Trojan for Bitcoin wallets, Okta breach and other cybersecurity events

We round up the week’s most important cybersecurity news.

  • Crypto-wallet holders targeted by the Android banking Trojan Godfather.
  • Okta reports breach of its GitHub repositories.
  • LastPass clarifies the impact of the December breach.
  • Ukraine’s Ministry of Digital Transformation confirms attack by Ukrainian hackers on Rutube.

Crypto-wallet holders targeted by the Android banking Trojan Godfather

Users of hundreds of banking apps, crypto wallets, and Bitcoin exchanges are being targeted by the Android banking Trojan Godfather, Group-IB researchers report.

Group-IB Global (@GroupIB_GIB), December 21, 2022: “Group-IB’s #ThreatIntelligence detected more than 400 international financial companies targeted by the #Godfather #Android banking #Trojan between June 2021 and October 2022. Godfather’s predecessor is another #banking Trojan named #Anubis: https://t.co/Kf2IGvrLnk”

According to the researchers, the malware has been spreading since June 2021 and, as of October 2022, targeted 215 international banks, 94 crypto wallets, and 110 Bitcoin exchanges, most of them in the United States, Turkey, Spain, Canada, Germany, France, and the United Kingdom.

Godfather is an upgraded version of the banking Trojan Anubis. On the victim’s device it harvests usernames and passwords and intercepts two-factor authentication codes delivered by SMS, which lets the operators complete logins the stolen password alone would not.

The malware is distributed disguised as legitimate apps on Google Play and is sold to other criminals under a malware-as-a-service model.

Experts could not estimate the number of victims. Cyble’s report, however, notes that in Turkey Godfather is distributed impersonating a popular music app whose legitimate version has been downloaded more than 10 million times from Google Play.

Okta reports breach of its GitHub repositories

Attackers breached Okta’s GitHub repositories and stole source code from the identity-management provider.

According to an internal memo, GitHub alerted Okta in early December to suspicious access to the code repositories of Okta Workforce Identity Cloud. The Auth0 Customer Identity Cloud product was not affected.

Source: Bleeping Computer.

Okta says the attackers did not gain access to its corporate or customer environments and that the incident did not affect its service.

After being alerted to the suspicious access, Okta temporarily restricted access to its GitHub repositories, paused all integrations with third-party applications, and notified law enforcement.

LastPass clarifies impact of December breach

LastPass has completed the investigation into the breach that occurred earlier in December.

Attackers copied a backup of customer vault data. They also obtained customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed LastPass.

LastPass emphasises that the vault’s sensitive fields remain encrypted under its zero-knowledge model: the encryption key is derived from each user’s master password, which LastPass never holds. Some vault fields, such as website URLs, are stored unencrypted.

Unencrypted credit-card data were not affected: LastPass does not store complete card numbers, and card data is not archived in the cloud storage environment that was accessed.

LastPass does not disclose the total number of affected users, but advised fewer than 3% of its customers to take additional steps to safeguard their sensitive data.

LastPass warns that the stolen data could later be used for phishing, credential stuffing, or brute-force attacks on LastPass accounts. Because the attackers hold the encrypted vaults themselves, the brute-force risk is offline guessing of the master password, limited only by the attacker’s hardware, the password’s strength, and the key-derivation cost, not by any server-side rate limit.
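To make concrete what “encrypted vault, but brute-force remains possible” means, here is an added example. It is not LastPass’s code, and its key-derivation shape is an assumption: PBKDF2-HMAC-SHA256 keyed on the master password, salted with the account email, with a per-account iteration count, and a SHA-256 key check standing in for the real vault format. It runs an attacker’s offline guess loop against a constructed stolen record and measures how the iteration count scales the cost of each guess.

```python
import hashlib
import hmac
import time
from typing import Iterable, Optional


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Assumed KDF (not LastPass's actual code): PBKDF2-HMAC-SHA256 over the
    master password, salted with the lower-cased account email."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_check(vault_key: bytes) -> bytes:
    """Stand-in for 'does this key open the vault' (an assumption; a real vault
    would be an authenticated ciphertext the attacker tries to decrypt)."""
    return hashlib.sha256(b"vault-check:" + vault_key).digest()


def make_stolen_record(master_password: str, email: str, iterations: int) -> dict:
    """What the attacker holds after the breach: salt, iteration count and a
    verifier that cannot be reversed into the password, only tested against."""
    return {
        "email": email,
        "iterations": iterations,
        "check": key_check(derive_vault_key(master_password, email, iterations)),
    }


def offline_guess(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's loop: no server, no rate limit, no lockout. Returns the
    recovered master password or None if the wordlist is exhausted."""
    for pw in candidates:
        key = derive_vault_key(pw, record["email"], record["iterations"])
        if hmac.compare_digest(key_check(key), record["check"]):
            return pw
    return None


def seconds_to_exhaust(keyspace: int, email: str, iterations: int, sample: int = 5) -> float:
    """Measure this machine's single-core guess rate at the given iteration
    count and scale it to a keyspace. A GPU cracker is orders of magnitude
    faster, so treat the result as a lower bound on attacker effort."""
    start = time.perf_counter()
    for i in range(sample):
        derive_vault_key(f"probe-{i}", email, iterations)
    per_guess = (time.perf_counter() - start) / sample
    return keyspace * per_guess


if __name__ == "__main__":
    # Constructed data: a weak master password, a tiny wordlist, and two
    # iteration settings (both assumed values, chosen to show the scaling).
    email = "alice@example.com"
    wordlist = ["password", "letmein", "Summer2022!", "hunter2"]
    for iters in (5000, 100100):
        record = make_stolen_record("Summer2022!", email, iters)
        found = offline_guess(record, wordlist)
        est = seconds_to_exhaust(10**8, email, iters)
        print(f"iterations={iters}: recovered={found!r}, "
              f"~{est / 3600:.1f} h for 1e8 guesses on this core")
```

The two things that change the attacker’s cost are the iteration count (each guess must repeat the full derivation) and the size of the space the master password actually lives in; a password that appears in a leaked wordlist falls in seconds regardless of iteration count.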

Hackers steal Viber accounts by posing as hypermarkets

Hackers posing as well-known hypermarkets have been stealing Viber users’ accounts, according to the Telegram channel “Belarus Brain”.

Several dozen such cases have been reported since the start of winter.

The scammers send a phishing link offering a “promo code” from a well-known retailer; a user who follows it loses access to their account.

The criminals then call the victims’ contacts from the stolen numbers and, under various pretexts, persuade them to take out a loan in their name.

Hackers bypassed 2FA when hacking Xfinity email

Starting on December 19, Xfinity Mail users began receiving notifications that their account information had been updated, and then found themselves locked out because their passwords had been changed.

After regaining access, users discovered that their accounts had been compromised and that an unknown party had added a secondary email address on the yopmail.com domain (a disposable-mail service) to their profile.

The attackers bypassed two-factor authentication even on accounts where it was enabled, allegedly using a privately traded OTP-bypass technique for the Xfinity site that let them fake a successful 2FA check.

Having taken over the mailbox, the attackers reset its password and used it, with the secondary address as a fallback, to trigger password resets on other services, chiefly the cryptocurrency exchanges Coinbase and Gemini.

Xfinity has not commented officially, but according to one customer the company is aware of the incident and is investigating.

Ransomware attackers halt The Guardian publication

On the evening of December 20, The Guardian was hit by a ransomware attack by an unidentified group, Bloomberg reports.

The incident affected IT systems and several business units, and editors instructed staff to work from home for the rest of the week.

The newspaper continued to publish on its website and apps, and by December 23 the print edition was also being produced normally.

Technical details of the incident are unavailable; an investigation is ongoing.

Ukraine’s Ministry confirms attack by Ukrainian hackers on Rutube

Ukraine’s Minister of Digital Transformation, Mykhailo Fedorov, has acknowledged that Ukrainian hackers carried out the May 9 cyberattack on the Russian video-hosting service Rutube, Bloomberg reports.

According to Fedorov, since the war began the IT Army of Ukraine has repeatedly disrupted Russian services. He noted that the Rutube attack was timed to Victory Day.

“The IT Army even managed to hack Rutube employee badges to prevent them from entering the company,” the minister added.

On May 9 Rutube suffered the most severe cyberattack in its history and was unavailable for several days. At the time, Anonymous claimed responsibility, saying they had destroyed more than 75% of the primary databases and infrastructure and 90% of the backups and disaster-recovery clusters.

Russian taxi services will grant FSB access to their databases

The State Duma of the Russian Federation has passed, in its third reading, a law regulating taxi services.

The law obliges taxi services to give the FSB access to the information systems and databases they use to process and store orders.

The technical means used to process orders, and the databases themselves, must be hosted in the Russian Federation.

Also on ForkLog:

  • Bitcoins stolen from a Russian darknet marketplace were sent to aid Ukraine.
  • Authorities in Italy and Albania uncovered a fraudulent crypto-investment scheme.
  • On OpenSea, Bored Ape tokens worth millions of dollars were stolen.
  • Hackers demanded $2.25 million in Bitcoin from a Chinese electric-car manufacturer.
  • Telegram reported mass account thefts.
  • Since the start of the year, scammers have launched nearly 120,000 tokens.

What to read this weekend?

In late June, the Ronin sidechain was relaunched after the March hack in which $625 million was stolen. We suggest reading our piece on the project and on one of the largest hacks in the history of DeFi.

Read ForkLog’s Bitcoin news in our Telegram — cryptocurrency news, prices and analytics.
