North Korea's Lazarus Group Targeted DeBridge Finance in Likely Widespread Phishing Campaign
Likely ransomware attack on MSP disrupts UK's NHS 111 service, Twitter confirms zero day data breach, Slack exposed scrambled versions of user passwords, Twilio user creds exposed in breach, more
In a thwarted phishing campaign designed to install malicious files, North Korea’s Lazarus hacking group targeted DeBridge Finance, which provides a cross-chain interoperability and liquidity protocol for transferring data and assets between blockchains.
One DeBridge employee downloaded and opened the file, which prompted an investigation of its origin, how the hackers intended the attack to work, and potential consequences. Alex Smirnov, co-founder and project lead at DeBridge Finance, explained in a Twitter thread. Smirnov offered details on his company’s near-miss as a “PSA for all teams in Web3, this campaign is likely widespread.”
The Lazarus Group has allegedly been behind several high-profile crypto hacks, including the $622 million Axie Infinity. The State Department recently offered a $5 million reward for information on North Korean-linked cyberattacks on cryptocurrency exchanges that the country uses to fill its coffers, given the economic sanctions imposed on North Korea. (Jason Nelson / Decrypt)
Related: CoinDesk, Decrypt, Crypto Briefing, The Crypto Times, Tron Weekly, CoinRepublic, Cointelegraph, Investing.com, Daily Coin, Bitcoinist
Advanced, a British software and managed services provider (MSP) with 25,000 customers that provides service for the UK’s NHS 111, confirmed that a cyber-attack caused a service outage on the emergency service line, which experts say was likely a ransomware attack.
The attack, discovered on Thursday, targeted the system used to refer patients for care, including ambulance dispatch, out-of-hours appointment bookings, and emergency prescriptions. Advanced boss Simon Short said the disruption was minimal and was isolated to “a small number of servers.”
GP publication Pulse said that NHS England warned family doctors in London they could see an increased number of patients sent to them by NHS 111 due to the "significant technical issue.” Northern Ireland's Department of Health said that "As a precaution, to avoid risk to other critical systems and services, access to the company's services from the HSC (Health and Social Care system) has been disabled while the incident is contained.” (BBC News)
Related: Metro.co.uk, iNews, The Tech Outlook, The Guardian, Sky News, Bleeping Computer, ITV News, The Telegraph, Metro, Bloomberg, Homeland Security Today, John O’Groat Journal, Pulse, DataBreachToday, ITPro, Cyber Security Intelligence, The Stack, The Stack, The Register, IT Security Guru
Twitter confirmed that a recent data breach was caused by a now-patched zero-day vulnerability that links email addresses and phone numbers to users' accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.
This vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.
The vulnerability used by the threat actor in December is the same one reported to and fixed by them in January 2022 as part of their HackerOne bug bounty program. Twitter alerted impacted users about whether the data breach exposed their phone number or email address. It also warned that any user with a pseudonymous Twitter account to keep their identity as anonymous as possible by not using a publicly known phone number or email address on their Twitter account. (Lawrence Abrams / Bleeping Computer)
Related: Twitter, TechCrunch, The Record, Technology | The Hill, iTech Post, Security Affairs, Security Week, TechWorm, Axios, geekinteger, Digital Information World, Teiss, TechJuice, Decipher, DataBreachToday.com, RT News, Teiss, The Verge, Slashdot, Engadget, Cyberscoop
Office communication platform Slack said that one of its low-friction features known as the shared-invite link contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users' passwords.
Between April 17, 2017, and July 17, 2022, when users extended or revoked a shared invite link that others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator's hashed password to other members of that workspace.
The errant passwords weren't visible anywhere in Slack and could have only been apprehended by someone actively monitoring relevant encrypted network traffic from Slack's servers. Though the company says it's unlikely that the actual content of any passwords were compromised due to the flaw, it notified impacted users and forced password resets for all of them. (Lily Hay Newman / Wired)
Related: Decrypt, Fossbytes, Slack, Bleeping Computer
Panagiotis Kontoleon, chief of Greece’s EYP intelligence service, stepped down amid increased scrutiny of the agency's surveillance practices, including an accusation by an opposition party leader that he was wiretapped in 2021.
Two lawmakers said that Kontoleon had admitted during a parliamentary committee hearing on July 29 that his service had spied on Thanasis Koukakis, a financial journalist who works for CNN Greece. That closed-door hearing was called after the leader of the socialist opposition PASOK party Nikos Androulakis lodged a complaint with top court prosecutors over an attempt to bug his mobile phone with surveillance software in September 2021.
Androulakis called on the Greek parliament to set up an investigative committee to investigate the case and accused the government of downplaying the issue. (George Georgiopoulos and Karolina Tagaris / Reuters)
Related: Times of Israel, Haaretz, Greek City Times, Security Affairs
John Scott-Railton @jsrailton
BREAKING: 🇬🇷Greek intelligence chief quits amidst expanding mercenary spyware scandal. He'd admitted the targeting of journalist @nasoskook. Also, article notes: top aide to the Prime Minister resigned (without further details) By @ggeopo & @tagaris https://t.co/HVPcr1Na2i https://t.co/w5FRrb3OqTAccording to court filings and public records, the Trump-backed Republican nominee for Michigan attorney general, Matthew DePerno, led a team that gained unauthorized access to voting equipment while hunting for evidence to support former President Donald Trump’s false election-fraud claims.
An analysis of the records shows that DePerno examined a vote tabulator from Richfield Township, a conservative stronghold of 3,600 people in northern Michigan’s Roscommon County. Jake Rollow, a spokesperson for the secretary of state, said the office does not believe DePerno’s team had legal approval to access ES&S voting equipment. Under state law, it is a felony to seek or provide unauthorized access to voting equipment. (Nathan Layne / Reuters)
Related: Detroit Free Press, Axios, Washington Post, Daily Beast, Politico
According to early estimates, the smart contract auditing firm Paladin revealed a hack of DeFi yield farmer Reaper Farm that saw more than $1.7 million siphoned off.
The official Reaper Farm reported the hack less than twenty-four hours after spotting the attack. The team published a post-mortem, detailing the first details and immediately committing to reimburse injured users. The attackers discovered a vulnerability that allowed them to withdraw anyone else's funds. They then bridged funds to Ethereum, then laundered them through Tornado Cash. After discovering the exploit, Reaper Farms used the same vulnerability to remove funds from the remaining vulnerable vaults to prevent the attacker from stealing more. (Molly White / Web3isgoingjustgreat)
Related: Journal Du Coin, Reaper Post-Mortem, Reaper.Farm exploit recovery plan
Customer engagement platform Twilio issued a data breach notification saying it found that a weeks-long attack had tricked multiple employees into providing their log-in credentials to attackers.
"The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data," Twilio says. "Once Twilio confirmed the incident, our security team revoked access to the compromised employee accounts to mitigate the attack." (Mathew J. Schwartz / GovInfoSecurity)
Related: Twilio
Ethereum-based algorithmic stablecoin project Beanstalk Farms has relaunched its protocol just under four months after going offline in April following a devastating $77 million governance exploit.
“Beanstalk has come out on the other end of this ordeal stronger than ever. It is a testament to the creditworthiness of the protocol and its potential to help realize a permissionless future,” said Publius, the developer group behind the BEAN stablecoin and protocol. Publius stated that it has now moved protocol governance to a community-run multisig wallet until “a secure on-chain governance mechanism can be implemented.”
The team also stated that it had completed two protocol audits from “top not smart contract auditing firms” in Trail of Bits and Halborn. (Brian Quarmby / CoinTelegraph)
Related: Web3 is going just great
In January 2022, Kaspersky ICS CERT experts detected a wave of targeted attacks on military-industrial complex enterprises and public institutions in several countries, identifying over a dozen attacked organizations.
The attack targeted industrial plants, design bureaus, research institutes, government agencies, ministries, and departments in several East European countries (Belarus, Russia, and Ukraine) and Afghanistan.
The attackers penetrated the enterprise network using carefully crafted phishing emails, some of which use information specific to the organization under attack and not publicly available, indicating that the attackers did preparatory work before the attacks.
Five of the six backdoors identified on infected systems (PortDoor, nccTrojan, Logtu, Cotx, and DNSep) have been used earlier in attacks attributed by other researchers to China’s APT TA428. The sixth backdoor is new and has not been observed in other attacks. The attacks are highly likely to be an extension of a known campaign described in Cybereason, DrWeb, and NTTSecurity research and attributed with a high degree of confidence to APT TA428 activity. (Securelist)
Singapore-based crypto exchange Bitget has launched the Bitget Protection Fund, a $200 million fund to protect its users' assets.
The fund is currently worth about $200 million and consists of 6,000 BTC and 80 million USDT. The company has pledged to secure its value for the next three years. (Mike Millard / The Block)
Related: PR Newswire
A class action lawsuit has been filed in California Central District Court against consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts.
Citing from reporting by Krebs on Security, the lawsuit alleges that Experian’s documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes violates the Fair Credit Reporting Act. (Brian Krebs / Krebs on Security)
Related: PYMNTS.com
Home surveillance service Ring’s connection to law enforcement has drawn criticism since its explosion in popularity following its 2008 acquisition from Amazon.
Ring collects a massive amount of information from users, including name, phone number, email, postal address, and any other information a user provides it, including payment information or social media handles if a user links their Ring accounts to their social media accounts. It also obtains information about the user’s Wi-Fi network, its signal strength, the network name of video and audio camera records, and videos shared to Ring’s Neighbors’ app. Moreover, it keeps detailed records of people’s doorbell activity. (Matt Burgess / Wired)
Create your profile
Only paid subscribers can comment on this post
Check your email
For your security, we need to re-authenticate you.
Click the link we sent to , or click here to sign in.