
Malicious WhatsApp, Optus data breach and other cybersecurity events


We have gathered the week's most important cybersecurity news.

  • A hacker extorted $1 million in Monero from the telecom operator Optus, but later apologised for the breach.
  • In Britain, a suspected hacker linked to Uber and Rockstar Games was arrested.
  • Malicious versions of WhatsApp were found in app stores.
  • Experts warned crypto-wallet owners about the activity of the NullMixer trojan.

Former NSA employee tried to sell secret information for cryptocurrency

A former NSA employee has been charged with espionage on behalf of a foreign government. He planned to sell classified information about foreign targeting of U.S. systems and about American cyber operations. For his services he asked for an undisclosed cryptocurrency worth $85,000. The buyer had already received excerpts from three classified documents.

According to the Justice Department, 30-year-old Jareh Sebastian Dalke worked at the NSA as an information systems security designer from June 6 to July 1, 2022. In late July he began communicating with someone he believed to be connected to a foreign government. In fact, his interlocutor was an undercover FBI agent.

Dalke offered to sell classified information about foreign targeting of U.S. systems and about American cyber operations. For his services he asked for an undisclosed cryptocurrency equivalent to $85,000. The buyer received excerpts from three classified documents.

Dalke was arrested during a further attempt to hand over national defense information. He has been charged with espionage.

If convicted, the former NSA employee faces life imprisonment or the death penalty.

Hacker extorted $1 million in Monero from Optus, later apologised for the breach

On September 22, a hacker breached the Australian telecommunications giant Optus, gaining access to the records of 9.8 million customers. The company confirmed the breach.

The attacker posted on a dark-web forum demanding $1 million in Monero within a week, threatening otherwise to sell the confidential data.

Data: Proactiveinvestors.com.au.

As proof, the hacker published 200 sample records from the database. He later posted the data of a further 10,000 Optus customers, repeating the ransom demand.

A few days later the original post was removed, but other forum users had already copied the stolen data and continued to spread it. Some Optus customers reported receiving anonymous messages demanding $2,000 to delete their personal data.

In a new post on the forum the hacker apologised for the cyberattack, adding that the publication of stolen data “was a mistake.”

Optus confirmed the breach, stating that the exposed data could include customers' names, dates of birth, phone numbers, email addresses, and passport and driving licence numbers. Payment details and account passwords were not compromised.

The company is investigating the incident together with the police. It has also agreed to cover the cost of replacing passports whose numbers were exposed in the breach.

WhatsApp detects malicious Android versions of the messaging app

Clones of WhatsApp capable of stealing chats and users' personal data have been found in Android app stores, The Sun reports.

The attackers distribute the malware disguised as an enhanced version of the messenger with exclusive features. In reality the user installs malware that tracks their subsequent activity.

WhatsApp warned that all unofficial apps violate the company’s Terms of Service.

"If you use them, there is no guarantee that your messages or data, such as your location or files you share, will be secure," the developers noted.

They added that they plan to block WhatsApp users who install such apps. Google said it has begun removing the malicious copies from its store.

Lazarus infected open-source software with trojans

The North Korean hacking group Lazarus is trojanizing legitimate open-source software to target large organisations, according to Microsoft.

Experts say that since June 2022 the hackers have created fake LinkedIn profiles and offered jobs on behalf of well-known tech, defence and media companies. They then move the conversation to WhatsApp and send the recipient a file with an embedded backdoor.

The malware gives the attackers access to the compromised network and to remote systems, which they use to steal confidential information.

Among the legitimate open-source programs the attackers have trojanized are PuTTY, KiTTY, TightVNC, Sumatra PDF Reader and the muPDF/Subliminal Recording installer.

The malware campaign targets primarily IT and media support professionals working in the United Kingdom, India and the US.

Separately, SentinelOne experts found that Lazarus used fake job offers from Crypto.com to steal digital assets from potential applicants.

Data: Microsoft.

In the United Kingdom, the suspected hacker behind the Uber and Rockstar Games attacks has been arrested

On 22 September, the City of London Police said they had arrested a 17-year-old in Oxfordshire on suspicion of involvement in recent major cyberattacks. Police gave no further details beyond the location of the arrest.

Journalist Matthew Keys later confirmed through his sources that the arrestee is tied to the Lapsus$ hacking group. He is accused of hacking the video game developers Rockstar Games and Take-Two Interactive.

The insiders also say the teen is connected to the attack on Uber Technologies.

Earlier this year, the teen was charged with compromising data belonging to Microsoft, Okta and Nvidia. He was released on bail pending trial.

Prosecutors now say that, in addition to computer misuse, he is charged with breaching his bail conditions.

A law-enforcement source said at least two more suspects are involved in the Rockstar Games and Uber attacks. Further arrests are expected.

In Germany, a hacker arrested over €4 million stolen via phishing

The Federal Criminal Police Office (BKA) has identified three suspects accused of organizing large-scale phishing campaigns that caused €4 million in losses. One of them has been arrested.

According to the agency, between 3 October 2020 and 29 May 2021 the attackers sent phishing emails impersonating real German banks. The emails announced upcoming changes to the bank's internal security system and urged recipients to click a link and enter their current credentials.

The phishing pages also asked victims for a one-time code used to authorize online transactions, which let the hackers log in to the victims' online banking and withdraw funds.

To conceal the fraudulent transactions, the attackers also carried out a number of DDoS attacks on banking systems.

One hacker has been arrested; a second faces 124 counts of computer fraud. The investigation into the third continues.

Experts warned crypto-wallet owners about the activity of the NullMixer trojan

Since the beginning of the year, nearly 50,000 users worldwide have encountered the NullMixer trojan, which among other things swaps crypto-wallet addresses. This was reported by Kaspersky Lab researchers.

The distributors spread the malware through sites offering hacking tools, key generators and software activators (cracks).

On a victim's computer, NullMixer drops multiple malicious files, including spyware, backdoors, banking trojans and the RedLine stealer. The latter can replace cryptocurrency wallet addresses and steal Telegram account data, credentials from certain VPN apps, Discord tokens, and saved passwords and cookies from browsers.

The experts stressed that the trojan's authors use professional SEO tools, which push the sites hosting the malware to the top of search results.
