Top news stories this week
- Hive-ing a bad day. Ransomware-as-a-service operation Hive shut down.
- I predict a riot. Video game developer Riot Games falls victim to cyber attack.
- In the spotlight. T-Mobile and Arnold Clark under pressure following data breaches.
- Coin trace. The FBI traces USD 100 million of stolen funds to North Korean hackers.
- Get stuffed. ‘Credential stuffing’ used to breach 35,000 PayPal accounts.
- Lunar-cy. Chinese hackers deface South Korean state institution websites over New Year.
- Noted! Microsoft OneNote attachments become the newest vector for malware.
1. Hive ransomware network shut down and decryptor leaked
The US Department of Justice has shut down the website of a major ransomware network, Hive. The FBI penetrated the network in July 2022, capturing over 300 decryption keys that were then handed over to companies compromised by the gang. The FBI also distributed more than 1,000 additional decryption keys to previous Hive victims.
Hive is believed to have extorted more than USD 100 million from victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure. So, the shutdown is welcome news!
2. Riot Games hacked
Video game developer Riot Games has confirmed that a threat actor compromised their development environment last week. The hackers gained access through social engineering and exfiltrated source code of popular games, including League of Legends. The threat actor has demanded USD 10 million to prevent source code from being leaked and deleted from their servers.
Social engineering remains a favourite point of entry for threat actors, with emails being a common delivery method. Organisations must secure their email environment through measures such as conditional access policies, email filtering solutions, and employee training programmes.
3. T-Mobile and Arnold Clark customer data leaked
The Play ransomware group has leaked customer data belonging to British car dealership Arnold Clark, including passport and bank details. Play has allegedly threatened to leak further tranches of data if the ransom is not paid.
Separately, telecommunications giant T-Mobile has disclosed a data breach going back to November 2022, affecting 37 million customer accounts. The attackers reportedly accessed personal customer information, including names, addresses, emails, phone numbers, and dates of birth.
Data breaches can be particularly damaging to a company's reputation. The extent of reputational damage is often dependant on how an organisation reacts in the immediate stages of a breach. Incident response and crisis management plans are crucial components for managing reputational risk.
4. The FBI traces stolen funds to North Korea
The FBI has traced USD 100 million worth of Ethereum stolen from the cryptocurrency firm Harmony Horizon back to the North Korean government-linked Lazarus Group. Investigators identified the hackers when they moved part of the funds through Railgun, a privacy enhancing system, before depositing the funds to addresses associated with the group.
Cryptocurrency was once considered anonymous, but advances in tracing methodologies mean that it is possible for law enforcement agencies to track down and seize the proceeds of crime.
5. Credential attack at PayPal
Online payment platform PayPal has announced that hackers breached nearly 35,000 user accounts in December. The attack technique involved so called ‘credential stuffing’ where the hackers accessed previously leaked PayPal login information. The hackers accessed sensitive data such as full names, social security numbers, card details, and transaction histories.
Credential stuffing attacks demonstrate the importance of good password management. On top of enforcing multi-factor authentication, organisations should ensure password policies and their subsequent implementation follow industry best practice.
6. Chinese hackers deface websites
A Chinese hacking group dubbed Xiaoqiying has claimed responsibility for an attack that defaced the websites of 12 South Korean state-run institutions over the Lunar New Year holiday. Authorities have been put on high alert after the group announced it would target over 2,000 Korean organisations, in what it called ‘an invasion into Korea’s internet’.
A common method of attacking websites involves exploiting outdated third-party software. Ensuring that you regularly apply security updates and patches is an easy way to protect your website from attack.
7. Microsoft OneNote attachments used in phishing attacks
Recent trends indicate that threat actors have begun using Microsoft OneNote attachments in phishing emails to distribute malware. It appears that organisations such as DHL are being spoofed to encourage users to click through the OneNote attachment.
Caution and suspicion should be employed when receiving unprompted emails containing attachments and links. Organisational investment in phishing awareness training and simulations will help employees identify fraudulent requests and reduce the likelihood of a successful phishing attack.