We round up the week’s most important cybersecurity news.
- Ukraine’s GUR said it hacked the Russian Federal Tax Service.
- The websites of two ransomware groups went offline.
- OAuth applications were used to automate covert mining.
- In Spain, the alleged Kelvin Security leader was arrested.
OAuth applications used to automate covert mining
Researchers at Microsoft discovered a series of cyber incidents in which OAuth applications were used to automate phishing campaigns, compromise business email and conceal cryptocurrency mining.
The attackers targeted accounts lacking reliable authentication mechanisms. Through compromised accounts, they created new OAuth applications with high privileges, which gave the malware operators persistent and stealthy access to the system.
In one case the Storm-1283 group deployed virtual machines for crypto mining using OAuth. Losses ranged from $10,000 to $1.5 million depending on the duration of the attack.
In aggregate, experts found and removed about 17,000 malicious OAuth applications, through which attackers sent more than 927,000 phishing emails between July and November.
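The pattern described above (a weakly protected account is used to register new OAuth applications that carry high-privilege permissions, in bulk) is something a defender can hunt for in app-registration and consent audit logs. The following is an added example written for this digest, not Microsoft's tooling or detection logic; the audit-event schema, the sample events and the actor names are constructed for illustration, while the permission names are real Microsoft Graph scopes used only as a sample high-privilege list.

```python
"""
Flag newly registered OAuth applications that combine high-privilege
permissions with a weakly protected or unusually busy creating account.
Added example; the event schema and sample data are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Sample list of Microsoft Graph permissions treated as high-privilege here.
# A real deployment would maintain its own list.
HIGH_PRIVILEGE_SCOPES = {
    "Mail.Send",
    "Mail.ReadWrite",
    "Directory.ReadWrite.All",
    "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Number of app registrations by one actor in the reviewed window that
# counts as a burst (assumption for this example).
BURST_THRESHOLD = 3


@dataclass(frozen=True)
class AppEvent:
    """One constructed audit record: who registered which app with which scopes."""
    timestamp: str
    actor: str
    actor_mfa_enrolled: bool
    app_name: str
    scopes: frozenset


def find_risky_apps(events):
    """Return {app_name: [reasons]} for registrations worth an alert.

    An app is flagged only when it requests at least one high-privilege
    scope AND its creator is either not MFA-enrolled or has registered
    BURST_THRESHOLD or more apps in the window.  A high-privilege app from
    a well-protected, quiet account is left for routine review instead.
    """
    apps_per_actor = Counter(e.actor for e in events)
    flagged = {}
    for e in events:
        high = sorted(e.scopes & HIGH_PRIVILEGE_SCOPES)
        if not high:
            continue  # low-privilege app: not the pattern we hunt for
        reasons = ["high-privilege scopes: " + ", ".join(high)]
        if not e.actor_mfa_enrolled:
            reasons.append(f"creator {e.actor} has no MFA")
        if apps_per_actor[e.actor] >= BURST_THRESHOLD:
            reasons.append(
                f"creator {e.actor} registered {apps_per_actor[e.actor]} apps in window"
            )
        if len(reasons) > 1:
            flagged[e.app_name] = reasons
    return flagged


# Constructed sample audit events (not real tenant data).
SAMPLE_EVENTS = [
    AppEvent("2023-11-02T08:10:00Z", "alice", True, "Expense Sync",
             frozenset({"Mail.Read", "User.Read"})),
    AppEvent("2023-11-02T09:01:00Z", "bob", False, "Mailer-7",
             frozenset({"Mail.Send", "Directory.ReadWrite.All"})),
    AppEvent("2023-11-02T09:02:00Z", "bob", False, "Mailer-8",
             frozenset({"Mail.Send"})),
    AppEvent("2023-11-02T09:03:00Z", "bob", False, "Mailer-9",
             frozenset({"Mail.Send"})),
    AppEvent("2023-11-02T09:05:00Z", "bob", False, "Calendar Sync",
             frozenset({"Calendars.Read"})),
    AppEvent("2023-11-03T14:20:00Z", "carol", True, "HR Connector",
             frozenset({"Directory.ReadWrite.All"})),
]


if __name__ == "__main__":
    for app, reasons in find_risky_apps(SAMPLE_EVENTS).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, the three `Mailer-*` apps are flagged (no MFA on the creator plus a burst of registrations), while `HR Connector` is not, because a single high-privilege app from an MFA-enrolled account is a review item rather than an alert. The same logic applies to any event source that records the creating principal, its MFA state and the requested permissions.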
Ukraine’s GUR said it hacked the Russian Federal Tax Service
On December 12, Ukraine’s GUR cyber division stated that it hacked 2,300 regional servers of the Russian Federal Tax Service by infecting them with malware.
According to the GUR, the attack led to the complete destruction of the agency’s primary database and its backups. The Russian IT firm Office.ed-it.ru, which provides the tax service’s data-centre services, was also breached, disrupting the link between regional tax offices and the central office in Moscow.
According to the Ukrainian side, the paralysis of the Russian tax system will last at least a month, and full restoration is unlikely.
The publication Bleeping Computer could not independently verify the information.
In Spain, the alleged Kelvin Security leader was arrested
On December 7, Spanish police arrested a Venezuelan citizen in Alicante believed to be one of the leaders of the hacking group Kelvin Security.
Law enforcement says that since 2020, the cybercriminals have targeted no fewer than 300 government institutions in 90 countries, including Spain, Germany, Italy, Argentina, Chile, Japan, and the United States. The stolen data were sold on hacker forums.
The detainee, according to investigators, laundered the illicit proceeds via cryptocurrency.
Police seized computer equipment intended to help identify associates of the suspect, data buyers, and other entities linked to him.
The two ransomware groups’ sites went offline
Last week the server infrastructure of the ALPHV (BlackCat) and NoEscape ransomware gangs suddenly became inaccessible.
The leak site of the BlackCat ransomware gang is down from some hours ago…
— MalwareHunterTeam (@malwrhunterteam) December 7, 2023
A few days later, the negotiation and data-leak sites were restored, albeit without content. The gang attributed the outage to hosting-side issues.
We’ve had a dozen or so people ask us about ALPHV and their sudden website outage.
1. We have NOT heard rumors of them being arrested, we also have NOT heard rumors of their servers being seized. The only mentions of these rumors are from other people asking us about these…
— vx-underground (@vxunderground) December 11, 2023
Meanwhile, X users suspected the NoEscape operators of staging an exit scam worth several million dollars.
While rumors about ALPHV are about, it looks like #NoEscape #Ransomware executed an exit scam and has stolen several deposits and possibly payouts from their operators. They have arbitration complaints on all major hacking forums and appear to be banned on XSS and Exploit at the… pic.twitter.com/dh4D133zNJ
— AzAl Security (@azalsecurity) December 11, 2023
Some independent sources suggested that the outages could have been caused by US law enforcement interference. The publication Bleeping Computer independently confirmed this information.
Today, RedSense can confirm that #ALPHV aka #BlackCat ransomware gang’s site has been taken down by law enforcement @4D435A pic.twitter.com/ydx5irW86N
— RedSense (@RedSenseIntel) December 8, 2023
Meanwhile, the LockBit gang, taking advantage of the moment, announced plans to recruit operators from ALPHV and NoEscape.
Data from one of ALPHV’s victims — the German energy agency — has already been posted on LockBit’s leak site.
@AlvieriD
Lockbit is calling affiliates of #Alphv and #NoEscape to “move to his own ransom program, where they can finish their negotiations” after issues we have seen with both ransom groups…Also claiming a possible scam on both gangs. pic.twitter.com/dh4D133zNJ
— Who said what (@g0njxa) December 12, 2023
Toyota warned clients about a leak of personal and financial information
Toyota Financial Services, a subsidiary of Toyota Motor Corporation, told clients that a third party gained access to their confidential and financial data. The incident occurred in November and affected subsidiaries in Europe and Africa.
The attack was carried out by the Medusa group. After they failed to obtain an $8 million ransom, they leaked the stolen information on their leak site.
The compromised data included:
- full name;
- residence address;
- contract information;
- lease or purchase details;
- IBAN.
Toyota continues its internal investigation and promises to inform affected customers promptly if further data disclosures are discovered.
Fraud schemes around cryptocurrency investments spread in Russia
Since the start of 2023, the security company F.A.C.C.T. has identified 10 active scam partner programs attracting users from Russia through giveaways and crypto investments.
To scale their illegal business, attackers buy ready-made phishing resources and template payment pages, as well as traffic, for a share of the money stolen from victims.
Mostly these scam pages focus on lotteries with prize boxes, crypto investments, and especially “lucrative” offers from marketplaces. Less often, there are offers to buy a “pretty” domain name for a site.
Monthly, one such program can bring in about 4.3 million rubles for participants in the “affiliate community.”
Also on ForkLog:
- Over $300 million of 2023 Bitcoin thefts passed through mixers.
- The Nirvana Finance hacker agreed to return $12.3 million.
- Ledger users were affected by the wallet connector breach with dapps.
- Hitachi and Concordium will develop a biometric cryptocurrency wallet.
- CoinList will pay a $1.2 million penalty for violations of sanctions against Russia.
- The U.S. DOJ charged the organizers of a $25 million crypto scam.
- Yearn Finance lost $1.4 million due to a transaction error.
- Report: the crypto industry losses from hacks halved over the year.
- Alleged Hive ransomware operator arrested in France.
- The Kyivstar network was attacked by hackers. Responsibility for the breach was claimed by the Russian Solntsepek.
- OKX DEX lost $430,000 as a result of the breach.
- China will implement digital identification via a blockchain platform.
- Tough times for Binance: 24/7 monitoring and a battle with the SEC.
- HTX faced a withdrawal of $258 million after the November hack.
- Tether blocked 161 addresses from the U.S. sanctions list.
- Venus lost $274,000 due to oracle failures on Binance.
- “Bitcoin inscriptions” were added to the U.S. National Vulnerability Database.
What to read this weekend?
We discuss the specifics of ethical hacking with staff from the Ukrainian analytics firm HAPI.
