At a glance.
- Royal Army accounts hijacked.
- A hacktivist group claims to have hit Iranian sites.
- Very large database of PII for sale on the dark web.
- Rogue employee makes off with bug reports.
- Threats and vulnerabilities surrounding cryptocurrency wallets.
- CISA adds a Windows issue to its Known Exploited Vulnerabilities Catalog.
- Ukrainian energy firm reports Russian cyberattack.
- NCSC updates its guidance on preparing for a Russian cyber threat.
Royal Army accounts hijacked.
Sunday afternoon the British Ministry of Defence Press Office tweeted a terse announcement that the MoD was aware of a cyber incident: "We are aware of a breach of the Army’s Twitter and YouTube accounts and an investigation is underway. The Army takes information security extremely seriously and is resolving the issue. Until their investigation is complete it would be inappropriate to comment further." The Army's own feed took an apologetic line towards any disappointed followers: "Apologies for the temporary interruption to our feed. We will conduct a full investigation and learn from this incident. Thanks for following us and normal service will now resume." It took the British Army about five hours to wrest back control of its Twitter account, the Telegraph reports.
It's unknown who hijacked the accounts or why, and the MoD isn't saying anything until it understands what happened. The Telegraph, quick to suspect the worst of the Russians, asked whether the incident was a Russian operation, but the MoD had no comment: as it has said, it isn't jumping to conclusions until it knows more. Bitdefender notes that many have concluded the incident must have been the work of a nation-state's espionage services, but it offers an alternative, arguably more probable, explanation: crypto scammers running an NFT fraud. Bitdefender points out that the hijacked YouTube account featured an NFT come-on with the inevitable bogus Elon Musk attribution.
A hacktivist group claims to have hit Iranian sites.
According to reports over the weekend, the group "Ghiam Sarnegouni" ("Uprising till Overthrow," apparently a group of anti-Tehran hacktivists) conducted a large operation against Iran's Islamic Culture and Communication Organization (ICCO). Six sites were hijacked and fifteen others were defaced with pictures of Iranian Resistance leaders Massoud Rajavi and Maryam Rajavi. Forty-four servers, a large number of endpoints, and at least thirty-five ICCO databases were wiped. Before the systems were wiped, the hacktivists are believed to have obtained ICCO data that include information about money laundering, front groups, and espionage and terrorist networks. The operation is said to have begun in the last week of January.
Iran Wire reports that Tehran has temporarily suspended Iranians' ability to access their bank accounts from abroad, apparently in response to recent nominally hacktivist actions: not only those by Uprising till Overthrow, but also the operations attributed last week to Predatory Sparrow. The authorities say the measure's purpose is "preventing cyber attacks."
Very large database of PII for sale on the dark web.
Also on Sunday, Binance's threat research team found a very large database of personally identifiable information offered on the dark web. "Our threat intelligence detected 1 billion resident records for sale in the dark web, including name, address, national id, mobile, police and medical records from one Asian country. Likely due to a bug in an Elasticsearch deployment by a gov agency. This has impact on hacker detection/prevention measures, mobile numbers used for account takeovers, etc. It is important for all platforms to enhance their security measures in this area. @Binance has already stepped up verifications for users potentially affected."
Binance is reticent about the source of the data, but others say they came from the Shanghai National Police. It's not clear who has obtained the information, but according to Bloomberg the data are being offered for ten bitcoin, roughly $200,000. HackRead reports that the data include the following kinds of information:
- Mobile number
- National ID Number
- All crime and case details
As Binance's tweet suggests, the data exposure appears to be traceable to a misconfiguration, not to a compromise or a breach proper. Reuters put the total number of people affected by the exposure at about one billion, but that figure rests on the claims of the person offering the data for sale. Someone using the nom-de-hack "China Dan" posted this message to Breach Forums late last week: "In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens. Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details." Reuters sensibly points out that these claims are so far unverified. The data offered for sale are said to amount in the aggregate to some twenty-three terabytes. It's obviously difficult to confirm the legitimacy of the sample data "China Dan" posted to show that he had the goods, but the Wall Street Journal spot-checked a few of the items by calling some people whose phone numbers appeared in the tease. In that tiny fraction of a billion or so records, the Journal found, the data were indeed genuine. Chinese authorities have so far issued no statement on the incident.
Rogue employee makes off with bug reports.
HackerOne disclosed this past Friday that a rogue insider, "a then-employee," as the company puts it, had been improperly accessing the bug-bounty platform's vulnerability disclosures with the aim of collecting "additional bounties" from HackerOne customers. Alerted to the problem by a customer (who reported an implausible disclosure, offered with uncharacteristically threatening language), HackerOne investigated and found that an employee had "improperly accessed security reports for personal gain." The improper access ran from April 4th through June 23rd of this year. HackerOne fired the employee, upgraded its security, and is considering referring the former employee for criminal prosecution.
Threats and vulnerabilities surrounding cryptocurrency wallets.
Vade has observed a phishing campaign consisting of a wave of more than 50,000 emails sent from a malicious Zendesk account. In one campaign the attacker impersonates TrustWallet, a cryptocurrency wallet app. The email carries the official TrustWallet logo, a support link, and Zendesk's legitimate footer. It says that an NFT update requires the wallet to be verified and that inaction will result in account suspension. The "Verify your wallet" link is shortened with s.id, which both hides the malicious destination and gives the phisher a dashboard of click analytics. The landing page displays a 10-second countdown to "open their secure internet environment," theatre intended to look like a legitimate safety precaution, after which it forwards the victim to the malicious site. There the victim is told to enter their recovery phrase to unlock the wallet; the form accepts both 12- and 24-word phrases. The phishing email isn't marred by the extensive grammatical errors many phishing emails carry, but it's not perfect either.
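The campaign stacks several tells that a mail gateway or a SOC triage script can score independently: a brand named in the body that doesn't match the sending domain, a link hidden behind a shortener, suspension-style pressure, and any mention of a recovery phrase. The following is an added example, not Vade's tooling or TrustWallet's, that scores a constructed copy of such an email with the Python standard library. s.id is the shortener named in the campaign; the other shortener entries, the trustwallet.com allow-list, the sender address and the link path are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# s.id is the shortener the campaign used; the rest are assumptions for the example.
SHORTENERS = {"s.id", "bit.ly", "tinyurl.com", "t.co", "cutt.ly"}
# Brand -> domains allowed to send mail about it (assumed allow-list, not verified).
BRAND_DOMAINS = {"trustwallet": {"trustwallet.com"}}
PRESSURE = ("suspend", "suspension", "verify your wallet", "within 24 hours", "immediately")
SEED_TERMS = ("recovery phrase", "seed phrase", "secret phrase", "12-word", "24-word", "mnemonic")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample modelled on the campaign described above; not a real capture.
PHISH_EMAIL = """\
From: Trust Wallet Support <support@wallet-helpdesk.zendesk.com>
To: victim@example.com
Subject: Action required: verify your wallet before the NFT update
Content-Type: text/plain; charset=utf-8

Dear user,

Our latest NFT update requires every Trust Wallet to be verified.
Inaction will result in account suspension within 24 hours.

Verify your wallet: https://s.id/example-verify-link

Trust Wallet Support
"""

# Constructed benign sample for comparison.
BENIGN_EMAIL = """\
From: Trust Wallet <noreply@trustwallet.com>
To: user@example.com
Subject: Your support ticket has been closed
Content-Type: text/plain; charset=utf-8

Thanks for contacting Trust Wallet. Your ticket is now closed.
"""


def body_text(msg):
    """Plain text of a (possibly multipart) message; HTML parts are included raw."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_email):
    """Score one RFC 822 message and return verdict, score, reasons and links."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    low = text.lower()
    squashed = low.replace(" ", "")          # catches "Trust Wallet" as well as "TrustWallet"
    reasons = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in squashed and sender_domain not in allowed:
            reasons.append(f"talks about {brand} but was sent from {sender_domain}")
    urls = URL_RE.findall(text)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            reasons.append(f"link hidden behind shortener {host}: {url}")
    if any(k in low for k in PRESSURE):
        reasons.append("suspension/urgency pressure")
    if any(k in low for k in SEED_TERMS):
        reasons.append("mentions a recovery/seed phrase (no legitimate support flow needs it)")
    score = len(reasons)
    verdict = "phish" if score >= 2 else ("review" if score == 1 else "ok")
    return {"verdict": verdict, "score": score, "reasons": reasons, "urls": urls}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        result = triage(sample)
        print(f"{label}: {result['verdict']} ({result['score']})")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The brand check is the important one: a Zendesk-hosted sender gets a real footer and a clean reputation, so signals that depend on the sending infrastructure being shady fail here, while "talks about the wallet but doesn't come from the wallet's domain" still fires. The shortener check only sees the first hop; resolving s.id links to their destination would need a network fetch and belongs in a sandbox, not the gateway.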
CISA adds a Known Exploited Vulnerability to its catalog.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-26925 to its Known Exploited Vulnerabilities Catalog. The entry concerns the Microsoft Windows Local Security Authority (LSA) and describes "a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM." The prescribed mitigation is to apply Microsoft's June patch, which agencies under CISA's oversight must do by close of business on July 22, 2022.
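CISA's entry describes the effect (a domain controller coerced into authenticating to the attacker over NTLM) but not how a defender would notice it. The following is an added example, not CISA's or Microsoft's code: one detection run over Windows 4624 (successful logon) events exported as JSON, which flags a domain-controller machine account authenticating over NTLM from an address that isn't a DC. That is what a coerced authentication looks like on the host it is relayed to. The field names are the event's own; the DC account names, addresses and the event records are constructed for the example.

```python
import json

# Assumptions for this added example (not from CISA's entry): the domain's
# domain-controller machine accounts and the addresses they legitimately use.
DC_ACCOUNTS = {"DC01$", "DC02$"}
DC_IPS = {"10.0.0.10", "10.0.0.11"}

# Constructed 4624 records, one JSON object per line, using the real field names
# a SIEM export carries. Only the second line is the pattern we want.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "DC02.corp.local", "TargetUserName": "DC01$", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.10", "WorkstationName": "DC01"}
{"EventID": 4624, "Computer": "CA01.corp.local", "TargetUserName": "DC01$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77", "WorkstationName": "WS-LAPTOP"}
{"EventID": 4624, "Computer": "FS01.corp.local", "TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77", "WorkstationName": "WS-LAPTOP"}
{"EventID": 4624, "Computer": "DC01.corp.local", "TargetUserName": "DC02$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.11", "WorkstationName": "DC02"}
"""


def parse_events(ndjson):
    """Newline-delimited JSON -> list of event dicts; blank lines are skipped."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def is_coerced_dc_logon(ev):
    """A DC machine account arriving over NTLM as a network logon (type 3) from
    an address that is not a DC: the signature of a coerced authentication
    being relayed onto the host that logged the event."""
    if ev.get("EventID") != 4624 or str(ev.get("LogonType")) != "3":
        return False
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if ev.get("TargetUserName", "") not in DC_ACCOUNTS:
        return False
    return ev.get("IpAddress") not in DC_IPS


def find_coerced_dc_logons(events):
    return [ev for ev in events if is_coerced_dc_logon(ev)]


if __name__ == "__main__":
    for hit in find_coerced_dc_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['Computer']}: {hit['TargetUserName']} via NTLM "
              f"from {hit['IpAddress']} (claims to be {hit['WorkstationName']})")
```

Two caveats a practitioner should keep in mind. WorkstationName in an NTLM logon is supplied by the client, so an attacker's relay can claim to be the DC; key on IpAddress, and keep the DC_IPS allow-list complete (IPv6 and secondary addresses included), because legitimate DC-to-DC NTLM fallback does occur and will otherwise show up as noise. And the attacker's own listener never sends you an event: this catches the relay landing on a server you do log, not the coercion itself, so it complements the patch rather than replacing it.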
Cyberattack hits Ukrainian energy provider.
DTEK Group, Ukraine's largest private energy firm and an operator of power plants in various parts of the country, said Friday that it had been the victim of a cyberattack. The attack, in CNN's account, had several goals: as DTEK put it, to "'destabilize the technological processes' of its distribution and generation firms, spread propaganda about the company's operations, and 'to leave Ukrainian consumers without electricity.'" XakNet ("HackNet"), a hacktivist organization that's transparently a GRU front (whatever its denials on Telegram may say), claimed last week to have penetrated DTEK's networks and published some screenshots as coup-counting evidence of its success, but the actual consequences of the operation, if any, remain unclear.
Vosvete IT, relying in part on information from Slovakia's National Security Authority, makes two points that place the incident in the larger context of both lawfare and kinetic combat. "These cyber attacks on the consortium occurred just days after Rinat Akhmetov, one of the richest men in Ukraine and a shareholder of DTEK, sued Russia at the European Court of Human Rights for causing billions in damages to his assets," and they also occurred at about the same time that Russian forces shelled a DTEK power plant in Kryvyi Rih, a mining and industrial city in Dnipropetrovsk region.
NCSC updates its guidance on preparing for a long-term Russian cyber campaign.
The UK's National Cyber Security Centre (NCSC) has updated its earlier guidance on preparing for the consequences of a long-running, extensive Russian cyber campaign. The update focuses on how a heightened state of alert can be maintained for an indefinite period of time, in the face of a complicated threat whose outlines remain unclear:
"That is why we have published the new guidance on maintaining a strengthened cyber security posture in a sustainable way. It contains advice for business leaders and managers about how to manage the residual risk from an extended period of heightened cyber threat whilst prioritising staff wellbeing, and stresses the importance of:
- "revisiting risk-based decisions to ensure defences are implemented in an efficient way for the long term
- "empowering frontline staff to take decisions about prioritisation
- "ensuring that workloads are spread across individuals and teams and that frontline staff can take breaks to recharge
- "providing resources to managers and teams to recognise the signs of someone who is struggling".
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.