URSNIF hacker's revenge, Minecraft server attack and other cybersecurity developments

We have gathered the week’s most important cybersecurity news.

  • Uber faced a data breach linked to a hack of a third-party supplier.
  • A former URSNIF ransomware member, in a bid for revenge, revealed the real identities of his accomplices.
  • Minecraft servers were attacked by the MCCrash botnet.
  • Ukrainian government sites were breached via trojanised Windows 10 installers.

Uber faced a data breach linked to a hack of a third-party supplier

Uber is investigating an incident involving a breach of Teqtivity, a third-party provider of tracking services, which led to a data leak at the company.

Data: RestorePrivacy.com.

More than 77,000 employee email addresses, IT asset reports, Windows domain login names, and other details, including what is believed to be source code for the mobile device management platform used by Uber and Uber Eats, were exposed publicly.

Teqtivity theorised the attacker gained access to Teqtivity’s AWS backup server, where the client-related source code and data files were stored.

According to the supplier, it “does not collect or store confidential information, including bank account details or government-issued identifiers.”

The company is conducting an investigation with law enforcement.

Uber regards the forum where the data archive appeared as linked to the Lapsus$ ransomware group. Its members are responsible for the September breach of Uber’s internal network and the Slack servers. However, the company has found no link between Lapsus$ and the new incident, nor any malicious access to its systems.

Analyses of the leak indicated it related to Uber’s internal corporate information and did not involve any of its clients. Nevertheless, the leaked data contains enough information to enable targeted phishing of the company’s staff.

Minecraft servers were attacked by the MCCrash botnet

Microsoft researchers have identified a hybrid Windows/Linux botnet, MCCrash, that is disabling Minecraft servers and carrying out DDoS attacks on other platforms.

New blog post: A cross-platform botnet that Microsoft tracks as DEV-1028 originates from malicious software downloads on Windows devices, propagates to Linux-based devices, and launches DDoS attacks against private Minecraft servers. Details here: https://t.co/hIB23TfBpc

— Microsoft Threat Intelligence (@MsftSecIntel) December 15, 2022

The botnet’s name derives from one of its commands: ATTACK_MCCRASH. It triggers abnormal resource consumption on the target server, leading to a crash.

MCCrash then attempts to run a malicious script named malware.py on the victim’s device to recruit it into the botnet.

Currently the malware targets only Minecraft server version 1.12.2. However, the described method also affects versions 1.7.2–1.18.2, on which roughly half of all Minecraft servers run.

“If the malware is updated to attack all vulnerable versions, its reach could become significantly broader,” warned Microsoft.

Analysts found that the majority of infected devices are in Russia. The exact number of affected systems was not disclosed.

Australian woman sentenced to 5.5 years for $3.3 million identity-fraud scheme

A 24-year-old Melbourne resident, arrested in 2019 for data theft, was sentenced to 5.5 years, according to the Australian Federal Police (AFP).

The woman pleaded guilty in November 2021.

According to the AFP, she was part of an international crime syndicate involved in large-scale cybercrime. The defendant stole at least $3.3 million and laundered a further $2.5 million. In addition, the criminals attempted to steal $7.5 million from their victims.

The accused bought stolen personal data of real people on the dark web and used fake SIM cards to forge email addresses to “capture personal data.”

Data: AFP.

Subsequently, the scammers used these identities to open more than 60 bank accounts across various Australian financial institutions, and then siphoned funds from victims’ pension and trading accounts.

The stolen funds were redirected to a contact in Hong Kong, who purchased and resold luxury items. A portion of the laundered funds returned to Australia in cryptocurrency.

Former URSNIF ransomware member, seeking revenge, reveals the identities of accomplices

A Twitter user going by URSNIFleak, who claims to be a former member of the URSNIF ransomware group, disclosed the real identities of three accomplices in a series of tweets. The incident was reported on BreachForums.

The hacker published fragments of group chats and screenshots of source code for some URSNIF malware. The messages also discussed money laundering and the situation in Ukraine.

The motive was revenge and an attempt to blackmail the ransomware group. The URSNIFleak account stopped posting new content only after the group’s leader, going by CAP, paid him to stay silent.

In the last tweet before the account’s deletion the hacker wrote:

“I just earned more money in one week than in years. Pay your workers properly and they won’t have reason to leak dirt.”

Experts believe the falling-out stemmed from a run of unsuccessful extortion operations.

Researchers uncovered a botnet targeting WordPress sites

GoTrim, malware written in Go, scans the internet for WordPress sites and attempts to brute-force the administrator password to gain control over the site, Fortinet researchers reported.

The first attacks by the botnet were observed in late September. Despite still being under development, the malware already has powerful capabilities.

It connects to each site and attempts to compromise administrator accounts by brute-forcing usernames and passwords from a list provided by operators.

If successful, GoTrim transmits information about the new infection to the command server. The malware then loads the bot client from a hardcoded URL and subsequently removes the script and the brute-force component from the infected system.

Data: Fortinet.

The botnet’s command-and-control server can remotely:

  • check credentials provided for WordPress and OpenCart domains;
  • detect WordPress, Joomla!, OpenCart, or Data Life Engine CMS installations in a domain;
  • remove the malware from the infected host.

If the target site uses a CAPTCHA plugin to deter bots, GoTrim downloads the corresponding solver.

To avoid attracting WordPress security teams, the botnet does not attack sites hosted on WordPress.com, instead targeting portals with their own servers.

Such breaches could lead to the deployment of malware, the insertion of credit-card stealing scripts, phishing pages, and other attacks potentially affecting millions, depending on the popularity of the compromised sites.
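GoTrim’s core technique is a high-volume credential-guessing run against a site’s own login endpoint, which leaves a very recognisable trace in the web server’s access log. The following detection logic is an added example for this item, not code from Fortinet or from the article: it parses combined-format access log lines, treats a `POST` to `wp-login.php` answered with HTTP 200 as a failed login (WordPress re-renders the form on failure and redirects with 302 on success), and flags any source IP that accumulates more than a threshold of failures inside a sliding time window. The log lines are constructed for illustration, and the threshold of five failures per 60 seconds is an assumed policy that a site would tune to its own traffic.

```python
"""Flag WordPress admin brute-force sources in web server access logs.

Added example for the GoTrim item; not code from Fortinet or ForkLog.
The SAMPLE_LOG lines are constructed, and the detection threshold
(5 failed logins from one IP within 60 seconds) is an assumed policy.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" format. 203.0.113.7 hammers
# wp-login.php; 198.51.100.2 is an ordinary user with one typo and one success.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Dec/2022:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2022:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2022:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2022:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Dec/2022:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Dec/2022:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def is_failed_login(entry):
    """WordPress answers a failed login with 200 (form re-rendered), success with 302."""
    return (entry["method"] == "POST"
            and entry["path"].endswith("/wp-login.php")
            and entry["status"] == 200)


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: max failed logins seen inside one window} for IPs at/over threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_failed_login(entry):
            failures[entry["ip"]].append(entry["ts"])

    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: advance `start` until all timestamps fit in `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


if __name__ == "__main__":
    for ip, count in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"brute-force suspect {ip}: {count} failed logins within 60s")
```

On the constructed sample this flags only 203.0.113.7 (six failures in six seconds); the legitimate user’s single failed attempt five minutes after a successful login stays below the threshold. In production the same logic can be fed from a log shipper, and the flagged sources handed to a rate limiter or block list, which is the point at which a list-driven guesser of the kind described above stops making progress.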

Ukrainian government sites breached via trojanised Windows 10 installers

Ukrainian government institutions were compromised using trojanised ISO files masquerading as legitimate Windows 10 installers, according to Mandiant.

Read more about our new report on a supply chain operation focused on Ukraine that used trojanized Windows 10 Operating System installers. https://t.co/0FrsGJOZYO via @BleepinComputer

— Mandiant (part of Google Cloud) (@Mandiant) December 15, 2022

The trojanised Windows 10 installers were distributed via torrent trackers.

The installers delivered malware capable of collecting and uploading data to attackers’ servers.

After initial reconnaissance, the attackers deployed the Stowaway, Beacon and Sparepart backdoors, which allowed them to maintain access to compromised systems, execute commands, transfer files, and steal information, including keystrokes.

According to Mandiant, the affected organisations had previously been listed as targets by APT28, the state-linked group tied to Russia’s military intelligence.
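The defensive counterpart to a trojanised installer obtained from an untrusted source is checking the image against the hash the vendor publishes before it is ever booted. The routine below is an added example for this item, not code from Mandiant or the article: it hashes a file in fixed-size chunks (so a multi-gigabyte ISO does not have to fit in memory), normalises the published value, and compares with a constant-time comparison. The “trusted” hash and both files in the demo are constructed stand-ins; in practice the expected value comes from the vendor’s download page, never from the same torrent or mirror as the image.

```python
"""Verify a downloaded installer image against a vendor-published SHA-256.

Added example for the trojanised Windows 10 installer item; not code from
Mandiant or ForkLog. The files and the 'trusted' hash in demo() are
constructed; a real check uses the hash from the vendor's own download page.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in 1 MiB chunks so large ISOs are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_sha256):
    """Return True only if the file's digest equals the trusted value.

    The expected value is normalised because vendors often publish upper-case
    hex, and hmac.compare_digest avoids an early-exit string comparison.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def demo():
    """Constructed demo: a 'clean' image and a copy with a single flipped bit."""
    clean = b"constructed stand-in for installer bytes " * 1000
    trusted_hash = hashlib.sha256(clean).hexdigest().upper()  # stands in for the vendor value
    tampered = bytearray(clean)
    tampered[100] ^= 0x01  # one-bit change, as any injected payload would be at least this

    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("clean.iso", clean), ("tampered.iso", bytes(tampered))):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = verify_image(p, trusted_hash)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'HASH MISMATCH - do not use'}")
```

A mismatch here says nothing about what was changed, only that the image is not the one the vendor published, which is the right outcome: the file is discarded rather than inspected further.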

LockBit ransomware attacked the California Department of Finance

The California Department of Finance came under a cyberattack claimed by the LockBit gang.

The Governor’s Office of Emergency Services confirmed the incident, noting the attack did not affect budgetary funds. The scale of the breach was not disclosed.

According to the hackers, they gained access to 75.3 GB of data, including sensitive information as well as financial and IT documents.

The gang’s leak site shows a countdown; they threaten to publish all the files if a ransom is not paid by December 24.

Data: Bleeping Computer.

The California Cybersecurity Integration Center has opened an investigation into the cyberattack.

InfraGard member data from the FBI listed for sale at $50,000

The hacker USDoD posed as the head of an unnamed financial institution and duped his way into the FBI InfraGard information-sharing programme, which counts more than 80,000 participants. This is reported by KrebsOnSecurity.

InfraGard is a trusted network for sharing information about cyber threats with the largest private-sector organisations in the United States, including those operating in the nuclear sector.

The database is listed for sale at $50,000.

The hacker told KrebsOnSecurity that he gained access by submitting an application to register a new account, using the personal data and Social Security number of the CEO of an unnamed company that qualified for InfraGard membership.

From his own account, USDoD communicated with InfraGard participants.

Data: KrebsOnSecurity.

The hacker obtained the user data through an API embedded in several key site components.

As a guarantor of the deal to sell the database, the attacker appointed BreachForums’ chief admin under the handle Pompompurin. Experts suspect the leak may be part of a larger objective by the hacker.

FBI officials confirmed they are aware of a potentially fake InfraGard account. An investigation is underway.
