Yanluowang hackers breach, Telegram Premium cancellations and other cybersecurity events

We round up the week\’s most important cybersecurity news.

Yanluowang hackers breached; their internal chats leaked

KELA analysts reported a leak of internal chats from the Yanluowang hacking group that compromised Cisco in May this year.

The January–September 2022 chats were conducted in Russian. Initially, many believed Yanluowang was a Chinese hacking group.

Experts said the chats include discussions by hackers using the handles saint, killanas and stealer. Saint is believed to head the group, while killanas handles coding.

According to one source, aliases of the attackers have been identified on various hacker forums. Another report says Yanluowang members have been fully de-anonymised, including their real names and social media accounts.

Based on leaked data, experts found that:

• Yanluowang has existed since at least autumn 2021;
• the attackers reportedly use Nyx malware in their operations;
• the hackers are developing malware for ESXi;
• On May 14, 2022, Saint said that the group had earned $1 million this year (it is unclear whether this referred to total ransoms or the largest one).

According to Risky Business, the leak likely stemmed from a major breach. Unknown individuals gained control over the internal Matrix chat server used by the group and compromised Yanluowang\’s leak site on the dark web.

On it the hackers posted a message with Telegram and Twitch accounts where links to stolen chat logs were posted. Screenshots of the decryption procedure for the Yanluowang ransomware can also be found online.

The organiser behind the breach is not yet identified. Some say it could be a former member or an unknown cybersecurity expert; another theory suggests a Cisco security employee seeking revenge for the May breach.

Telegram begins cancelling Premium subscriptions obtained fraudulently

On the evening of 31 October, Telegram began sending notices that Premium subscriptions purchased from third parties would be disabled. The scheme of bypassing the official bot was run by three Moscow schoolchildren, according to “Code of Durov”.

In August, a teenager nicknamed Martov discovered a bug in the messenger. At the moment of purchasing a gift subscription on an iPhone with a jailbreak and installed LocalIAPStore he pressed the “cancel” button. Nevertheless, the subscription activated for free.

Martov and his friends — Munfizy and Filya — decided to profit from the vulnerability by reselling subscriptions at a 50% discount off the official price (for 450, 900 or 1,400 rubles depending on the duration).

Later the teenagers split into two teams and began drawing more people into the scheme, mainly from among acquaintances.

“All of our network could bring in roughly $5,000-6,000 a day. I believe Telegram losses could amount to $3 million to $5 million. Only our two teams managed to activate subscriptions for more than 150,000 accounts,” Munfizy said.

Soon there were more than 25 “companies” offering Premium subscriptions at discounted prices. All exploited the same bug and operated on the original scheme. At one point the price of Premium subscriptions on the black market fell by almost 10 times.

Subsequently the friends sold the scheme to outsiders for $5,000.

One of the three initial bug discoverers, speaking anonymously, told journalists that he earned about $80,000 from the vulnerability. He provided personal-account statements as evidence.

On 29 October, Munfizy decided to disclose information about the scheme and to pass the data to the Telegram team with an explanation of how to fix the bug.

A Telegram-insider confirmed to Code of Durov that the described vulnerability existed and has been fixed. He added that developers identified users with such subscriptions and began disabling their Telegram Premium.

According to available data, the messenger did not pay the schoolchildren for discovering the bug.

AstraZeneca confirms patient data exposure

Pharma giant AstraZeneca had for a year left exposed a set of internal passwords that unlocked access to confidential patient information. TechCrunch reports this by SpiderSilk researchers.

They say that in 2021 the developer left passwords for AstraZeneca\’s internal server on GitHub. They allowed access to a test Salesforce cloud environment that the company uses to interact with customers. It contained some patient information, including those who used the AZ&ME app to obtain discounts on medicines.

AstraZeneca removed the GitHub repository containing the credentials a few hours after TechCrunch\’s notification.

A company spokesperson described the incident as a “user error” and said an internal investigation had begun.

AstraZeneca did not say why confidential information was stored in a test environment or whether the company has the technical means to determine whether anyone could access it.

Experts uncovered Laplas Clipper with enhanced spoofing of Bitcoin addresses

The new Laplas Clipper does not merely substitute the recipient\’s wallet and the attacker’s addresses — it generates addresses that closely resemble the copied ones in under a second, researchers at Cyble report.

The clipper\’s mechanism could not yet be determined — the process runs on the attackers\’ server.

Laplas supports creating addresses across networks including Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Dogecoin, Monero, Algorand, Ravecoin, XRP, Zcash, Dash, Ronin, Tron, Tezos, Solana, Cardano, Cosmos, Qtum, and in the Steam Trade store.

According to a dark-web advertisement, generated wallets are stored in a database for three days. However operators can send access keys to their Telegram account to regain control of the assets later.

An annual subscription with access to a web panel for attack orchestration costs $549.

Currently, Laplas is distributed via Smoke Loader and Raccoon Stealer 2.0, signaling interest from cybercriminals.

Emotet botnet resumes activity after five months’ hiatus

On 2 November, Emotet malware, inactive since June, began distributing malicious spam again. Cryptolaemus researchers note this.

According to them, the new spam campaign uses previously stolen email-thread chains to distribute malicious Excel attachments disguised as various invoices, scans and other documents.

The attachments also include instructions for bypassing Microsoft Protected View. This mode, when opening internet-downloaded files, prevents macros from running that install malware.

The malware runs on the infected machine in the background, connecting to the attackers\’ command server for further instructions.

So far, Emotet does not deliver additional payloads to victims\’ devices, so the campaign\’s objectives remain unclear.

Twitter users targeted by phishing emails after Musk\’s paid verification announcement

Following Elon Musk\’s announcement of plans to charge $8 per month for verified Twitter accounts, users started receiving phishing emails. BleepingComputer reports.

The emails instruct users to immediately log into their Twitter accounts, threatening suspension.

According to BleepingComputer, the phishing emails originate from hacked sites and blogs that may run outdated WordPress versions or vulnerable plugins.

Clicking the link takes the user to a phishing webpage where they are asked to enter their login, password and the two-factor SMS code.

The emails vary in appearance. Some look more convincing and use Twitter branding.

Subsequently, with compromised accounts, attackers could impersonate others, mislead the public or promote crypto scams.

Over a million Google Play users downloaded data-stealing malware

Google Play detected four malicious apps that steal sensitive information and generate revenue for the attackers per click. Collectively they were downloaded more than 1 million times, Malwarebytes reports.

All apps are created by Mobile apps Group and at the time of writing remain available in the Play Store. Researchers note that the developer previously was caught twice distributing adware in Google Play but allowed to continue after publishing “clean” versions.

Among the new malicious apps:

• Bluetooth App Sender — over 50,000 downloads;
• Bluetooth Auto Connect — over 1 million downloads;
• Driver: Bluetooth, Wi-Fi, USB — over 10,000 downloads;
• Mobile transfer: smart switch — over 1,000 downloads.

All redirect users to sites offering fake security tools or updates.

Experts note that the apps pause 72 hours before showing the first ad or opening a phishing link, then gradually increasing the number of tabs with similar content. New tabs open even on a locked device.

The apps have no positive reviews, and many users report intrusive ads. Some comments prompt responses from the developers offering help.

Also on ForkLog:

• Web3 ecosystem losses from exploits since the start of the year have approached $3 billion.
• The Deribit crypto-derivatives exchange suffered a $28 million breach.
• The attacker withdrew $1.26 million from the Solend lending protocol.
• Bitcoin ransomware attacked Russians posing as a security update.
• Decentralized exchange Rubic hacked for $1.2 million.
• Crypto exchange aggregator BestChange.ru unblocked in Uzbekistan.
• Gala Games token plunged 25% amid concerns of a multi-million-dollar breach.

What to read this weekend?

We explain how bitcoins become dirty and whether it\’s possible to avoid tracking on the Bitcoin network.

Follow ForkLog\’s Bitcoin news in our Telegram — news on cryptocurrencies, rates and analysis.

Telegram — news on cryptocurrencies, rates and analysis.