Here is the week’s most important cybersecurity news.
- Rockstar Games confirmed the leak of the GTA VI source code and gameplay footage.
- A cyberattack on Revolut exposed the personal data of tens of thousands of users.
- In South Korea, suspicious bitcoin transactions worth $680 million were detected.
- Lviv hackers sold data from 30 million Ukrainian and EU citizens’ accounts to Russians.
South Korea identifies suspicious cryptocurrency transfers worth $680 million
The Financial Supervisory Service (FSS) of South Korea once again detected suspicious currency transactions worth $680 million.
According to the regulator, most transfers were related to cryptocurrencies. Local firms received transfers from bitcoin exchanges and then sent funds abroad.
According to the regulator, 82 companies, including travel and cosmetics firms, are implicated in the illicit financial operations.
New facts emerged in the course of an ongoing investigation into alleged facilitation by local banks — Shinhan Bank and Woori Bank — of cross-border transfers to crypto exchanges totaling $6.5 billion, associated with the “kimchi premium.” Thus the total amount of suspicious operations to date stands at $7.2 billion.
According to the FSS, 72% of transfers ($5.18 billion) were sent to Hong Kong, 15% ($1.09 billion) to Japan and 5% ($360 million) to China. U.S. dollars accounted for 81.8% of the anomalous transactions, with Japanese yen and Hong Kong dollars accounting for 15.3% and 3.1%, respectively.
The regulator intends to complete the collection of evidence by October.
Rockstar Games confirms GTA VI source code and gameplay leak
On September 18, a hacker gained access to the source code and videos of the in-development game Grand Theft Auto VI. Rockstar Games confirmed the authenticity of the leak.
The attacker, using the handle teapotuberhacker, said he hacked Rockstar’s servers via Slack and Confluence. He posted a RAR archive containing 90 stolen videos on a forum. They show various in-game features, including camera angles, NPC tracking and Vice City locations.
Later the hacker also published 9,500 lines of GTA 6 source code, apparently related to scripting for various in-game actions.
Rockstar Games confirmed the authenticity of data stolen from the company’s internal network.
“We do not currently anticipate any disruptions to our gaming services or any long-term impact on the development of our ongoing projects,” the developers said.
Rockstar Games sent DMCA notices to Twitter, YouTube and other platforms in an attempt to remove the footage. However, the videos and screenshots had already spread virally online.
Revolut cyberattack exposed tens of thousands of users’ data
The fintech startup Revolut confirmed it was hit by a targeted cyberattack that allowed hackers to access the personal data of tens of thousands of customers, TechCrunch reports.
According to a Revolut spokesperson, “an unauthorised third party gained access to information about a small percentage (0.16%) of customers over a short period.” The company detected malicious access late on September 11 and contained the attack by the morning.
The number of affected customers was not disclosed. However, according to a Lithuanian government report, the company stated that the attack affected 50,150 customers, including 20,687 in the European Economic Area and 379 Lithuanian citizens.
Revolut declined to specify what types of data were accessed, but stressed that funds were not stolen. In a Reddit post to affected customers, the company added that the breach did not involve “card data, PINs or passwords.”
Analysts surmise that, using social engineering techniques, the hackers likely gained partial access to card data as well as customers’ names, addresses, emails and phone numbers.
As a precaution, Revolut formed a dedicated team to monitor customer account security.
Lviv hackers sold data from 30 million Ukrainian and EU accounts to Russians
The SBU (Security Service of Ukraine) in Lviv disrupted the activities of a hacker group that stole personal information from user accounts across Ukraine and the EU.
Confidential data was sold on the dark web. Payments were accepted via YuMoney, Qiwi and WebMoney.
Preliminary data indicate that selling 30 million accounts earned them almost 14 million hryvnias (about $380,000).
The SBU added that the hacked accounts were used to spread disinformation about the socio-political situation in Ukraine and the EU.
Law enforcement seized hard drives, computers, mobile phones, SIM cards and USB drives.
The organizer is suspected of unauthorized distribution of restricted information. The investigation continues.
Google Tag Manager used to infect e-commerce sites with malware
Hackers use Google Tag Manager (GTM) containers to inject skimmers that steal payment card data and buyers’ personal information on e-commerce sites, according to analysts at Recorded Future.
GTM is used to collect various metrics, track customers and serve other marketing purposes. Containers can also embed JavaScript and other resources on sites, and attackers have learned to hide malicious scripts inside them.
In total, 569 domains were affected: 314 of them were infected with GTM skimmers, while the remaining 255 sent stolen data to malicious domains linked to GTM abuse.
“Currently, information for over 165,000 payment cards belonging to victims of the attacks is available on the dark web,” researchers write.
According to the researchers, it typically takes administrators more than three months to remediate the infection.
Of the affected sites, 66% are based in the United States. The rest are in Canada, the United Kingdom, Argentina, India, Italy, Australia, Brazil, Greece, Indonesia and other countries.
Experts uncover a password-stealing Trojan spread via corporate email
From April to August 2022, Kaspersky’s SecureList recorded about 740,000 cases of spam containing the Agent Tesla spyware. Recipients included organizations worldwide.
The program can steal logins and passwords from browsers and other applications, take screenshots, and collect data from webcams and keyboards. Hackers can sell the data on the dark web or use it in further targeted attacks on the same companies.
The malware is distributed as an archive attached to emails purportedly from suppliers or contractors. In this spam campaign, the attackers use the names of existing firms and imitate their letter style and sender signatures.
The attackers give themselves away with odd sender addresses containing the word “newsletter.” Such addresses are typically used for news bulletins, not procurement emails. The sender’s domain name also differs from the company name shown in the logo.
All messages originate from a restricted set of IP addresses, indicating a single command center for the attack.
Also on ForkLog:
- Hackers stole assets worth $160 million from market maker Wintermute.
- The hacked Twitter account of an Indian Bitcoin exchange was used for fake XRP advertising.
- Analysts identified a replay attack using Ethereum PoW fork tokens.
What to read this weekend?
This week ForkLog takes a detailed look at the Tornado Cash mixer case and the reasons for its blocking.
