Hackers Stole LastPass Parent Company's Encrypted Customer Back Ups, Encryption Key
Hackers demand $10 million for League of Legends source code, Massive wave of N. Korean phishing emails appeared last month, Chinese hackers targeted 12 S. Korean institutions, much more
LastPass’ parent company GoTo, formerly LogMeIn, has confirmed that cybercriminals stole customers’ encrypted backups and the company’s encryption key during a recent breach of its systems.
On November 30, LastPass chief executive Karim Toubba said an “unauthorized party” had accessed some customers’ information in a third-party cloud service shared by LastPass and GoT. Now, however, the company says the cyberattack impacted several of its products, including business communications tool Central; online meetings service Join.me; hosted VPN service Hamachi; and its Remotely Anywhere remote access tool.
GoTo said the intruders exfiltrated customers’ encrypted backups from these services and the company’s encryption key for securing the data. GoTo did not say how many customers are affected. The company has 800,000 customers, including enterprises. Despite the delay, GoTo provided no remediation guidance or advice for affected customers. (Carly Page / TechCrunch)
Related: PC Mag, The Verge, Bleeping Computer, The Record, GoTo, Security Affairs, PCMag, iPhone in Canada Blog, 9to5Mac, SecurityWeek Security News | Tech Times, CRN, Decipher, The Hacker News, Silicon UK, Naked Security, CNET News, Reddit, Silicon Republic, The Register - Security, Techradar
Hackers who stole the source code for League of Legends from Riot Games are demanding $10 million in ransom.
The ransom note sent by the attacks said, “We have obtained your valuable data, including the precious anti-cheat source code and the entire game code for League of Legends and its tools, as well as Packman, your usermode anti-cheat. We understand the significance of these artifacts and the impact their release to the public would have on your major titles, Valorant and League of Legends. In light of this, we are making a small request for an exchange of $10,000,000.”
The hackers provided Riot Games with two large PDFs they said would prove they had access to Packman and the League of Legends source code. If paid, the hackers promised to scrub the code from their servers and “provide insight into how the breach occurred and offer advice on preventing future breaches,” according to the ransom note.
The hackers included a link to a Telegram chat where they said Riot Games could speak with them. Its members included usernames that matched Riot Games employees' names. (Joseph Cox and Matthew Gault / Motherboard)
Related: The Record, TechCrunch, PCWorld, PCMag, The Verge, GameRevolution, Game Developer, GameSpot, TheGamer, Dexerto, PC Gamer, Dot Esports, Polygon, Wccftech, Kotaku, Appuals.com, Bleeping Computer, PCWorld, Kotaku, PCMag.com, WCCFtech
Metacurity is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
Researchers at Proofpoint say they observed in early December a massive wave of phishing emails from a cluster of North Korea-related hacking activity linked to TA444, the firm’s name for the group.
The latest campaign, which blasted more emails than researchers attributed to that group in all of 2022, tried to entice users to click a URL that redirected to a credential harvesting page. The activity could be a sign that the group, which is suspected in two high-profile cryptocurrency hacks in 2022, may have even bigger plans for 2023.
Moreover, this latest campaign deviates from the group’s previous activity in that the hackers focused on trying to steal the target’s login and passwords rather than a direct deployment of malware. (Tonya Riley / Cyberscoop)
South Korea’s internet watchdog, the Korea Internet & Security Agency (KISA), said that a Chinese hacking group that calls itself the Cyber Security Team has launched cyberattacks against South Korean academic institutions, hacking into the websites of 12 institutions, which included some departments of Jeju University and the Korea National University of Education.
Most of the 12 websites, including that of the Korea Research Institute for Construction Policy, were still unavailable for access as of 10 a.m. Wednesday. Although KISA's website was not affected, KISA said the Chinese hacking group had warned of a cyberattack against multiple S. Korean agencies, including KISA itself. (Yonhap News Agency)
CronUp researcher Germán Fernández discovered that recent Google ads promoting popular software led to malicious sites utilizing infrastructure operated by the DEV-0569 threat actors, who are among many threat actors abusing Google ads to spread malware.
DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims' passwords, and ultimately breach networks for ransomware attacks. While malicious installers in this latest campaign no longer use BatLoader, like previous campaigns seen by Microsoft, they install an information-stealer (RedLine Stealer) and then a malware downloader (Gozi/Ursnif).
The current campaign uses RedLine to steal data, such as passwords, cookies, and cryptocurrency wallets, while Gozi/Ursnif is used to download further malware. Fernández also discovered that a similar Google ads campaign was using an infrastructure previously used by a threat group tracked as TA505, known to distribute the CLOP ransomware. (Lawrence Abrams / Bleeping Computer)
More than two years after a ransomware cyberattack forced Baltimore County Public Schools to shut down district-wide, the Maryland Inspector General's Office released a six-page report that provides a clearer picture of what happened that day.
According to the report, the attack originated from an unsolicited phishing attachment addressed to an Education Professional. Despite being unable to open the attachment, an attempt to investigate the suspicious email by a BCPS security contractor misfired, as they opened the email with the attachment using their unsecured BCPS email domain account, thus delivering undetected malware into the BCPS IT network.
Recovering from the incident ultimately cost the school system nearly $10 million. (Nicky Zizaza / CBS News)
Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that injected malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom and faces up to twenty years in prison.
The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, “America is looking for me because I have enormous information and they need it.” RSOCKS was the web-based storefront for hacked computers that were sold as “proxies” to cybercriminals looking for ways to route their Web traffic through someone else’s device.
Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was also a significant player in the Russian email spam industry for over a decade. It’s unclear whether Emelyantsev made good on his promise to spill that knowledge to American investigators as part of his plea deal. The U.S. Attorney’s Office is prosecuting the case for the Southern District of California. (Brian Krebs / Krebs on Security)
Cyber recovery startup CYGNVS (an acronym of CYber GuidaNce Virtual Space) announced its emergence from stealth, saying it raised $55 million in series A venture funding.
Andreessen Horowitz led the round with participation from Stone Point Ventures and EOS Venture Partners. (Jon Gold / CSO Online)
Image by Hoko, CC BY-SA 4.0 via Wikimedia Commons