Feds Recovered More Than $30 Million Stolen from Axie Infinity by North Korean Hackers
Twitter paid Mudge more than $7 million in confidential settlement agreement, Classified NATO documents stolen from Portugal now for sale on dark web, Medical devices' flaws reported, much more
Cryptocurrency intelligence firm Chainalysis announced that U.S. authorities had seized more than $30 million in cryptocurrency plundered earlier this year from an online game platform, Axie Infinity, by hackers linked to North Korea, one of the most significant successes in clawing back digital revenue from Pyongyang.
The sum recovered is far higher than previously known. It reflects the growing capabilities of the Federal Bureau of Investigation and other agencies and the priority the U.S. is giving to thwarting North Korean hackers.
In March, North Korean hackers infiltrated part of Axie Infinity's Ronin Network, the blockchain (digital ledger) on which the game runs, and stole 173,600 ether and 25.5 million of the stablecoin USDC, worth about $540 million at the time of the theft. Chainalysis traced the stolen funds to the points where the thieves attempted to convert them to fiat currency; from there, law enforcement and partners in the cryptocurrency industry were able to freeze the money.
The recovered cryptocurrency includes about $5.8 million seized by Binance, a major cryptocurrency exchange, in April and several other seizures at different exchanges. The FBI was involved in all of the cases. (Dustin Volz and Caitlin Ostroff / Wall Street Journal)
Microsoft issued a technical report that offered more details on its investigation into the Iranian cyberattack on Albania, revealing that the Albanian government brought it in to investigate the incident and that the hackers entrenched themselves in Albania’s systems for longer than a year.
Microsoft also found evidence of email data being exfiltrated as early as October 2021, continuing until January 2022. Exchange logs also showed the same Iran-linked hackers exfiltrating data from other victims between November 2021 and May 2022, among them organizations in Jordan, Kuwait, and the UAE, targeting that Microsoft said is consistent with Iran's past interests. (Connor Jones / IT Pro)
Twitter agreed in June to pay roughly $7 million to the whistleblower Peiter Zatko, also known as Mudge, whose allegations will be part of Elon Musk’s case against the company, according to people familiar with the matter.
The settlement was completed days before Zatko filed his whistleblower complaint in July. The people said that Twitter's confidential June settlement was related to Zatko's lost compensation and followed monthslong mediation over tens of millions of dollars in potential pay.
The people said that Zatko agreed to a nondisclosure agreement that forbids him from speaking publicly about his time at Twitter or disparaging the company. Congressional hearings and governmental whistleblower complaints are two of the few venues in which he is permitted to speak openly. Zatko is set to testify before the U.S. Senate Judiciary Committee on Tuesday to discuss his allegations of security failures at Twitter. (Cara Lombardo / Wall Street Journal)
Cybersecurity consultant and pentester Bobby Rauch discovered a new attack technique, called GIFShell, that allows threat actors to abuse Microsoft Teams for novel phishing attacks and to covertly execute commands and steal data using GIFs.
The attack technique chains a variety of Microsoft Teams flaws and vulnerabilities to bypass Microsoft Teams security controls, allowing external users to send attachments to Microsoft Teams users, modify sent attachments so that users download files from an external URL rather than the generated SharePoint link, and much more.
The main component of the attack is GIFShell, which allows an attacker to create a reverse shell that delivers malicious commands via base64-encoded GIFs in Teams and exfiltrates the output through GIFs retrieved by Microsoft's own infrastructure. Microsoft acknowledged the research but said it would not be fixed, as no security boundaries were bypassed. (Lawrence Abrams / Bleeping Computer)
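To make the carrier concrete, here is an added example (not Rauch's tooling and not code from the original report) showing the two simplest ways a base64-encoded command can ride inside a GIF that still renders normally, and the check a defender can run on GIF content: the string is placed either in a GIF comment extension or after the trailer byte. The Teams-side delivery, the victim-side stager and the log parsing that GIFShell relies on are deliberately left out; the 1x1 GIF and the command strings are constructed for the demo.

```python
import base64
import binascii

# Minimal, valid 1x1 GIF89a, constructed here as the carrier for the demo.
MINIMAL_GIF = (
    b"GIF89a"                                    # header
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen 1x1, global colour table (2 entries)
    b"\x00\x00\x00\xff\xff\xff"                  # colour table: black, white
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW minimum code size + one data sub-block
    b"\x3b"                                      # trailer
)


def _read_subblocks(data, pos):
    """Concatenate GIF data sub-blocks starting at pos; return (pos after terminator, payload)."""
    payload = b""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos, payload
        payload += data[pos:pos + n]
        pos += n


def walk_gif(data):
    """Walk the block structure; return (offset just past the trailer, list of comment payloads)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:                             # skip the global colour table
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    comments = []
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                           # trailer
            return pos + 1, comments
        if tag == 0x2C:                           # image descriptor
            local_packed = data[pos + 9]
            pos += 10
            if local_packed & 0x80:               # skip a local colour table
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos += 1                              # LZW minimum code size
            pos, _ = _read_subblocks(data, pos)
        elif tag == 0x21:                         # extension: label byte, then sub-blocks
            label = data[pos + 1]
            pos, payload = _read_subblocks(data, pos + 2)
            if label == 0xFE:                     # comment extension
                comments.append(payload)
        else:
            raise ValueError("unexpected block tag 0x%02x at offset %d" % (tag, pos))
    raise ValueError("truncated GIF: no trailer")


def embed_in_comment(gif, command):
    """Return a still-valid GIF carrying base64(command) in a comment extension (0x21 0xFE)."""
    b64 = base64.b64encode(command)
    # comment payload travels in sub-blocks of at most 255 bytes, terminated by 0x00
    blocks = b"".join(bytes([len(b64[i:i + 255])]) + b64[i:i + 255]
                      for i in range(0, len(b64), 255))
    end, _ = walk_gif(gif)
    trailer = end - 1
    return gif[:trailer] + b"\x21\xfe" + blocks + b"\x00" + gif[trailer:]


def embed_after_trailer(gif, command):
    """Viewers stop at the trailer, so anything appended after it is ignored when rendering."""
    return gif + base64.b64encode(command)


def _try_b64(blob):
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_hidden_commands(data):
    """Detector: return decoded payloads found in comment extensions or after the trailer."""
    end, comments = walk_gif(data)
    found = []
    for c in comments:
        decoded = _try_b64(c)
        if decoded:
            found.append(("comment", decoded))
    if end < len(data):                           # bytes beyond the trailer are never legitimate
        decoded = _try_b64(data[end:])
        found.append(("trailing", decoded if decoded is not None else data[end:]))
    return found
```

Both variants display identically in any viewer, so the only place to catch them is content inspection where the GIF is fetched or logged. The base64 check is a heuristic: a legitimate comment such as a tool name will not validate as base64, but an attacker can just as easily switch encodings, so the more durable signal is the presence of any comment extension or trailing bytes at all in images arriving from untrusted senders.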
Portuguese news organization Diario de Noticias reported that the Armed Forces General Staff agency of Portugal (EMGFA), responsible for the control, planning, and operations of the armed forces of Portugal, suffered a cyberattack that allegedly allowed the theft of classified NATO documents, which are now being sold on the dark web.
American cyber-intelligence agents noticed the sale of stolen documents and alerted the U.S. embassy in Lisbon, warning the Portuguese government about the data breach. After that, a team of experts from the National Security Office (GNS) and Portugal’s national cybersecurity center was dispatched to EMGFA to carry out a complete screening of the body’s entire network.
Unnamed sources close to the investigation told the news outlet that the leaked documents are of “extreme gravity,” so their dissemination might cause a crisis with the country’s credibility in the military alliance. No officials from the Portuguese government have spoken out about the incident. (Bill Toulas / Bleeping Computer)
VF Corporation, the parent company of outdoor apparel brand The North Face, is sending out notices saying that North Face was targeted in a large-scale credential stuffing attack that resulted in the compromise of 194,905 accounts on the thenorthface.com website.
North Face discovered that attackers managed to breach close to 200,000 accounts using valid credentials, potentially accessing a wide range of customer information, including names, purchase histories, addresses, phone numbers, and rewards records. North Face reset all user passwords and wiped all payment card tokens on accounts accessed by unauthorized intruders. (Bill Toulas / Bleeping Computer)
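As an added example, not code from VF Corporation or from the report, here is the detection logic a defender would run over login telemetry to spot stuffing of the kind described above. The signal is one source trying many distinct accounts with a low success rate, which a per-account lockout never sees because each account is tried only once with its real password. The log lines are constructed; the field layout (timestamp, source IP, username, outcome) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real North Face logs): ts, src_ip, username, outcome.
# 203.0.113.7 sprays ten accounts in six seconds with three hits; 198.51.100.9 is one user
# mistyping a password; 192.0.2.44 is an ordinary login.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-09-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-09-01T10:00:02Z 203.0.113.7 carol@example.com OK
2022-09-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2022-09-01T10:00:03Z 203.0.113.7 erin@example.com OK
2022-09-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2022-09-01T10:00:05Z 203.0.113.7 grace@example.com FAIL
2022-09-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2022-09-01T10:00:06Z 203.0.113.7 ivan@example.com FAIL
2022-09-01T10:00:07Z 203.0.113.7 judy@example.com OK
2022-09-01T10:00:10Z 198.51.100.9 mallory@example.com FAIL
2022-09-01T10:00:15Z 198.51.100.9 mallory@example.com FAIL
2022-09-01T10:00:20Z 198.51.100.9 mallory@example.com OK
2022-09-01T10:05:00Z 192.0.2.44 oscar@example.com OK
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag sources that tried at least min_distinct_users different accounts inside `window`.

    Returns {ip: {"distinct_users": peak count in any window,
                  "compromised": accounts from that source that logged in successfully}}.
    The compromised list is what drives the password reset and token revocation.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:    # slide the window forward
                start += 1
            # rebuilt per step for clarity; a production version keeps a rolling counter
            peak = max(peak, len({u for _, u, _ in evs[start:end + 1]}))
        if peak >= min_distinct_users:
            alerts[ip] = {
                "distinct_users": peak,
                "compromised": sorted({u for _, u, ok in evs if ok}),
            }
    return alerts
```

The thresholds are deliberately low for a fourteen-line sample; against real traffic the distinct-account count per source is keyed on more than a raw IP (ASN, device fingerprint, TLS fingerprint), since stuffing tools rotate through proxy pools precisely to stay under per-IP limits.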
Researchers at Secureworks attributed to a Chinese hacking group called Bronze President a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX.
The researchers discovered the intrusions in June and July 2022. Secureworks says that PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering. (Ravie Lakshmanan / The Hacker News)
Researchers at Rapid7 discovered multiple vulnerabilities in two medical devices, the Sigma Spectrum Infusion Pump and the Sigma WiFi battery, produced by billion-dollar healthcare company Baxter International.
Four bugs revolve around the secure decommissioning of Wireless Battery Modules (WBMs). Medical devices typically contain network credentials or other private information that should be removed before a device is transferred to a new user. The flaws offer attackers information about the network, but none of them can be exploited over the internet or at great distances.
Baxter said it would release a software update for the Spectrum pump platforms and Wireless Battery Modules in October 2022, which they believe will further mitigate some vulnerabilities. (Jonathan Greig / The Record)
Anand Prakash, the founder of cloud security company Ping Safe, discovered a leaked AWS account credential in a public code repository belonging to the cryptocurrency Shiba Inu.
His company could not find a bug bounty program or responsible disclosure policy through which to contact the Shiba Inu team about the serious exposure, and published the details of the event so that the broader web3 community would become aware of the dangers of leaked secrets and cloud credentials in public source code repositories. (Anand Prakash / Ping Security)
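The underlying problem, a live AWS credential committed to a public repository, is one every team can check for before pushing. Below is an added example of that check (not Ping Safe's tooling and not anything from the Shiba Inu repository) that scans text for AWS access key IDs by their fixed prefix and for 40-character secret-key candidates filtered by Shannon entropy. The sample file is constructed, and the key values are AWS's documented example credentials, not real ones.

```python
import math
import re

# Access key IDs are 20 characters: a 4-letter prefix (AKIA long-term, ASIA temporary) + 16.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet; the pattern alone is too
# loose (it also matches placeholders and hashes), so candidates are confirmed by entropy.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

# Constructed sample config; the key values are AWS's documented example credentials.
SAMPLE_FILE = """\
# constructed sample, not the Shiba Inu repository; keys are AWS documentation examples
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
placeholder_secret = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
region = us-east-1
"""


def shannon_entropy(s):
    """Bits per character; a real 40-char secret lands well above 4, a placeholder near 0."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=3.5):
    """Return (line_no, kind, value) for every credential-looking token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_CANDIDATE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= min_entropy:
                findings.append((lineno, "aws_secret_access_key?", token))
    return findings


def mask(value):
    """Show only the first and last four characters when reporting a finding."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_FILE):
        print("line %d: %s %s" % (lineno, kind, mask(value)))
```

Run it as a pre-commit hook over staged files and block the commit on any finding. If a key has already reached a public remote, treat it as compromised and rotate it in IAM immediately: deleting the file or rewriting history does not help, because forks, mirrors and automated crawlers copy the commit long before the rewrite lands.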
Ethereum team lead Peter Szilagyi disclosed a vulnerability that could have been exploited to take down the entire Avalanche Network, one of the largest Layer 1 blockchains.
Szilagyi discovered the vulnerability on March 29, and he immediately suggested that Avalanche should push through a patch to fix it. The team responded quickly, patching the vulnerability that same day. (Mike Truppa / The Block)
A class action privacy lawsuit has been filed against video game and merchandising company GameStop in the U.S. District Court for the Central District of California, alleging that the company has been "wiretapping" online customer service chats and selling the transcripts to a third-party marketing firm, Zendesk.
According to the lawsuit, GameStop's customer service chat feature neither informs customers nor obtains their consent to use the conversations for marketing or any other purpose. The complaint does not list specific damages, but California's Invasion of Privacy Act allows for one year in jail and a $2,500 fine in criminal cases, and civil courts can assess $5,000 or three times the amount of actual damages per "wiretap," whichever is greater. (Cal Jeffrey / TechSpot)