
NATO documents on the dark web, record leaks in Russia and other cybersecurity events
We have gathered the week’s most important cybersecurity news.
- NATO documents put up for sale on the dark web.
- Experts found that more than 80% of popular sites transmit users’ search queries to third parties.
- A record number of corporate database leaks has been recorded in Russia.
Bill Murray was targeted by a hacker after a charity NFT auction
In the early hours of September 2, an unknown hacker siphoned 119.2 ETH (about $185,000 at the time of the incident) from Bill Murray’s cryptocurrency wallet. The actor had raised these funds the day before at a charity NFT auction.
According to Etherscan, the movement of funds began around 02:00 Kyiv time. Subsequently, the total amount was moved to wallets linked to the Binance exchange and the Union Chain platform.
The attacker also attempted to steal 800 NFTs from Murray’s personal collection. However, Project Venkman, the company responsible for safeguarding the celebrity’s funds, used a script to move the tokens to a third-party address.
Upon learning of the incident, one of the auction participants sent 120 ETH (about $187,500 at the time of the transaction) to Chive Charities to reimburse the stolen funds.
Murray’s team contacted the police and, together with analysts from Chainalysis, is trying to identify the hacker.
Media: unknown hackers put NATO secret documents stolen from Portugal’s armed forces up for sale
The General Staff of the Portuguese Armed Forces was subjected to a cyberattack, during which attackers managed to steal NATO secrets. They were put up for sale on the dark web, local media report, citing their own sources.
According to them, the General Staff learned of the incident only after samples of the stolen data appeared online.
The hackers’ announcement was first noticed by agents from American cyber intelligence, who informed the U.S. Embassy in Lisbon. The embassy, in turn, passed the information about the leak on to the Portuguese government.
Experts from the National Security Office and the National Cybersecurity Center of Portugal are currently investigating the incident.
“It was a protracted, covert cyberattack using bots programmed to detect such documents, which were subsequently stolen in several stages,” said a source close to the investigation.
He added that the leaked documents are “extremely serious”, and their dissemination could provoke a real crisis of NATO’s trust in Portugal.
No official statements have yet been issued by Portuguese authorities.
Norton Labs: more than 80% of popular sites with search capabilities transmit users’ search queries to advertisers
Approximately eight out of ten sites with a search panel transmit their visitors’ queries to internet advertisers, security researchers from Norton Labs found.
This practice breaches user privacy and leaks information into an extensive network of third parties, which can then use it to deliver targeted advertising or track online behavior.
Data is distributed among network members or sold to a larger number of organisations, resulting in users being unable to stop its spread.
While some sites may state this in their Terms of Use, visitors generally do not read it, assuming their search queries are isolated from big data brokers.
To study this, Norton Labs built a Chrome-based scanner that collected all traffic after a search and tested it on 1 million sites. In 81.3% of cases, the user query appeared on third-party sites.
Most leaks occurred via the Referer header (75.8%) and the URL (71%), and the payload contained the requested phrase in 21.2% of studied cases.
As for disclosure of this practice in privacy policies, the scanner found that only 13% specifically mentioned “search terms,” while 75% contained a general statement about “sharing user information with third parties”.
Norton Labs warned that the only way to prevent leaks is to prohibit the browser from loading third-party trackers on sites visited by the user. In privacy-focused search engines such as DuckDuckGo or Brave Search, they recommended using built-in fields where possible.
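The three leak channels named above (Referer header, URL, payload) can be checked over captured traffic as follows. This is an added example, not Norton Labs’ scanner: the hosts, the sample requests and the function names are constructed, and the third-party test is a simple host-suffix comparison.

```javascript
// Constructed sample: requests a browser issued after searching "knee pain"
// on the hypothetical site shop.example.
const FIRST_PARTY = "shop.example";
const QUERY = "knee pain";

const captured = [
  { url: "https://shop.example/search?q=knee+pain", headers: {}, body: "" },
  { url: "https://cdn.ads.example/pixel.gif",
    headers: { referer: "https://shop.example/search?q=knee+pain" }, body: "" },
  { url: "https://track.example/c?term=knee%20pain",
    headers: { referer: "https://shop.example/" }, body: "" },
  { url: "https://metrics.example/collect", headers: {},
    body: JSON.stringify({ ev: "search", q: "knee pain" }) },
  { url: "https://fonts.example/a.woff2",
    headers: { referer: "https://shop.example/" }, body: "" },
];

// Normalise so "knee+pain", "knee%20pain" and "Knee Pain" all compare equal.
function normalise(s) {
  let out = String(s || "").replace(/\+/g, " ");
  try { out = decodeURIComponent(out); } catch (_) { /* malformed escape: keep raw text */ }
  return out.toLowerCase();
}

// Third party = host is neither the site itself nor one of its subdomains.
function isThirdParty(url, firstParty) {
  const host = new URL(url).hostname;
  return host !== firstParty && !host.endsWith("." + firstParty);
}

// Report every third-party request that carries the query, and by which channel.
function findLeaks(requests, firstParty, query) {
  const needle = normalise(query);
  const leaks = [];
  for (const r of requests) {
    if (!isThirdParty(r.url, firstParty)) continue;
    const channels = [];
    if (normalise(r.headers.referer).includes(needle)) channels.push("referer");
    if (normalise(r.url).includes(needle)) channels.push("url");
    if (normalise(r.body).includes(needle)) channels.push("payload");
    if (channels.length) leaks.push({ host: new URL(r.url).hostname, channels });
  }
  return leaks;
}

console.log(findLeaks(captured, FIRST_PARTY, QUERY));
```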
A crypto video was published on the hacked YouTube channel of South Korea’s government
On September 3, hackers breached the South Korean government’s YouTube channel and started streaming a video about cryptocurrencies, local media reported.
The attackers renamed the account to SpaceX Invest and began broadcasting an interview with Elon Musk.
The breach was detected 2.5 hours later, after which the account was restored. It is believed the attackers used stolen login credentials.
Group-IB records a record number of Russian company database leaks
In the summer of 2022, the number of publicly released databases from Russian companies doubled compared with spring.
According to Group-IB’s analysts, 140 databases appeared online over the three summer months; August set a negative record with 100 leaks from 75 Russian companies. The total number of data rows published by hackers during this period amounted to 304 million.
Among the victims were online delivery services, transportation, construction and medical companies, online cinemas, telecom operators and others.
Most of the published databases are current as of spring–summer 2022. They include client names, phone numbers, addresses and dates of birth. Some also include hashed passwords, passport data, order details and other personal information.
Also on ForkLog:
- A vulnerability in Avalanche threatened complete network outage.
- Chainalysis helped seize cryptocurrency worth $30 million stolen in the Ronin hack.
- Unknown actors hacked The Sandbox’s Instagram account.
- The attacker obtained 370,000 USDC as a result of an attack on Nereus Finance.
- The Kyber Network team compensated the $265,000 stolen during the hack.
- Changpeng Zhao agreed with Elon Musk’s statement about “90% of the bots” in Twitter comments.
- Hackers staged a fake XRP giveaway on behalf of PwC’s subsidiary in Venezuela.
- An exploit in the Rug Pull Finder project was used to create 450 NFTs.
What to read this weekend?
Read ForkLog’s coverage of the social-credit system in China and life inside a digital dystopia in our special report.