At a glance.
- Notes on the Robinhood attackers' technique.
- Trickbot, Shatak, and Conti, together at last...
- Hong Kong watering hole campaign.
Robinhood attackers appropriated internal employee tool.
As we noted earlier this week, the popular commission-free stock trading platform Robinhood Markets suffered a data breach that potentially exposed the data of nearly 7 million users. The investigation has found that the threat actors gained access to Robinhood's systems through an internal tool that lets employees access user accounts for administrative purposes, including removing account security protections. A Robinhood spokesperson told Vice, "Certain authorized Robinhood employees have the ability to update accounts as necessary to provide customer support or service accounts, as is standard at most financial institutions and platforms." Robinhood says the attackers made no changes to user accounts, but the incident shows how damaging such tools can be once an outsider controls them: a support console that can look into any account and strip its protections is a single point of compromise, so its use should be tied to a ticket, logged, and monitored for bulk access.
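The monitoring the previous paragraph calls for can be expressed as a simple audit-log rule set. The following is an added example, not Robinhood's code or any description of their tool: it assumes a hypothetical support console that writes one JSON record per action (fields `ts`, `actor`, `action`, `account`, `ticket`; the action names are invented for the example) and flags two patterns the breach illustrates, one support identity touching an unusual number of distinct customer accounts in a short window, and a protection-weakening action performed without a ticket reference. The sample records are constructed, not real data.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions a support tool can take that weaken an account's own defences
# (hypothetical action names for this example, not Robinhood's).
HIGH_RISK_ACTIONS = {"disable_mfa", "remove_trusted_device", "change_login_email"}


def detect_support_tool_abuse(audit_lines, max_accounts=25, window=timedelta(minutes=10)):
    """Scan JSON-per-line support-tool audit records and return a list of findings.

    Rules:
      bulk_account_access  - one support identity touched more than `max_accounts`
                             distinct customer accounts within `window` (raised once per actor)
      high_risk_no_ticket  - a protection-weakening action with no support ticket reference
    """
    events = sorted((json.loads(line) for line in audit_lines if line.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)      # actor -> deque of (timestamp, account) inside the window
    flagged_bulk = set()
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        actor, account, action = ev["actor"], ev["account"], ev["action"]
        if action in HIGH_RISK_ACTIONS and not ev.get("ticket"):
            findings.append({"rule": "high_risk_no_ticket", "actor": actor,
                             "account": account, "action": action, "ts": ev["ts"]})
        q = recent[actor]
        q.append((ts, account))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) > max_accounts and actor not in flagged_bulk:
            flagged_bulk.add(actor)
            findings.append({"rule": "bulk_account_access", "actor": actor,
                             "distinct_accounts": len(distinct), "ts": ev["ts"]})
    return findings


def constructed_audit_log():
    """Constructed sample records (not real data): one normal agent, one abused identity."""
    base = datetime(2021, 11, 3, 9, 0, 0)
    events = [
        {"ts": base.isoformat(), "actor": "support.alice", "action": "view_profile",
         "account": "acct-1001", "ticket": "T-5501"},
        {"ts": (base + timedelta(minutes=4)).isoformat(), "actor": "support.alice",
         "action": "disable_mfa", "account": "acct-1001", "ticket": "T-5501"},
        {"ts": (base + timedelta(minutes=30)).isoformat(), "actor": "support.alice",
         "action": "view_profile", "account": "acct-1042", "ticket": "T-5507"},
    ]
    night = datetime(2021, 11, 3, 22, 0, 0)
    for i in range(60):  # an appropriated identity paging through accounts with no tickets
        events.append({"ts": (night + timedelta(seconds=2 * i)).isoformat(),
                       "actor": "support.bob", "action": "view_profile",
                       "account": f"acct-{3000 + i}", "ticket": ""})
    events.append({"ts": (night + timedelta(minutes=3)).isoformat(), "actor": "support.bob",
                   "action": "disable_mfa", "account": "acct-3007", "ticket": ""})
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for finding in detect_support_tool_abuse(constructed_audit_log()):
        print(finding)
```

The threshold and window are deliberately conservative placeholders; in practice they would be tuned against the baseline of a real support queue, and the audit stream itself must be written somewhere the support tool's own credentials cannot edit, otherwise an attacker holding an employee account can erase the trail as easily as they can read the accounts.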
Trickbot and Shatak conspire with Conti.
Research from IBM X-Force reveals that the prolific cybercriminal gang TrickBot has joined forces with a threat actor tracked as Shatak to distribute Conti ransomware in an operation that has been underway since July. As Bleeping Computer reports, the campaign begins with a Shatak phishing email, likely sent using reply-chain emails stolen from previous victims. The email carries a password-protected archive attachment containing malicious code that fetches TrickBot or BazarBackdoor from remote distribution sites hosted in European countries including Germany, Slovakia, and the Netherlands. Once a machine is compromised, TrickBot deploys a Cobalt Strike beacon on it, and Conti operators then conduct network reconnaissance, harvest user credentials, and move laterally. Cybereason has published a technical analysis with further details. The password-protected archive is the point of the delivery design: a mail gateway that cannot open the archive cannot scan its contents, so the encryption flag itself, together with the hijacked reply-chain subject, is the signal worth alerting on.
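The gateway check described above, as an added example that is not code from X-Force, Bleeping Computer or Cybereason: it parses an RFC 5322 message with the standard library, walks the ZIP central directory of each attachment without needing the password, and reports archives whose entries have the encryption flag set, raising a second finding when such an archive arrives under a reply or forward subject. The message, the archive and its contents are constructed fixtures, not real campaign samples; the standard `zipfile` module cannot write real encryption, so the fixture sets the flag bits by hand, which is all a scanner sees anyway.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
ZIP_EOCD_SIG = b"PK\x05\x06"
REPLY_PREFIXES = ("re:", "fw:", "fwd:", "aw:", "wg:")   # English and German reply/forward prefixes


def zip_encrypted_entries(data: bytes) -> list[str]:
    """Walk the ZIP central directory and return the names of entries whose
    general-purpose flag bit 0 (entry is encrypted) is set. No password needed."""
    eocd = data.rfind(ZIP_EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return []
    n_entries, = struct.unpack_from("<H", data, eocd + 10)
    cd_off, = struct.unpack_from("<I", data, eocd + 16)
    names, off = [], cd_off
    for _ in range(n_entries):
        if off + 46 > len(data) or data[off:off + 4] != ZIP_CENTRAL_SIG:
            break
        flags, = struct.unpack_from("<H", data, off + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, off + 28)
        name = data[off + 46:off + 46 + name_len].decode("utf-8", "replace")
        if flags & 0x1:
            names.append(name)
        off += 46 + name_len + extra_len + comment_len
    return names


def triage_message(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    reply_chain = subject.strip().lower().startswith(REPLY_PREFIXES)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(ZIP_LOCAL_SIG):
            continue                      # only ZIP archives are inspected here
        encrypted = zip_encrypted_entries(payload)
        if not encrypted:
            continue
        name = part.get_filename() or "<unnamed>"
        findings.append(f"password-protected archive {name!r} with encrypted entries {encrypted}")
        if reply_chain:
            findings.append(f"encrypted archive delivered in an apparent reply-chain message: {subject!r}")
    return findings


# --- constructed fixtures (not real campaign samples) ---

def build_zip(entry_name: str, payload: bytes, encrypted: bool) -> bytes:
    """Build a one-entry ZIP; when `encrypted`, set flag bit 0 in the local header
    (first entry sits at offset 0) and in the central directory so the archive
    presents as password-protected. The payload itself is left in clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 1                                              # local header flags
        cd_off, = struct.unpack_from("<I", data, data.rfind(ZIP_EOCD_SIG) + 16)
        data[cd_off + 8] |= 1                                     # central directory flags
    return bytes(data)


def build_message(subject: str, attachment: bytes, filename: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Please find the requested document attached. Password: 1234")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_message("RE: RE: invoice 4471",
                         build_zip("invoice.doc", b"not really a document", True), "invoice.zip")
    for line in triage_message(lure):
        print("ALERT:", line)
```

Reading the central directory rather than the first local header matters: an attacker can put an unencrypted decoy entry first, and an archive with a data descriptor leaves the local header's size fields at zero, so walking local headers is unreliable. The check is a triage signal, not a verdict; a gateway would typically quarantine such mail for detonation with the password scraped from the body rather than block outright.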
Zero-day attack preys on Hong Kong website visitors.
Google's Threat Analysis Group has detected a watering hole attack targeting Hong Kong users that exploited a zero-day vulnerability in Apple's macOS. The researchers do not name the threat actor but describe it as "a well resourced group, likely state backed." As Vice explains, the attackers planted malware on the websites of a "media outlet and a prominent pro-democracy labor and political group" based in Hong Kong. Patrick Wardle, a researcher who specializes in Apple security, said that what is notable about this attack is that the actors chained the zero-day with a known vulnerability, or N-day, that had been presented by the security research group Pangu Lab at a conference in China earlier this year. "Leveraging both N-days and what appeared to be a publicly presented zero-day highlights how attackers may not have to utilize their own zero-days to successfully infect remote targets," Wardle explains. The practical lesson is that publicly presented bugs are weaponized quickly, so the window between a conference talk and the corresponding patch being applied is itself exposure.