At a glance.
- Tencent now surveilling non-domestic users of WeChat.
- Snake ransomware has become a doxing tool as well.
- "Shiny Hunters" sell stolen personal information on the dark web.
- MobiFriends breached.
Tencent now surveilling non-domestic users of WeChat.
The University of Toronto's Citizen Lab is warning of another ongoing Chinese surveillance effort, this one involving Tencent's use of its popular WeChat app to monitor content exchanged among users outside China, including the Chinese diaspora. Content moderation, in practice the suppression of politically sensitive topics, has long been applied to WeChat accounts registered in China. What's new is that documents and images sent between accounts registered outside China are also being analyzed. Citizen Lab's conclusion is that this content is used to train and expand the censorship system applied to China-registered accounts, so non-Chinese users are in effect feeding the filter even though they are not themselves subject to it.
Snake ransomware has become a doxing tool as well.
Tripwire says that Snake has apparently joined other ransomware families in stealing sensitive data, then threatening to publish it on victim-shaming sites.
The strain, which MalwareHunterTeam warned of back in January, has been noted for the attention it pays to obfuscation as well as for its ability to reach across a victim's network and encrypt files on every device it can reach, not just the host it lands on. Dragos, which calls the malware "Ekans" ("Snake" spelled backwards, to avoid confusion with the unrelated malware also called "Snake" or some variation thereof that is associated with the Turla threat actor), reported its activity against industrial control systems; Dragos's researchers were probably the first to observe the strain.
KrebsOnSecurity reported that Snake was implicated in an attack against Germany-based Fresenius Group, Europe's largest private hospital network. Fresenius declined to go into much detail about the incident, but a company spokesman told KrebsOnSecurity “I can confirm that Fresenius’ IT security detected a computer virus on company computers. As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relevant investigating authorities and while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”
The campaign is unlikely to be an isolated attack on Fresenius. While Fresenius is a big enterprise, the current Snake outbreak seems to be part of a larger effort against healthcare organizations working to provide emergency care during the COVID-19 pandemic. Data availability is of course immediately threatened by any ransomware attack, but exfiltration before encryption turns it into a data breach as well: backups can restore availability, but they do nothing for data already in the attacker's hands, and the victim now faces the breach-notification obligations that go with lost confidentiality.
"Shiny Hunters" sell stolen personal information on the dark web.
ZeeBusiness reports that the online learning service Unacademy, active principally in India, has apparently been hacked. Researchers at Cyble say they've found personal information taken from the platform offered for sale in dark web markets. The data include "usernames, hashed passwords, email addresses, and first and last names of users." Unacademy has acknowledged the breach, and said that some eleven million users were affected. "Hashed" is no reassurance on its own: unless the platform used a salted, deliberately slow algorithm, the hashes can be cracked offline against ordinary wordlists, and anyone who reused that password elsewhere should rotate it.
According to BleepingComputer, the group behind the theft and sale of the Unacademy data calls itself "Shiny Hunters." They've also claimed responsibility for the Tokopedia hack. Their most recent offerings come from three hacks, the victims of which are HomeChef (a meal kit delivery outfit), ChatBooks (which prints photos), and Chronicle.com (a news source). The three stolen databases include in the aggregate some twenty-six million accounts. The Shiny Hunters tell BleepingComputer (which hasn't been able to verify the gang's claims or the authenticity of the data being sold) that they have other databases in hand that they intend to begin selling shortly.
MobiFriends breached.
Barcelona-based online dating service MobiFriends has apparently been breached. Risk Based Security reports that it's found nearly four million stolen credentials on a dark web forum. The credentials had originally been offered for sale, but the hackers are now simply making them freely available, which means they will quickly be absorbed into the combolists used for credential stuffing against other services. The researchers say the data appear to be authentic.
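Both the Unacademy and the MobiFriends dumps are described as containing hashed or stolen credentials, and the practical question for affected users is how much protection a hash actually buys. The following is an added illustration, not code from the page or from any of the breached services, and the page does not say which hash algorithm either platform used; the unsalted SHA-256 scheme here is a hypothetical stand-in for a weak choice, and the users, passwords and wordlist are constructed. It shows that an unsalted fast hash lets an attacker recover every victim at the cost of one hash per wordlist entry, while a per-user salt plus a memory-hard function (scrypt from the standard library) forces one full evaluation per user per candidate, so the work grows with the number of victims.

```python
from __future__ import annotations

import hashlib
import secrets

# Constructed wordlist standing in for a real cracking list such as rockyou.txt.
WORDLIST = ["password", "123456", "qwerty", "letmein", "summer2020", "unacademy123"]

# Constructed victims (hypothetical, not real breach data).
USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "qwerty",
    "dave": "summer2020",
    "eve": "Tr0ub4dor&3",   # not in the wordlist; survives both attacks
}


def weak_hash(password: str) -> str:
    """Unsalted fast hash: the same password gives the same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(dump: dict, wordlist: list) -> tuple[dict, int]:
    """Hash each candidate once, then look every victim up in that table.
    Returns (recovered {user: password}, number of hash computations)."""
    table = {weak_hash(w): w for w in wordlist}
    recovered = {u: table[h] for u, h in dump.items() if h in table}
    return recovered, len(wordlist)


SCRYPT = dict(n=2**13, r=8, p=1)   # memory-hard; raise n in production


def strong_hash(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus scrypt, stored as hex(salt)$hex(key)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"{salt.hex()}${key.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored salt; constant-time compare of the key."""
    salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return secrets.compare_digest(key.hex(), key_hex)


def crack_strong(dump: dict, wordlist: list) -> tuple[dict, int]:
    """The salt defeats the shared table: every (user, candidate) pair costs
    one full scrypt evaluation, so work scales with the number of victims."""
    recovered, computed = {}, 0
    for user, stored in dump.items():
        for w in wordlist:
            computed += 1
            if verify_strong(w, stored):
                recovered[user] = w
                break
    return recovered, computed


# Two "leaked databases" of the same constructed users under each scheme.
WEAK_DUMP = {u: weak_hash(p) for u, p in USERS.items()}
STRONG_DUMP = {u: strong_hash(p) for u, p in USERS.items()}

if __name__ == "__main__":
    for name, crack, dump in (("sha256", crack_weak, WEAK_DUMP),
                              ("scrypt", crack_strong, STRONG_DUMP)):
        found, work = crack(dump, WORDLIST)
        print(f"{name}: recovered {len(found)}/{len(dump)} accounts "
              f"with {work} hash computations")
```

The same wordlist recovers the same four weak passwords under both schemes; what changes is the cost. The unsalted table is built once (six hashes) and serves the whole dump, whereas the salted, memory-hard scheme needs a separate evaluation for every user and candidate, which is what makes cracking a multi-million-row dump expensive. Neither scheme protects a user whose password is in the wordlist, which is why reused passwords from any of these breaches should be treated as burned.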