForkLog’s interview with American journalist Laura Shin, host of the popular podcast Unchained. We discuss, among other things, the investigation into the collapse of The DAO and the lessons the community has yet to learn from it.
ForkLog newsletters: keep your finger on the pulse of the bitcoin industry!