We’ve compiled the week’s most important cybersecurity news.
- TikTok tracked a British journalist through her cat’s account.
- Police shut down a dark-web service for carders with $18m in Bitcoin in revenue.
- The Cl0p extortion group apologised to the attacked company after learning its profile.
- Researchers hacked an orbital nanosatellite.
TikTok tracked a British journalist via her cat’s account
Representatives of ByteDance, the owner of TikTok, told Financial Times journalist Kristina Criddle that four of their employees tracked her via the account of her cat Buffy, BBC News reports.
They said that in summer 2022 internal-audit specialists from TikTok in China and the United States examined Criddle’s IP address location, comparing it with IP data from an unknown number of their employees, in order to try to determine who the journalist had secretly been dating.
The company found that the aforementioned employees were responsible for data leaks affecting several other Western correspondents. The violators were dismissed for abuse of power and misconduct.
Criddle ran the TikTok account on behalf of her cat Buffy. The journalist’s name and profession were not mentioned in the posts.
The channel had about 170 followers. Over three years the journalist uploaded about 20 Buffy videos, which were viewed on average a few hundred times.
ByteDance said it “deeply regrets” this “significant breach” and “will do everything possible to ensure that this never happens again.”
Loki stealer targeted Russian companies
In early May, researchers at F.A.C.C.T. (formerly Group-IB) detected a large-scale phishing campaign impersonating the largest Russian supplier of electrical equipment.
More than 300 companies received letters with a commercial offer.
The attackers spoofed the sender’s address. The emails carried a ZIP archive containing the Loki stealer, designed to steal credentials.
The stolen credentials could later be used to access email accounts and databases, or for financial fraud, extortion or espionage.
Researchers hacked an orbital nanosatellite
French technology group Thales demonstrated the first successful breach of an ESA demonstrator nanosatellite.
@esa has organised an unprecedented takeover of a demonstration satellite.
The @thalesgroup‘s offensive #cybersecurity team took up the challenge by identifying vulnerabilities that could disrupt the operation of #ESA‘s satellite. #CYSAT https://t.co/V0i88knbXZ pic.twitter.com/xkvPd5CBw9
— Thales Group (@thalesgroup) April 25, 2023
Researchers identified a number of vulnerabilities enabling interference with the spacecraft, using standard privileges.
The Thales team managed to gain full control over the satellite, providing access to the on-board computer, which controls the GPS, orientation and camera.
Collectively, this created the potential to compromise data sent to ground infrastructure, notably by modifying imagery or masking certain geographic areas on the satellite images, evading ESA detection.
The test attack was conducted to model cyber threats and countermeasures.
Cl0p extortionists apologised to the breached company after identifying its profile
The Cl0p ransomware group attacked Brightline, a provider of remote therapy for children and adolescents.
In total, the criminals stole names and contact details of over 783,000 patients.
According to Brightline, the data were stolen in March 2023 from the GoAnywhere MFT file-sharing service, which also contained confidential medical information.
However, after the incident drew media attention, the hackers contacted BleepingComputer and said they were unaware of the company’s specialization. They claimed they had removed the data from their leak site and apologised for the attack.
Android malware from Google Play downloaded more than 620,000 times
The Trojan Fleckpe infiltrated the official Google Play Store under the guise of popular photo- and video-editing apps. The malware was installed more than 620,000 times, according to Kaspersky Lab.
Jocker, Harly, now Fleckpe
Not quite an Easter egg: a new family of Trojan subscribers on Google Play https://t.co/attX4wnURR pic.twitter.com/PFl9QxyIpV
— Eugene Kaspersky (@e_kaspersky) May 5, 2023
On launch, the program loads a malicious dropper library onto the victim’s device, which runs the payload from the app’s resources.
The payload transmits MCC and MNC codes to the attackers’ command server, allowing the attackers to determine the victim’s country and mobile operator. In response, the server returns a page with a paid subscription. The Trojan opens it and quietly attempts to subscribe the user to the service.
Experts found the Trojan targeted residents of Thailand, though victims also included users in Poland, Malaysia, Indonesia and Singapore.
As of the report, the apps had been removed from Google Play. However, experts warned that attackers may release other, as-yet-undiscovered programs.
Russian hackers used WinRAR to delete data during attack on Ukraine government agencies
The Russian hacking group Sandworm, which attacked Ukrainian state institutions on 25 April, wiped files on Windows and Linux computers using the WinRAR archiving tool, CERT-UA reports.
According to CERT-UA, the attackers gained access to critical systems via compromised VPN accounts that were not protected by multi-factor authentication.
The BAT script RoarBat used by the hackers searched for various file types on infected Windows devices and archived them with WinRAR, using a parameter that deletes the source files once they have been archived.
In Linux systems, attackers used a Bash script with the dd utility to overwrite target file types with zero bytes, erasing their contents.
The use of legitimate tools aided the hackers in bypassing security measures.
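A defender’s view of the behaviour described above, as an added example that is not part of the CERT-UA report: a small Python matcher that flags process command lines where WinRAR is invoked with its delete-after-archiving switch or dd is used to overwrite files from /dev/zero. The sample events are constructed; the assumption that WinRAR’s -df switch deletes sources after archiving (and -dr moves them to the Recycle Bin) is WinRAR’s documented behaviour, stated here as an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample process-creation records (not from the CERT-UA report).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": r"C:\Program Files\WinRAR\WinRAR.exe a -r -df C:\tmp\out.rar C:\Users\*.docx"},
    {"host": "ws02", "cmd": r"C:\Program Files\WinRAR\WinRAR.exe a -r C:\tmp\backup.rar C:\Users\a\Documents"},
    {"host": "srv01", "cmd": "dd if=/dev/zero of=/var/www/html/index.html bs=1M count=1"},
    {"host": "srv02", "cmd": "dd if=/dev/sda of=/mnt/backup/disk.img bs=4M"},
    {"host": "ws03", "cmd": "notepad.exe C:\\notes.txt"},
]

# Assumption: WinRAR's -df switch deletes source files after archiving and
# -dr moves them to the Recycle Bin; either turns "archive" into "wipe".
WINRAR_EXE = re.compile(r"(?i)\b(winrar|rar)\.exe\b")
WINRAR_DELETE_SWITCH = re.compile(r"(?i)(?:^|\s)-d[fr](?=\s|$)")
# dd reading from /dev/zero into any output path overwrites the target with zero bytes.
DD_ZERO = re.compile(r"\bdd\b.*\bif=/dev/zero\b.*\bof=\S+")


def classify(cmd: str) -> Optional[str]:
    """Return a finding label for a destructive command line, else None."""
    if WINRAR_EXE.search(cmd) and WINRAR_DELETE_SWITCH.search(cmd):
        return "winrar-archive-and-delete"
    if DD_ZERO.search(cmd):
        return "dd-zero-overwrite"
    return None


def scan(events) -> List[Tuple[str, str]]:
    """Run classify() over process records and keep only the hits."""
    findings = []
    for event in events:
        label = classify(event["cmd"])
        if label:
            findings.append((event["host"], label))
    return findings


if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

The two legitimate-looking lines (a plain WinRAR backup and a dd disk image from /dev/sda) are left alone, which is the point: alert on the destructive switch or source, not on the tool itself.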
Police closed a dark-web service for carders with $18 million in Bitcoin
The U.S. Department of Justice filed indictments in absentia against Russian Denis Kulkov, suspected of creating the dark-web platform Try2Check, which earned him at least $18m in Bitcoin.
According to the agency, Kulkov founded Try2Check in 2005. It was used by cybercriminals trading stolen payment cards. Checking one card cost 20 cents. Over nine months in 2018 the site performed at least 16m checks, and over 13 months from September 2021 at least 17m checks.
The site is now closed following a joint operation by law enforcement from the United States, Germany and Austria.
The State Department and the U.S. Secret Service announced a $10 million reward for any information that would lead to the capture and arrest of Kulkov, who resides in Russia.
He faces up to 20 years in prison.
Also on ForkLog:
- Media: since 2021 Israel has seized 189 terrorist-linked Binance accounts.
- CertiK blocked $160,000 stolen from DEX Merlin.
- Texas authorities charged the founder of Elon Musk AI Token with fraud.
- Curve Finance restarted the stablecoin due to an integration error.
- WSB Coin plunged 90% due to a suspected dump by the group’s curator.
- The former OpenSea executive was found guilty of insider trading by a court.
- Europol shut down the dark-web marketplace Monopoly Market and confiscated cryptocurrency.
- The Ukrainian police dismantled nine Bitcoin exchangers.
- The brother of Helix’s founder was sentenced to four years in prison for stealing 712 BTC.
- The losses from crypto hacks and scams in April exceeded $103m.
What to read this weekend?
In the educational section “Cryptoorium” we discuss the shortcomings of the MetaMask wallet and the problems potential users may face.
