An overview of security incidents from the 14th to the 20th of August

A summary of the week's major events in the world of information security.

From August 14 to August 20, a number of interesting events occurred in the world of information security, including the world's first attack on a smart home using malicious advertising, the theft of data from 100 million T-Mobile subscribers as retaliation, the leak of the FBI wanted list of terrorists, and much more. In our review, you can read about these and other security incidents.

GeoEdge, an Israeli information security firm, announced the discovery of the world's first cyberattack on home IoT devices using malicious advertising. Since June of this year, a team of specialists from the company has investigated attacks on IoT smart home devices that use malicious advertising (so-called malvertising attacks). They are the world's first attacks to use online ads to silently install applications on Wi-Fi-enabled home devices.

Specialists from the Insikt Group division of the American information security firm Recorded Future discussed Operation Secondary Infektion, a long-running disinformation operation linked to Russia. It was first reported by the Insikt Group in April 2020, and new details, including an analysis of the operation's tactics, techniques, and procedures (TTPs), have now been released.

Cybercriminals hacked the Japanese cryptocurrency exchange Liquid last week. A total of $74 million in bitcoin, ether, XRP, and TRX assets was stolen as a result of the attack. According to exchange representatives, experts are tracking the movement of the assets and working with other exchanges to freeze the stolen funds and return them to their rightful owners. The hackers nevertheless succeeded in moving a portion of the illegally obtained funds to other accounts.

Volexity security researchers have documented attacks by a well-known North Korean hacker group on a limited number of victims using exploits for vulnerabilities in Microsoft web browsers. The group, known as InkySquid, compromised a news website in South Korea and injected malicious code into it. Since 2020, this exploit has been used in attacks against the Internet Explorer browser to download obfuscated JavaScript code hidden within legitimate code. The same attack method was used against first-generation Edge users, but this time through a different vulnerability.

A security researcher going by the alias Imp0rtp3 discovered a web attack framework allegedly developed by Chinese government-funded hackers. The researcher claims that a tool called Tetris was used to exploit vulnerabilities in 58 sites in order to track political dissidents: 57 are popular Chinese portals, and one is the website of the American newspaper The New York Times. Tetris not only exploits vulnerabilities but also uses legitimate browser functions to record keystrokes, steal operating system and geolocation data, and take webcam snapshots of the victim's face.

Last week, it was revealed that on January 11, 2020, hackers breached the United States Census Bureau's servers. The attackers exploited a critical zero-day vulnerability in the Citrix Application Delivery Controller (ADC) (CVE-2019-19781), but they failed to install a backdoor.

As usual, this week brought a string of ransomware reports. The Brazilian government reported a ransomware attack on the National Treasury's computer systems. According to representatives of the Brazilian Ministry of Economy, immediate steps were taken to mitigate the effects of the attack, and initial assessments found no damage to the National Treasury's core systems.

The nonprofit Memorial Health System's computer systems were allegedly hacked and encrypted by operators of the Hive ransomware, forcing staff to switch to manual procedures. Memorial Health System is a small network of three hospitals in Ohio and West Virginia (USA) (Marietta Memorial Hospital, Selby General Hospital, and Sistersville General Hospital), together with outpatient services and clinics. The attack caused clinical and financial disruptions, forcing urgent surgeries and X-ray examinations to be canceled.

Heimdal Security specialists have discovered a new family of ransomware that employs a rare but troublesome data encryption technique in the attacked environment. Experts explained that DeepBlueMagic attacks corporate servers' hard drives rather than encrypting files on endpoints, as most ransomware does.

A 7 GB archive of confidential data, presumably belonging to the Taiwanese computer hardware manufacturer GIGABYTE, was published on one of the hacker forums. It is worth noting that the leak followed the recent RansomEXX ransomware attack. The archive was first made public on the RansomEXX leak site, presumably after GIGABYTE refused to pay the ransom.

The operators of a new botnet known as HolesWarm are exploiting more than 20 vulnerabilities in order to hack Windows and Linux servers and install cryptocurrency-mining malware. According to a report by Tencent cybersecurity experts, attacks were mostly recorded in China, but the criminals will presumably start hacking systems all over the world in the coming months. The botnet operators exploit vulnerabilities in Docker, Jenkins, Apache Tomcat, Apache Struts, Apache Shiro, Apache Hadoop YARN, Oracle WebLogic, Spring Boot, Zhiyuan OA, UFIDA, Panwei OA, and Yonyou GRP-U8.

Data breaches are a regular column in the weekly incident roundup. Colonial Pipeline, the largest fuel pipeline operator in the United States, for example, is sending notifications to people affected by the DarkSide ransomware attack in May. The company stated that it "recently learned" that during the attack, DarkSide operators were able to collect and exfiltrate documents containing the personal information of 5,810 people. The stolen data includes first and last names, contact information, health information (including insurance), taxpayer numbers, military IDs, and Social Security numbers, among other things.

T-Mobile, a major American telecommunications company, is investigating a data leak after a hacker announced that T-Mobile servers had been hacked and databases containing the personal information of approximately 100 million subscribers had been stolen. On Saturday, August 14th, the first reports of the alleged leak appeared on one of the hacker forums. The hacker listed a T-Mobile database for sale for 6 bitcoins (approximately $280,000). According to him, the database contains the dates of birth, driver's license numbers, and Social Security numbers of 30 million people. The money was not the hacker's main goal, however: according to the attacker, he hacked the T-Mobile servers as a form of retaliation.

Legalizer, one of the most popular drug distribution sites in the CIS, was hacked by an unknown hacker. The attacker published a link to the site, as well as information about the site's de-anonymized creators: their full names, phone numbers, addresses, countries of residence, and passport data. The hacker also provided examples of private message correspondence, which included, among other things, the users' own nicknames. According to reports, each member of the forum's team is now pointing at the others, naming them as the founder.

There was a curious incident as well. The creator of the Raccoon infostealer inadvertently "leaked" information about himself to information security experts: while testing the malware, the developer infected his own test computer, which was picked up by the Hudson Rock Cavalier cybersecurity platform.

Bob Diachenko, a security researcher, discovered a copy of the FBI's wanted terrorists database on an IP address in Bahrain. According to him, the unsecured Elasticsearch cluster contained 1.9 million records. How much of the overall database the cluster held is unknown, but Diachenko believes it is likely the entire database. The leaked details include full names, TSC list IDs, citizenship and gender information, dates of birth, passport numbers, the countries where the passports were issued, and no-fly list IDs.