Pentagon leak, sex traffickers in a family-tracking app, and other cybersecurity events

We’ve gathered the week’s most important cybersecurity news.

  • A suspect in the Pentagon document leak was arrested in the United States.
  • Hackers stole data from 400,000 Kodi media player users.
  • Sex traffickers used a popular U.S. family-safety app.
  • Over a million WordPress sites were infected with Balada Injector malware.

A suspect in the leak of secret Pentagon and U.S. intelligence documents was arrested in the United States.

The FBI arrested 21-year-old US Air Force National Guard airman Jack Teixeira, who is suspected of leaking secret Pentagon and U.S. intelligence documents, The New York Times reports.

https://forklog.com/wp-content/uploads/107684_1_13vid-aerial-leaker-arrest_wg_720p.mp4
Source: The New York Times.

According to the publication, Teixeira was an admin of the Discord server Thug Shaker Central, whose members included fans of “guns, video games and racist memes.” It was on that server that hundreds of pages of secret government documents were posted.

One member told the NYT that he personally knows the person under the handle O.G., who leaked the information. Other members described him as an undisputed leader who had access to intelligence data.

Journalists believe that this person was Teixeira. Interior details in his home matched those in photos of the leaked documents.

Pentagon officials say the leak was deliberate. The leak contains information about the war in Ukraine, including assessments of the Ukrainian army’s condition, U.S. estimates of the possibility of a Ukrainian counteroffensive, and intelligence analysis of “unforeseen scenarios” in the war, including “a strike by Ukraine against the Kremlin.” 

Additionally, documents concerning China, Iran, South Korea, Israel and other countries leaked online. Experts noted that some documents were edited. 

If Teixeira is found guilty, he faces decades in prison.

Hackers stole data from 400,000 Kodi users

The MyBB-based forum of the open-source Kodi media player was breached in a cyberattack. Hackers stole databases containing records, private messages and user credentials, and then attempted to sell them.

The incident occurred in February, but only came to light recently.

Source: BreachForums.

According to the developers, the hackers gained access to the admin console using the credentials of an inactive employee. They then created database backups and downloaded existing backups.

The Kodi forum, currently closed, has about 400,000 members.

The team said that all forum members' passwords should be considered compromised by default.

The administrators plan to deploy a new server for the forum and the project’s Wiki.

The FBI warned of the dangers of free charging stations in public places

Owners of mobile devices were warned about the dangers of using charging stations at airports, hotels and shopping centres. The FBI issued the alert.

According to the agency, attackers have found ways to inject device-monitoring malware through public USB ports.

The FBI advised using only your own portable chargers and a wall outlet.

Over a million WordPress sites were infected with Balada Injector malware

Researchers from Sucuri detected over a million WordPress sites infected with Balada Injector malware.

The malware was first spotted in 2017, but its active distribution surged in March this year.

Balada Injector injects malicious code that lets attackers access the site’s database and steal confidential information. The malware can modify pages and redirect visitors to phishing links, as well as add fake WordPress administrator accounts and leave backdoors for persistent access.

According to Sucuri, most affected sites ran on outdated WordPress versions with vulnerable themes or plugins. Balada Injector's spread was aided by the malware’s ability to bypass basic security measures, including CAPTCHA and simple 2FA.

Sex traffickers used a popular US family-safety app

The popular U.S. family-location-tracking service Life360 was used by sex traffickers. Forbes uncovered the evidence.

According to the publication, since 2018 the app, which shows the user’s coordinates in real time on a map, has appeared in at least nine court cases involving sexual crimes.

In 2019, the US DOJ provided a Florida court with statements from victims of Alston Williams, who allegedly used Life360 to monitor minors and adults. He was later sentenced to life imprisonment for crimes related to trafficking in persons.

In 2022, a Sacramento man, Robert Pierre Duncan, was convicted of sexually exploiting a 17-year-old girl. Court documents stated that he used Life360 to track “every step” she took and “watch how long [the victim] stayed in the car and where she moved in search of clients.”

In 2023, an 18-year-old Amazon employee in San Diego said that before joining the tech giant she was forced into sex work. According to documents cited by Forbes, the alleged trafficker forced her to bring in at least $6,000 a week and required her to install Life360 on her phone.

Life360 CEO Chris Hulls confirmed that over the last eight months the company received four requests from law enforcement for data related to human-trafficking investigations for sexual exploitation. However, he noted the issue had not been discussed at the leadership level, likely due to its rarity.

Life360 is one of the most popular family-safety apps in the United States. The service has more than 50 million active users in 195 countries in total.

Malicious Google Play apps found for sale on the dark web for up to $20,000

Experts at Kaspersky Lab analyzed ads for selling malicious Google Play apps on several dark web forums.

Prices for the programs start at $2,000 and go up to $20,000. The cost of a developer account required to upload apps to the store ranges from $60 to $200.

Example of an advertisement for a malware loader for Google Play. Data: “Kaspersky Lab.”

Most often attackers offer malicious code to be embedded in cryptocurrency trackers, various financial apps, QR code scanners or dating services. Advertisers indicate how many times these programs have been downloaded to show their potential reach.

For an extra fee, attackers can obfuscate the malware’s code to make detection by security solutions harder.

Telegram accounts are being hijacked under the guise of access to adult content

Attackers lure Russian-speaking Telegram users into logging in to a bot that supposedly lets them search for intimate photos. This was reported by Kaspersky Lab experts.

Victims are directed to a phishing page where they are asked for their phone number and verification code. This data then goes to the cybercriminals.

Access to the accounts is subsequently used to steal confidential data, blackmail victims, and send fraudulent messages from the compromised account.

Experts recommended not clicking on links in suspicious messages and enabling two-factor authentication on the account.

What to read this weekend?

In the educational section, “Cryptorium,” we discuss the Harmony blockchain platform and the $100 million Horizon cross-chain bridge hack.