AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 11/09/2021

Robinhood Announces Data Security Incident

Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident. The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.


BlackBerry Uncovers Initial Access Broker Linked to 3 Distinct Hacker Groups

A previously undocumented initial access broker has been unmasked as providing entry points to three different threat actors for intrusions ranging from financially motivated ransomware attacks to phishing campaigns. BlackBerry’s research and intelligence team dubbed the entity “Zebra2104.” The group has supplied network access to ransomware syndicates such as MountLocker and Phobos, as well as to the advanced persistent threat (APT) tracked as StrongPity (aka Promethium). The threat landscape is increasingly shaped by initial access brokers (IABs), who sell other cybercriminal groups, including ransomware affiliates, a foothold in a vast pool of potential victim organizations across geographies and sectors, typically via persistent backdoors into the victim networks, effectively building a pricing model for remote access.


US government is going after REvil ransomware hackers

The US government has indicted a Ukrainian national and a Russian national who are believed to be part of the REvil cybercriminal group, which is responsible for a series of major ransomware attacks. According to US Attorney General Merrick Garland, 22-year-old Ukrainian Yaroslav Vasinskyi was arrested while trying to enter Poland, while 28-year-old Yevgeniy Polyanin is believed to be abroad, though the US government was able to seize $6.1 million from him. These indictments are part of the US government’s attempt to crack down on cybercriminals worldwide following a string of cyberattacks on Colonial Pipeline and other critical infrastructure.


China says a foreign spy agency hacked its airlines, stole passenger records

Chinese officials said last week that a foreign intelligence agency hacked several of its airlines in 2020 and stole passenger travel records. The hacking campaign was disclosed last week by officials from the Ministry of State Security, China’s civilian intelligence, security, and secret police agency. The hacking campaign was discovered after one of China’s airlines reported a security breach to MSS officials in January 2020. Investigators said they linked the hacks to a custom trojan that the attackers used to exfiltrate passenger details and other data from this first target. A subsequent investigation found other airlines compromised in the same way. “After an in-depth investigation, it was confirmed that the attacks were carefully planned and secretly carried out by an overseas spy intelligence agency,” the MSS said in a press release distributed via state news channels last Monday. The MSS did not formally attribute the attack to any foreign agency or country.


MediaMarkt hit by Hive ransomware, initial $240 million ransom

Electronics retail giant MediaMarkt has suffered a Hive ransomware attack with an initial ransom demand of $240 million, causing IT systems to shut down and disrupting store operations in the Netherlands and Germany. MediaMarkt is Europe’s largest consumer electronics retailer, with over 1,000 stores in 13 countries. MediaMarkt has approximately 53,000 employees and total sales of €20.8 billion. The attack, late Sunday evening into Monday morning, encrypted servers and workstations and led to the shutdown of IT systems to prevent it from spreading. BleepingComputer has learned that the attack affected numerous retail stores throughout Europe, primarily those in the Netherlands.


Pwn2Own: Printer plays AC/DC, Samsung Galaxy S21 hacked twice

Trend Micro’s ZDI awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021, with competitors successfully pwning the Samsung Galaxy S21 again and hacking an HP LaserJet printer to play AC/DC’s Thunderstruck on the contest’s third day. Contestants earned $362,500 on the first day, $415,000 on the second, $238,750 on the third, and $70,000 on the fourth. The Synacktiv team won the contest with $197,000 in cash for their zero-days and 20 Master of Pwn points, a six-point lead over the DEVCORE team, which finished with 14 points and a total of $140,000. Over the four days of competition, the contestants compromised printers, routers, NAS devices, and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link, and NETGEAR by exploiting 61 previously unknown security flaws (zero-day vulnerabilities).