
Leak at Call of Duty publisher, Coinbase staff phishing and other cybersecurity developments
We round up the week's most important cybersecurity news.
- Coinbase staff were targeted by SMS phishing.
- The FBI detected malicious activity on an internal network.
- A Call of Duty update schedule was leaked publicly.
- GoDaddy disclosed a multi-year compromise of its systems.
Coinbase staff targeted by SMS phishing
On February 17, the cryptocurrency exchange Coinbase stated that its employees had fallen victim to an SMS phishing campaign. The incident occurred on February 5.
The targeted employees received text messages claiming they urgently needed to log in to their account via the provided link. One recipient clicked it and entered their login and password.
The attackers then bypassed the account's 2FA by calling the employee while impersonating the IT department. The victim followed their instructions and authenticated on their device.
The Coinbase security team detected the suspicious activity, promptly blocking the compromised account.
The attacker managed to obtain limited contact information of employees, including names, email addresses and phone numbers.
At the same time, the exchange stressed that customer data and their funds were not affected.
Coinbase suspected that the attack was carried out by the hacker group 0ktapus, also known as Scattered Spider, which is linked to at least 130 similar breaches at other organisations.
FBI records malicious activity on internal network
On February 17, an unknown intruder breached the computer system of the FBI’s New York field office, according to CNN.
According to informed sources, the affected segment was used to investigate crimes related to the sexual exploitation of children.
According to the agency, this was a single incident that was promptly contained. The FBI provided no further comment on the investigation, including potential threat sources.
Call of Duty update schedule leaked online
The game developer and publisher Activision confirmed unauthorized access to one of its internal Slack channels and data theft. The incident occurred in December 2022, but public disclosure came only after researchers from Vx-underground reported it.
.@Activision was breached December 4th, 2022. The Threat Actors successfully phished a privileged user on the network. They exfiltrated sensitive workplace documents as well as scheduled to be released content dating to November 17th, 2023.
Activision did not tell anyone. pic.twitter.com/urD64iIlC5
— vx-underground (@vxunderground) February 20, 2023
The researchers published a number of edited screenshots dated December 4, 2022, obtained directly from the attackers. They show confidential internal documents relating to the Call of Duty franchise, as well as the content publication schedule for 2023.
According to Vx-underground, the breach was carried out through an SMS phishing attack targeting an employee. After that, the hackers gained access to Activision's Slack channel.
The game developer itself did not provide details of the breach, but assured that the game’s source code and players’ personal data were not affected.
According to Insider Gaming, the leak includes full names, email addresses, phone numbers, salary ranges and other employee data. In addition, the compromised Activision employee, according to journalists, works in the human resources department and has access to a large amount of confidential information.
GoDaddy reports multi-year systems compromise
In an SEC filing, the registrar GoDaddy disclosed a targeted attack on its systems that lasted several years.
According to the company, unknown actors compromised the shared hosting environment running cPanel, stole source code and installed malware on its servers.
The issue came to light in early December 2022 after customers complained their sites were redirected to random domains.
GoDaddy noted that the attack was carried out by an organised group targeting hosting providers worldwide. Their objective was to infect sites with malware to conduct phishing campaigns and other malicious actions.
The registrar’s team is now working with external cybersecurity experts and law enforcement authorities to investigate the incident.
A new infostealer gains traction on the dark web
According to Sekoia researchers, a new infostealer, Stealc, is gaining popularity among cybercriminals. It is capable of stealing data from browsers and extensions, as well as cryptocurrency wallet addresses.
https://t.co/CnRXY1H4Ke uncovered a new #infostealer advertised as #Stealc on underground forums since early 2023 and already widespread in the wild.
In a nutshell, Stealc is a copycat of the prominent #Vidar and #Raccoon stealers. https://t.co/3FqVt4y9ZM
— SEKOIA.IO (@sekoia_io) February 20, 2023
Since January 2023, the malware has been actively advertised on hacker forums and Telegram channels.
In particular, the researchers note that Stealc's developers drew on existing "market" solutions, including Vidar, Raccoon, Mars and Redline. However, unlike them, the new stealer can be configured to capture specific file types.
Researchers identified more than 40 Stealc command servers and several dozen malware samples, indicating interest among cybercriminals.
Experts flag surge in attacks via social media and messaging apps
Positive Technologies specialists studied the most current cybersecurity threats of the fourth quarter of 2022. Among the main trends is the increase in attacks through social networks and messaging apps.
Criminals also used malware, social engineering and exploitation of vulnerabilities.
As a result, there were disruptions to critical infrastructure and large-scale leaks of user data and product source code.
The total number of cyberattacks during the study period rose by 15% compared with Q4 2021.
Also on ForkLog:
- Sam Bankman-Fried charged with conspiracy to commit bank fraud.
- Edge Wallet suffered a leak of 2,000 private keys.
- A Belarus resident lost $70 000 trying to cash out cryptocurrency.
- Founders of Forsage charged over a $340 million cryptocurrency pyramid scheme.
- Voyager to be investigated for misleading crypto marketing.
- Vinnik's lawyer acknowledged the possibility of a prisoner exchange.
- A Bitcoin consultant for North Korea detained in Moscow.
- Hackers stole $300 000 through a phishing site tied to a well-known Ethereum conference.
- The TrickBot botnet was sanctioned by the US and the UK.
- NBA star Paul Pierce will pay $1.4 million for advertising EthereumMax.
- Journalists reported the murder of OneCoin founder Ruja Ignatova.
What to read this weekend?
In the education section “Kryptorium” we discuss the Ronin sidechain reboot after the massive breach.