Cybersecurity Weekly: DarkSide quits, STRRAT attacks, Mercari data breach
The DarkSide ransomware gang quits after their servers and Bitcoin stash are seized. The STRRAT RAT is masquerading as ransomware. An e-commerce giant suffers a major data breach in the Codecov incident. All this, and more, in this week’s edition of Cybersecurity Weekly.
1. DarkSide ransomware gang quits after servers, Bitcoin stash seized
The DarkSide ransomware gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates. The farewell message includes passages apparently written by a leader of the REvil ransomware-as-a-service platform.
2. STRRAT RAT masquerading as ransomware
Microsoft Security Intelligence researchers uncovered a malware campaign spreading a remote access trojan tracked as STRRAT. The RAT is designed to steal data from victims while masquerading as a ransomware attack: it appends the .crimson extension to files without actually encrypting them, so the "encrypted" files are still intact and can be recovered by removing the extension.
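A triage script for that failure mode, added here as an example (it is not code from the original page or from Microsoft). Files that were merely renamed keep their original magic bytes and plaintext-level entropy, while genuinely encrypted files lose both; the script classifies each `.crimson` file on that basis and strips the fake extension only from files it judges intact. The extension, the entropy threshold and the sample files are assumptions constructed for the demo, not victim data.

```python
"""Triage fake-ransomware renames: distinguish renamed-only files from encrypted ones."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

FAKE_EXT = ".crimson"      # extension appended by the campaign described above
ENTROPY_THRESHOLD = 7.2    # bits/byte (assumed cut-off): ciphertext sits near 8.0, text and most documents well below

# A file that was only renamed still starts with its real header.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",
    b"\x7fELF": "elf",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """'renamed_only' if the content still looks like the original file, else 'possibly_encrypted'."""
    if any(data.startswith(sig) for sig in MAGIC):
        return "renamed_only"
    # Sample at most the first 64 KiB; that is enough to separate plaintext from ciphertext.
    if shannon_entropy(data[:65536]) < ENTROPY_THRESHOLD:
        return "renamed_only"
    return "possibly_encrypted"


def triage(root: Path) -> dict:
    """Map every *.crimson file under root to its verdict."""
    return {p: classify(p.read_bytes()) for p in root.rglob("*" + FAKE_EXT) if p.is_file()}


def restore(path: Path) -> Path:
    """Strip the fake extension. Call only for files classified as renamed_only."""
    target = path.with_name(path.name[: -len(FAKE_EXT)])
    if target.exists():
        raise FileExistsError(target)  # never clobber a surviving original
    path.rename(target)
    return target


def demo() -> dict:
    """Run the triage over constructed sample files (not real victim data) in a temp dir."""
    root = Path(tempfile.mkdtemp())
    # Constructed samples: a renamed PNG, a renamed text file, and random bytes standing in
    # for a file that really was encrypted.
    (root / ("logo.png" + FAKE_EXT)).write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300)
    (root / ("notes.txt" + FAKE_EXT)).write_bytes(b"meeting notes: Q2 budget review\n" * 40)
    (root / ("secret.bin" + FAKE_EXT)).write_bytes(os.urandom(4096))

    verdicts = {p.name: v for p, v in triage(root).items()}
    restored = sorted(restore(p).name for p, v in triage(root).items() if v == "renamed_only")
    return {"verdicts": verdicts, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

Run the triage on a copy of the affected share first: the entropy check is a heuristic, so a file that is itself compressed or encrypted by design (an archive without a recognised header, an encrypted container) can be reported as possibly_encrypted even though it was only renamed.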
3. E-commerce giant suffers major data breach in Codecov incident
E-commerce platform Mercari disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack. The company confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov breach.
4. Comcast now blocks BGP hijacking attacks and route leaks with RPKI
Comcast recently deployed RPKI (Resource Public Key Infrastructure) route origin validation on its network to defend against BGP route hijacks and leaks. A BGP route hijack occurs when a network falsely announces that it originates, or can reach, IP prefixes it does not actually hold. Left unchecked, a hijack can misdirect large volumes of internet traffic.
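The check that RPKI adds is route origin validation: each announced prefix is compared against signed Route Origin Authorizations (ROAs), and a route is Valid, Invalid or NotFound depending on whether a covering ROA authorises the announcing AS at that prefix length. The following is an added example implementing that decision procedure and the "drop Invalid" policy; it is not Comcast's code or configuration. The ROAs and announcements are constructed from documentation prefixes and private ASNs.

```python
"""RPKI route origin validation (RFC 6811 semantics) over constructed ROAs and announcements."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: object       # IPv4Network or IPv6Network
    max_length: int      # longest prefix length the holder authorises
    asn: int             # authorised origin AS; AS 0 means "nobody may originate this"


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    return ROA(ip_network(prefix), max_length, asn)


# Constructed sample ROAs (documentation address space, private ASNs); not real registry data.
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64500),
    roa("2001:db8::/32", 48, 64496),
    roa("203.0.113.0/24", 24, 0),      # AS0 ROA: the prefix must never appear in BGP
]

# Constructed announcements as (prefix, origin AS).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),           # legitimate origin
    ("192.0.2.0/24", 64511),           # same prefix, wrong origin: a hijack
    ("192.0.2.128/25", 64500),         # right origin but more specific than maxLength allows
    ("198.51.100.0/24", 64500),        # no ROA covers it
    ("2001:db8:1::/48", 64496),        # IPv6, within maxLength
]


def validate(prefix: str, origin_asn: int, roas) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one (prefix, origin AS) announcement."""
    ann = ip_network(prefix)
    # A ROA covers the announcement if the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas if r.prefix.version == ann.version and ann.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    # Valid needs one covering ROA that both names this origin AS and permits this length.
    for r in covering:
        if r.asn == origin_asn and ann.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def filter_routes(announcements, roas, drop_invalid: bool = True):
    """Apply the common policy: drop Invalid routes, keep Valid and NotFound."""
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate(prefix, asn, roas)
        bucket = dropped if (state == "Invalid" and drop_invalid) else accepted
        bucket.append((prefix, asn, state))
    return accepted, dropped


if __name__ == "__main__":
    accepted, dropped = filter_routes(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for route in accepted:
        print("ACCEPT", route)
    for route in dropped:
        print("DROP  ", route)
```

Note what the policy does not do: a NotFound route is still accepted, because most of the routing table is not yet covered by ROAs, so RPKI only stops hijacks of prefixes whose holders have published ROAs. Publishing an AS0 ROA for unallocated or reserved space, as in the third sample, makes any announcement of it Invalid.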
5. CNA Financial reportedly paid hackers $40 million in ransom
U.S. insurance giant CNA Financial reportedly paid $40 million to a ransomware gang to recover access to its systems following an attack in March, making it one of the most expensive ransoms paid to date. The company’s public statement said no evidence was found to indicate that external customers were at risk of infection due to the incident.
6. Air India hack exposes credit card and passport info of 4.5 million passengers
India's flag carrier, Air India, disclosed a data breach affecting 4.5 million customers after its Passenger Service System provider fell victim to a cyber attack earlier this year. The exposed records cover personal data registered over nearly ten years, between August 2011 and February 2021.
7. 23 Android apps expose over 100 million users' personal data
Misconfigurations in multiple Android apps leaked sensitive data of more than 100 million users, making them a lucrative target for malicious actors. The issues stem from misconfigured real-time databases and from push notification and cloud storage keys embedded in the apps, resulting in the exposure of emails, phone numbers, chat messages, location data, passwords, backups, browser histories and photos.
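The first step in checking an app for this class of issue is to decode the APK and look in its resources for the database endpoints, storage buckets and keys it carries. Below is an added example scanner (not code from the original page or from the researchers) that runs heuristic patterns over a decoded strings.xml; the sample resource file, the Firebase and AWS patterns and the app name are constructed assumptions. The AWS key in the sample is AWS's own published documentation example, not a real credential.

```python
"""Scan decoded Android resources for embedded cloud endpoints and keys."""
import re
from pathlib import Path

# Constructed sample of a decoded res/values/strings.xml (not from any real app).
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">SampleChat</string>
    <string name="firebase_database_url">https://samplechat-12345.firebaseio.com</string>
    <string name="google_storage_bucket">samplechat-12345.appspot.com</string>
    <string name="google_api_key">AIzaSyA_constructed_example_key_0000000</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="support_url">https://example.com/support</string>
</resources>
"""

# Heuristic patterns (assumed formats). Each hit is a lead to verify, not a confirmed finding:
# a realtime DB URL is only a problem if its rules allow unauthenticated access, and a Google
# API key is normally shipped in the app but should be restricted to this app's package/signature.
# An AWS access key ID, by contrast, should never be in a client binary at all.
PATTERNS = {
    "firebase_realtime_db": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "firebase_storage_bucket": re.compile(r"\b[a-z0-9-]+\.appspot\.com\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# What to check next for each kind of hit, for the report.
NEXT_STEP = {
    "firebase_realtime_db": "GET <url>/.json without credentials; anything other than a permission error means the rules are open",
    "firebase_storage_bucket": "attempt an unauthenticated object listing/download against the bucket",
    "google_api_key": "check the key's application and API restrictions in the cloud console",
    "aws_access_key_id": "treat as leaked: rotate it and review what it could access",
}


def scan_resources(text: str) -> list:
    """Return sorted (kind, value) pairs found in one resource file."""
    hits = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.add((kind, match.group(0)))
    return sorted(hits)


def scan_tree(root: Path) -> dict:
    """Scan every .xml/.json/.properties file under a decoded APK directory."""
    findings = {}
    for path in root.rglob("*"):
        if path.suffix in (".xml", ".json", ".properties") and path.is_file():
            hits = scan_resources(path.read_text(errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings


def report(hits: list) -> list:
    """Attach the follow-up check to each hit."""
    return [(kind, value, NEXT_STEP[kind]) for kind, value in hits]


if __name__ == "__main__":
    for line in report(scan_resources(SAMPLE_STRINGS_XML)):
        print(line)
```

Point `scan_tree` at the output of an APK decoder (the directory containing `res/values/`) to run it over a real app. The scanner finds where to look; whether the database, bucket or key is actually exposed depends on the server-side rules and restrictions, which is exactly what the apps above got wrong.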
8. Watering hole attack was used to target Florida water utilities
An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what's known as a watering hole attack. The compromised website did not deliver exploit code or attempt to gain access to visitors' systems.
9. Zeppelin ransomware comes back to life with updated versions
The developers of Zeppelin ransomware resumed their activity after a period of relative silence and started advertising new versions of the malware. A recent variant became available on a hacker forum at the end of last month, offering buyers in the ransomware business complete independence from the developers.
10. Indonesia blocks access to RaidForums hacking forum after data leak
The Indonesian government is blocking access to the RaidForums hacking forum after the alleged personal information of Indonesian citizens was posted online. The threat actor claims the database contains Indonesians' KTP NIK number, KK number, full name, place of birth, date of birth and other sensitive and personal information.