We round up the week’s most important cybersecurity news.
- The FBI seized the domains of Genesis Market, a major dark‑web marketplace.
- Media reports that Tesla employees turned customer car‑camera footage into memes.
- MSI hackers demanded a $4 million ransom.
- Police arrested the “most dangerous hacker in Spain.”
The FBI seized the domains of Genesis Market, a major dark‑web marketplace
One of the largest dark‑web marketplaces, Genesis Market, has been shut down in an international operation led by the FBI and involving law enforcement from 17 countries, The Record reports.
Founded in 2017, the site sold cookies, fingerprints, and stolen credentials, including for Gmail, Netflix, Spotify, WordPress, PayPal, Reddit, Amazon, LinkedIn, Cloudflare, Twitter, Zoom and Ebay.
Genesis Market played a key role in enabling cybercriminals to gain access to compromised computers for other forms of fraud, including data theft and ransomware attacks.
In total, Genesis Market aggregated more than 135 million digital fingerprints, and most of the stolen data originated from the AZORult malware.
Beyond the seizure of domains and takedown of infrastructure, law enforcement conducted 119 arrests and 208 searches, and questioned 97 individuals. Authorities obtained logs, including the names of 59,000 users, their passwords, email addresses, Jabber accounts, Bitcoin addresses and transaction histories.
According to law enforcement, the platform’s owners earned more than $8.7 million, selling around 80 million credentials, including more than 200,000 related to the government sector.
All three domains of the marketplace appear on the U.S. Treasury’s sanctions list, which lists Genesis as based in Russia.
Researchers noted that the onion version of the site remains accessible without restrictions. FBI representatives declined to comment on this information.
Media reports that Tesla employees turned customer car-camera footage into memes
From 2019 to 2022, some Tesla employees privately shared videos and images captured by customers’ car cameras via an internal messaging system, according to a Reuters investigation based on interviews with nine former employees who spoke on condition of anonymity.
For years, some Tesla employees circulated private and sometimes highly invasive recordings from customers’ car cameras. One crash video, showing a child hit by a speeding Tesla, spread ‘like wildfire,’ one ex-worker told @Reuters https://t.co/xPetObBNwe pic.twitter.com/qalz5dP6Yd
— Reuters (@Reuters) April 6, 2023
Some recordings captured Tesla customers in awkward situations. One informant described a video showing a completely naked man approaching a car.
Some footage covered crashes and incidents involving aggressive driving. Another ex-employee said a 2021 clip showed a Tesla speeding into a child riding a bicycle in a residential area.
“The video spread through the Tesla office in San Mateo, California, via private chats, like wildfire,” one Reuters source added.
Tesla has not commented on this information yet.
MSI hackers demanded a $4 million ransom
The Taiwanese computer hardware maker MSI was targeted by the new ransomware group Money Message, according to Bleeping Computer.
The cybercriminals claim to have stolen 1.5 TB of data, including internal databases, the software source code, the BIOS development framework and private keys.
The hackers demanded $4 million by April 10, threatening to publish the leak.
Researchers say Money Message operates by encrypting the victim’s data and then leaving a ransom note.
MSI confirmed the attack. According to its filing with the Taiwan Stock Exchange, some MSI systems were affected. The company notified the authorities. No other details were provided.
Western Digital halts cloud service after breach
California-based storage tech company Western Digital said on Monday, 3 April, that unauthorized access had been detected to a number of its systems.
During this service interruption, you may now access files stored locally on your device using a feature called Local Access.
➡️ How to Enable Local Access on Your My Cloud Device: https://t.co/hRMM0IsiJ4
➡️ My Cloud Status Update: https://t.co/0pX1QHW7Z6 pic.twitter.com/aMfQLRVroy
— Western Digital (@westerndigital) April 7, 2023
In the wake of the incident the company put systems and services offline to “secure its business operations.” Work is underway to restore the affected infrastructure.
Currently, Western Digital is experiencing widespread outages affecting several of its products, including My Cloud storage devices and SanDisk.
The company is conducting an investigation with law enforcement to determine the nature and scope of the breach.
Car thieves have learned to bypass the smart-key system
Researchers Ian Tabor from EDAG Group and Ken Tindell from Canis Automotive Labs uncovered a new car-theft technique. One of the researchers was himself a victim of it, losing a new Toyota RAV4.
So I’m sure all are aware my RAV4 was stolen last year, ironically via “CAN Injection ??”. Myself and @kentindell have been reverse engineering the device that I believe was used for the theft. More details are on his blog https://t.co/bu7ih8TBi0
— Ian Tabor (@mintynet) April 4, 2023
The technique, called CAN Injection, has been in use for at least a year. Thieves remove a headlight and connect a device to the wiring behind it; the device attacks the vehicle’s electronic control unit (ECU) so that the smart-key system can be started without the key.
In modern cars the ECUs communicate over a CAN bus. Over that bus the attackers inject a message telling the ECU that a valid key is present, after which the thief can unlock the car door.
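The injection described above works because a device attached to the bus can transmit frames under an ID that a genuine ECU already uses. As an added example (not code from the page or from the researchers it cites), the monitor below shows one defensive idea: learn the normal transmission period of each CAN ID from a clean capture, then flag frames that arrive far earlier than that period predicts, as well as IDs never seen during the clean window. Every CAN ID, period and payload in it is a constructed placeholder; the real arbitration IDs of the affected vehicles are not on the page.

```python
"""
Timing-based detector for injected CAN frames (added example, constructed data).

Most CAN traffic is periodic. An attached device that injects a frame under an
ID a genuine ECU already transmits cannot silence that ECU, so the ID suddenly
appears "too often". A monitor that knows each ID's normal period from a clean
capture can flag frames that arrive far earlier than expected, and flag IDs it
has never seen before.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Frame:
    ts_ms: float      # time the frame was seen on the bus, in milliseconds
    can_id: int       # 11-bit arbitration ID (constructed values below)
    data: bytes       # payload, up to 8 bytes


class CanTimingMonitor:
    def __init__(self, early_ratio: float = 0.5, min_samples: int = 3):
        self.early_ratio = early_ratio    # flag gaps below this fraction of the period
        self.min_samples = min_samples    # gaps needed before an ID's period is trusted
        self.period_ms = {}               # can_id -> learned median period
        self.last_seen = {}               # can_id -> timestamp of previous frame

    def learn(self, frames):
        """Learn the median inter-arrival time of each ID from a clean capture."""
        gaps = defaultdict(list)
        last = {}
        for f in frames:
            if f.can_id in last:
                gaps[f.can_id].append(f.ts_ms - last[f.can_id])
            last[f.can_id] = f.ts_ms
        for can_id, g in gaps.items():
            if len(g) >= self.min_samples:
                self.period_ms[can_id] = median(g)

    def check(self, frames):
        """Return a list of (reason, frame) alerts for a capture."""
        alerts = []
        self.last_seen = {}
        for f in frames:
            if f.can_id not in self.period_ms:
                alerts.append(("unknown-id", f))
            elif f.can_id in self.last_seen:
                gap = f.ts_ms - self.last_seen[f.can_id]
                if gap < self.early_ratio * self.period_ms[f.can_id]:
                    alerts.append(("early-frame", f))
            self.last_seen[f.can_id] = f.ts_ms
        return alerts


# Constructed placeholder IDs; real vehicle IDs are not on the page.
KEY_STATUS_ID = 0x0AA    # hypothetical "key present / valid" status frame
WHEEL_SPEED_ID = 0x1B0   # hypothetical ordinary periodic sensor frame


def periodic(can_id, period_ms, count, data, start=0.0):
    """Generate a perfectly periodic stream of frames for one ID."""
    return [Frame(start + i * period_ms, can_id, data) for i in range(count)]


# Clean capture: key status every 100 ms, wheel speed every 20 ms (constructed).
CLEAN_CAPTURE = sorted(
    periodic(KEY_STATUS_ID, 100.0, 20, b"\x00\x00")
    + periodic(WHEEL_SPEED_ID, 20.0, 100, b"\x00\x00\x00\x00"),
    key=lambda f: f.ts_ms,
)

# Same genuine traffic plus three frames from an attached device that claim a
# valid key (constructed payload) at times unrelated to the genuine cadence.
INJECTED = [Frame(t, KEY_STATUS_ID, b"\x01\xff") for t in (230.0, 260.0, 290.0)]
SUSPECT_CAPTURE = sorted(CLEAN_CAPTURE + INJECTED, key=lambda f: f.ts_ms)


def run_example():
    """Train on the clean capture and return the alerts for the suspect one."""
    monitor = CanTimingMonitor()
    monitor.learn(CLEAN_CAPTURE)
    return monitor.check(SUSPECT_CAPTURE)


if __name__ == "__main__":
    for reason, frame in run_example():
        print(f"{reason:12s} t={frame.ts_ms:7.1f} ms id=0x{frame.can_id:03X} data={frame.data.hex()}")
```

On the constructed capture the monitor raises four early-frame alerts for the key-status ID: the three injected frames and the genuine frame at 300 ms that follows them, because that frame is also "too soon" after the last injected one. A timing monitor therefore localises a burst, not the exact forged frame, and it cannot tell a forged payload from a genuine one; it is a detection layer, and stopping the spoofing itself requires the bus or the ECUs to authenticate messages.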
On the dark web one can find ads for hacking devices to crack Jeep, Maserati, Honda, Renault, Jaguar, Fiat, Peugeot, Nissan, Ford, BMW, Volkswagen, Chrysler, Cadillac, GMC and Toyota. The device costs €5,000 and resembles a portable speaker.
Researchers handed the information to Toyota.
Police arrest the “most dangerous hacker in Spain”
On 3 April, Spanish police announced the arrest of 19-year-old José Luis Huertas, the creator of the Udyat platform for selling stolen confidential information. Known by the handles Alcasec, Mango and chimichuri, the hacker was considered a “serious threat to national security” of the country.
The investigation began in November 2022 after the hacking of the General Council of the Judicial Power of Spain. He then stole the personal data of 575,000 taxpayers, which he later sold to other cybercriminals.
He is also accused of attacks on top government institutions, theft of €300,000 and money laundering.
Huertas did not shy away from publicity, and once gave an interview to the YouTube channel “Club 113,” in which he claimed to have access to information on roughly 90% of Spain’s citizens.
Investigators identified the hacker by tracing the payments for the hosting of the Udyat servers.
During searches, law enforcement seized large sums of cash, a luxury car, documentation and computers. Huertas will remain in custody until trial.
Experts analyzed phishing services in Telegram
From October 2022 to March 2023, Kaspersky Lab found 2.5 million unique phishing URLs generated using phishing kits. The experts studied the content of several Telegram channels of phishers and compiled a list of services offered on dark-market platforms.
The #Telegram black market: How does it work? https://t.co/souWT0I210 #phishing #cybercrime #darkweb pic.twitter.com/Jd9t22CupY
— Kaspersky (@kaspersky) April 6, 2023
- Telegram bots for creating phishing pages. With them, attackers can create, for example, primitive copies of login pages for social networks, online games and other popular services, and collect users’ data through them.
- Archives with ready-made phishing kits mimicking popular resources. These are templates resembling international and regional brands. Attackers can also share victims’ data obtained via phishing. Such archives are often distributed as a trial offer before buying a paid service.
- Phishing as a service. This includes not only access to phishing tools but also various instructions and technical support. Moreover, attackers sell “advanced” scam and phishing pages: custom-made resources with broader functionality, or tools for generating them. Such pages, designed to evade detection, may contain social engineering elements such as attractive design and promises of a big prize.
Also on ForkLog:
- Over the quarter, crypto projects lost more than $320 million to hacks.
- Investigators found $314 million related to TFL and Do Kwon.
- MetaMask implements a warning feature about possible scams.
- Coinbase supported a lawsuit to lift the ban on Tornado Cash.
- Ethereum projects launched a solution for protecting users from MEV attacks.
- The SEC reached an agreement with a former Coinbase manager in an insider-trading case.
- Sri Lankan authorities uncovered a fraudulent crypto scheme worth $47 million.
- Huobi and Gala Games devised a compensation plan for those affected by the GALA incident.
- The hacker drained at least $500,000 from the Sentiment protocol, and later returned 90% of the stolen funds.
- In Ukraine, authorities shut down the Life is Good financial pyramid, which had a turnover of nearly $40 million.
- Bitcoin and BNB fell amid rumors of the arrest of the Binance CEO.
- The Euler Finance hacker returned to the project the remaining $31 million.
- MEV bot operators lost $25 million in the exploit.
- In South Korea assets were seized from the Terra team worth $205 million.
- A hacker attacked liquidity pools at Allbridge; BNB Chain developers were able to identify the attacker. Later, the Allbridge team disclosed the actual amount of damage and the attack vector used against the protocol.
What to read this weekend?
In a dedicated card we examine the various MEV strategies and discuss how to defend against them.
