Metacurity

FBI Confirms North Korea's Lazarus Group Pulled Off $100M Horizon Bridge Heist
metacurity.substack.com

$321 million Wormhole bridge hackers move a lot of currency, MailChimp breach affects FanDuel, New whistleblower says Twitter still uses GodMode, Kristi Noem claims she was hacked, much more

Cynthia Brumfield
Jan 24


(Note: the following item was corrected post-publication to clarify that only one hacking group, the Lazarus Group, also known as APT28, was behind the Horizon Bridge theft.)

Affirming earlier findings from cryptocurrency analysis firm Elliptic, the FBI announced that North Korea’s Lazarus Group, also known as APT28, was behind the theft of $100 million in crypto assets last June from Horizon Bridge.

Horizon Bridge, a service enabling crypto assets to be traded between the Harmony blockchain and other blockchains, was drained of ether (ETH), tether (USDT), and wrapped bitcoin (wBTC). The FBI said that the hackers were “cyber actors associated with the [Democratic People's Republic of Korea]” who relied on a malware campaign known as “TraderTraitor” in the Harmony attack.

The FBI also said that two weeks ago, a privacy protocol, Railgun, was used to launder more than $60 million in ETH stolen during last year’s theft. A portion of the ETH was sent to other service providers and changed to bitcoin. Some funds were frozen, and others were moved to addresses identified in the agency’s statement. (Jesse Hamilton / CoinDesk)

Related: Bitcoinist, FBI, Decrypt, CryptoSlate, CoinGape, Bloomberg, Cointelegraph, Cryptopolitan, crypto.news, The Block, Reuters, FX Street, Databreaches.net

The hacker behind the $321 million Wormhole bridge attack, the third largest cryptocurrency hack of 2022, has shifted a large chunk of stolen funds, with transaction data showing that $155 million worth of Ether (ETH) was transferred to a decentralized exchange (DEX) on January 23 and subsequently converted to other assets.

Highlighting how powerless cryptocurrency firms are to retrieve the massive funds stolen from them during hacks, the Wormhole team has taken the opportunity to offer the hacker once again a bounty of $10 million if they return all the funds, leaving an embedded message conveying such in a transaction.

With the Wormhole hack likely to draw more attention in light of the latest fund movements, blockchain security firms such as Ancilia Inc. warned on January 19 that a Google search for the keywords “Wormhole Bridge” currently returns promoted ad websites that are phishing operations. (Brian Quarmby / Cointelegraph)

Related: The Economic Times, Investing.com

The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails.

"Recently, we were informed by a third-party technology vendor that sends transactional emails on behalf of its clients like FanDuel that they had experienced a security breach within their system that impacted several of their clients," reads a FanDuel Notice of Third-Party Vendor Security Incident.

Hackers stole a MailChimp employee’s credentials and accessed an internal MailChimp customer support and administration tool to steal the "audience data" for 133 customers, one of which was FanDuel. FanDuel urges customers to "remain vigilant" against phishing attacks and attempted account takeovers after their data was exposed in this recent breach. (Lawrence Abrams / Bleeping Computer)

Related: IT Pro, Security Week, Cyberintel Magazine, Hot Hardware, Dark Reading, SC Magazine

A former Twitter employee turned whistleblower told the Senate Judiciary Committee, the House Energy and Commerce Committee, and staff at the Federal Trade Commission that any Twitter engineer can activate an internal program until recently called “GodMode” and tweet from any account today, three months after Musk’s takeover.

“After the 2020 hack in which teenagers were able to tweet as any account, Twitter publicly stated that the problems were fixed,” the complaint says. “However, the existence of GodMode is one more example that Twitter’s public statements to users and investors were false and/or misleading.”

The new whistleblower said that following internal objections about the program, engineers changed its name to “privileged mode.” The whistleblower said the program's purpose was to allow Twitter staff to tweet on behalf of advertisers unable to do it themselves.

Although former whistleblower Peiter Zatko, also known as Mudge, told Congress that Twitter failed to implement protections from such account access abuse, the new whistleblower complaint says the GodMode code remains on the laptop of any engineer who wants it. The allegation was also made in a complaint filed in October by the nonprofit law firm Whistleblower Aid with the FTC, which is continuing to interview former employees.

The company’s current head of trust and safety, Ella Irwin, didn’t respond to an email seeking comment. (Joseph Menn / Washington Post)

Related: The Cybersecurity 202

South Dakota Governor Kristi Noem claimed that her personal cell phone number had been hacked and used to make hoax phone calls and blamed it on the release of her Social Security number amid hundreds of documents that the House January 6 committee released last year.

Noem said that South Dakota’s Fusion Center, a state agency that compiles criminal intelligence, has been notified of the cell phone hack. Her office did not offer further evidence that the release of her personal information led to the hack. (Associated Press)

Related: SDPB, Keloland, Fox News, New York Post, Dakota News, Siouxland Proud

Europol announced that it seized about €18 million ($19.5 million) worth of cryptocurrency and froze over 100 crypto accounts holding assets worth about €50 million ($54.3 million) following the U.S. Justice Department’s indictment of cryptocurrency exchange Bitzlato’s Russian owner, Anatoly Legkodymov.

The law enforcement organization also said it arrested five senior executives of the sanctioned Bitzlato exchange, including the CEO, financial director, and marketing director in Spain. It added that Bitzlato facilitated the laundering of various crypto-assets, including 119 Bitcoin worth €2.1 billion.

Further analysis by Europol disclosed that about 46% of the assets exchanged through Bitzlato worth roughly €1 billion ($1.08 billion) had links to criminal activities. (Christian Nwobodo / Cryptoslate)

Related: Europol

Researchers at ZScaler discovered a new attack involving unknown malware named Album Stealer that employs adult images to trick Facebook users into downloading a malicious ZIP archive and essentially infecting themselves with information-stealing malware.

The adversaries’ goal is to steal Facebook credentials and take over accounts, particularly business accounts that have access to ad and marketing campaigns. Then, the threat actors use that access to run malicious campaigns for their own benefit, directing the ad-generated revenue to their bank accounts.

The attack begins with the threat actors using fake Facebook profile pages containing adult images of women to lure users into clicking on them. Those profiles include a link to an archive that supposedly contains an album of more pictures. Album Stealer targets valuable user data, such as account credentials, cookies, and login data, stored in web browsers like Chrome, Opera, Brave, Edge, and Firefox. (Heinrich Long / Restore Privacy)

Related: ZScaler

Source: Zscaler

Meta Platforms announced that it has started to gradually expand global testing of end-to-end encryption (E2EE) in Messenger chats by default while also bringing some of its standard features to end-to-end encrypted chats, including chat themes, custom chat emojis and reactions, group profile photos, link previews, and active status.

Over the next few months, millions of users worldwide will continue to see some of their chats gradually upgraded with end-to-end encryption. Messenger will notify people in these individual chat threads as they are upgraded. (Aisha Malik / TechCrunch)

Related: MSPoweruser, Mashable, Pocket-lint, TechDator, Times of India, Digital Information World, WCCFtech, PhoneArena, PhoneArena, Meta, TechRadar, The Hacker News

Apple released iOS 16.3 with long-awaited support for hardware security keys to provide extra protection against phishing attacks and unauthorized access to user devices.

To use a security key with iOS, Apple requires you to have two keys: one carried with you and another stored at home or in the office as a spare in case you lose the first. To set up security key authentication on an iPhone, go to Settings > tap your name > Password & Security > and then select Add Security Key.

The feature works with the YubiKey 5 NFC, YubiKey 5C NFC, and Google Titan. Apple says that the YubiKey 5Ci and FEITAN ePass K9 NFC security keys are also known to be compatible. (Lawrence Abrams / Bleeping Computer)

Related: The Verge, Engadget, USA Today, MacRumors, Ars Technica, Gizmodo, Apple Insider, 9to5Mac, XDA Developers, Apple

The Cybersecurity and Infrastructure Security Agency (CISA) added a remote code execution (RCE) vulnerability affecting most Zoho ManageEngine products to its catalog of bugs known to be exploited in the wild.

The flaw is tracked as CVE-2022-47966 and was patched in several waves starting on October 27th, 2022. Unauthenticated threat actors can exploit it to execute arbitrary code if SAML-based single sign-on (SSO) is, or was at least once before the attack, enabled on the product. (Sergiu Gatlan / Bleeping Computer)

Related: ManageEngine, Horizon3.ai

Users worldwide report that Google Ads invites are being abused to deliver email messages promoting spam and sex websites, including to users who do not otherwise use Google advertising platforms. The threat actors use the Google Ads admin interface to send bulk email invitations that, because they come from Google, bypass recipients' spam filters.

These bogus invite emails, sent from Google's servers, entice users to visit spam links contained in the message. The URLs in these invite emails ultimately redirect users to dodgy websites pushing adult dating sites, many of which appear designed to collect personal information from visitors.

"Our security teams are aware of this spam content and are working hard, as always, to stay ahead and keep our users safe," a Google spokesperson said. (Ax Sharma / Bleeping Computer)

Related: Google Support

Source: Bleeping Computer

The National Security Agency (NSA) published guidance to help the Department of Defense (DoD) and other system administrators identify and mitigate cyber risks associated with transitioning to Internet Protocol version 6 (IPv6).

Developed by the Internet Engineering Task Force (IETF), IPv6 is the latest protocol iteration used to identify and locate systems and route traffic across the internet, offering technical benefits and security improvements over its predecessor, IPv4, including a much broader address space.

According to the NSA, the issues that networks new to IPv6 are expected to encounter include the lack of mature configuration and network security tools and the lack of administrator experience with IPv6. (Ionut Arghire / Security Week)

Related: Meritalk, Help Net Security, NSA

Massachusetts-based medical device company Insulet Corporation reported a healthcare data breach to HHS impacting 29,000 individuals who use its Omnipod Insulin Management System, which provides continuous insulin delivery via a wearable insulin pump.

“We believe that the configuration of web pages used for receipt verification exposed some limited personal information about you to certain Insulet website performance and marketing partners,” the company explained in a letter to affected users. The receipt verification email contained a clickable link that led to a unique verification page on the Omnipod website. The unique URL for each customer included the customer’s IP address, whether the customer is an Omnipod DASH user, and whether the customer has a Personal Diabetes Manager.

The company said that after the privacy incident on December 6, 2022, it disabled all tracking codes on the MDC acknowledgment web page that same day so that no further exposure of private health information could occur. Insulet is also requesting partners delete logs of the IP addresses and unique URLs so that they would not continue to have access to that information. (Jill McKeon / Health IT Security)

Related: Seeking Alpha, JD Supra, Health IT Security, SC Magazine, Fierce Biotech

Russia's largest internet service provider, Rostelecom, says 2022 was a record year for distributed denial-of-service (DDoS) attacks targeting organizations in the country.

The company said its experts recorded 21.5 million critical web attacks aimed at roughly 600 Russian organizations from various industries, including telecom, retail, financial, and the public sector. The most powerful DDoS attack recorded by Rostelecom was 760 GB/sec, almost twice as big as the most potent attack of the previous year, while the longest DDoS lasted nearly three months.

The region most attacked in 2022 was Moscow, where Russia's top companies are. Rostelecom says it detected over 500,000 DDoS attempts targeting the city's entities.

About 80% of all cyberattacks targeting Russian entities were DDoS, but Rostelecom also recorded attacks on website vulnerabilities. These included arbitrary command execution following successful exploitation of a vulnerability (10%), path traversal (4%), local file inclusion (3%), SQL injection (3%), and cross-site scripting (1%). (Bill Toulas / Bleeping Computer)

Related: Rostelecom, Infosecurity Magazine

The International Counter Ransomware Taskforce (ICRTF), envisioned by the International Counter Ransomware Initiative (CRI), kicked off its operations with Australia as its inaugural chair and coordinator.

The CRI was first brought together in October 2021 with a virtual meeting of 30 countries facilitated by the US White House National Security Council. The ICRTF will act as a medium for CRI to connect with industry for defensive and disruptive threat sharing and actions. The cyber security projects under ICRTF will be initiated in response to requests for assistance from members and support opportunities to disrupt malicious actors on a case-by-case basis, the Australia Department of Home Affairs said in a statement. (Samira Sarraf / CSO Online)

Related: The Record

Joe Berchtold, president of Ticketmaster's parent company Live Nation, will tell the Senate Judiciary Committee today that a cyberattack hit Ticketmaster in November that led to problems with ticket sales for Taylor Swift’s upcoming U.S. tour, sparking outrage among Swift fans.

During the Swift concert sales, Ticketmaster was “hit with three times the amount of bot traffic than we had ever experienced, and for the first time in 400 Verified Fan on-sales, they came after our Verified Fan access code servers,” Berchtold plans to say.

Berchtold emphasizes in his remarks that the hackers did not obtain any tickets illegally. “While the bots failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales,” Berchtold will say. (Josh Sisco and Maggie Miller / Politico)
