AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 12/19/2022

Social Blade Confirms Breach After Hacker Offers to Sell User Data

Social media analytics service Social Blade has confirmed a security breach after a hacker offered to sell a database allegedly stolen from the company’s systems. Social Blade monitors tens of millions of social media accounts, including on YouTube, Twitter, Twitch, Instagram, Facebook, and TikTok. The company helps content creators boost their channel’s popularity. The Social Blade database was offered for sale on a hacker forum on Monday. The seller provided a sample of table names and content, claiming to have obtained 5.6 million records dated September 2022. The sample data suggests that many of the records contain user information.

Executives take more cybersecurity risks than office workers

Ivanti worked with cybersecurity experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and find out how companies are preparing for yet-unknown future threats. The report revealed that despite 97% of leaders and security professionals reporting their organization is as prepared or more prepared to defend against cybersecurity attacks than they were a year ago, one in five wouldn’t bet a chocolate bar they could prevent a damaging breach. In fact, the study finds that organizations are racing to fortify against cyber attacks, but the industry still struggles with a reactive, checklist mentality.

Raising the bar for software security: next steps for GitHub.com 2FA

GitHub is committed to raising the bar for the security of the software development ecosystem, and that starts with the developer. We continue to improve the npm 2FA experience, and now require maintainers of packages with more than 1 million weekly downloads or more than 500 dependents to enable 2FA. To better protect developers from account theft, we announced our intention to require all developers who contribute code on GitHub.com to enable one or more forms of 2FA by the end of 2023. Read on to learn more about how GitHub is approaching this challenge, and what you can expect as we begin requiring 2FA in March 2023.

DarkTortilla malware spreads on phishing sites masquerading as legitimate domains

Researchers reported on a campaign where they observed threat actors dropping DarkTortilla malware on phishing sites masquerading as legitimate Grammarly and Cisco sites. In a Dec. 16 blog post, Cyble Research and Intelligence Labs (CRIL) described DarkTortilla as a complex, .NET-based malware that has been active since 2015. The researchers said that the malware has been best known for dropping information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRAT, and NanoCore. During the summer, security researchers at Secureworks published a blog about DarkTortilla and detailed its behavior. While the Secureworks researchers said DarkTortilla uses spam email with malicious attachments to reach users, it was CRIL researchers who found that the bad actors behind DarkTortilla created phishing sites for distributing the malware.

Corsair says bug, not keylogger, behind some K100 keyboards’ creepy behavior

Keylogger-like behavior has some Corsair K100 keyboard customers concerned. Several users have reported their peripheral randomly entering text into their computer that they previously typed days or weeks ago. However, Corsair told Ars Technica that the behavior is a bug, not keylogging, and it’s possibly related to the keyboard’s macro recording feature. A reader tipped us off to an ongoing thread on Corsair’s support forum that a user started in August. The user claimed that their K100 started typing on its own while they use it with a MacBook Pro, gaming computer, and KVM switch.

Colombian energy supplier EPM hit by BlackCat ransomware attack

Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on Monday, disrupting the company’s operations and taking down online services. EPM is one of Colombia’s largest public energy, water, and gas providers, providing services to 123 municipalities. The company generated over $25 billion in revenue in 2022 and is owned by the Colombian Municipality of Medellin. On Tuesday, the company told approximately 4,000 employees to work from home, with IT infrastructure down and the company’s websites no longer available.

Email hijackers scam food out of businesses, not just money

Business email compromise (BEC) continues to be a multibillion-dollar threat, but it’s evolving, with the FBI and other federal agencies warning that cybercriminals have started using spoofed emails to steal shipments of physical goods – in this case, food. Along with the Food and Drug Administration’s Office of Criminal Investigations and the US Department of Agriculture, the FBI said several US food manufacturers have already fallen victim to scams, many of which involved fake orders for hundreds of thousands of dollars worth of a single item: powdered milk. The FBI considers BEC attacks to be one of the most financially devastating online crimes, claiming it netted criminals nearly $2.4 billion in 2021 alone. The method involves a criminal compromising a legitimate account and, traditionally, using it to send fake invoices to trick a busy business into paying for a service that wasn’t provided.

Hacker Halts Sale of FBI’s High-Profile InfraGard Database

As reported by Hackread.com on December 14, 2022, a hacker going by the online handle of “USDoD” was selling a database belonging to InfraGard, an FBI (Federal Bureau of Investigation) program initially launched in 1996. The database contained contact details of more than 87,000 InfraGard members, and the price for it was set at $50,000. However, Hackread.com can now exclusively confirm that the hacker updated their post yesterday stating that the stolen InfraGard database would ‘no longer be posted for sale’ as it would ‘cause more harm to everyone’ than benefit the hacker themselves.

Bugs in Lego Resale Site Allowed Hackers to Hijack Accounts

Security analysts have found bugs in Lego’s second-hand online marketplace that left its users at risk of account hijacking and data leakage. Salt Labs said that the issues, now resolved, affected Lego-owned BrickLink.com, the world’s largest official marketplace for Lego bricks.

The security researchers said that two API security issues could have enabled an attacker to take over BrickLink accounts and access and steal personally identifiable information stored on the site. The vulnerabilities could also have allowed attackers to gain access to internal production data and compromise internal servers, Bleeping Computer reports. The BrickLink bugs were spotted when Salt Labs analysts were experimenting with user input fields on the marketplace site.

Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale

Restaurant customer management platform SevenRooms has confirmed it suffered a data breach after a threat actor began selling stolen data on a hacking forum. SevenRooms is a restaurant customer relationship management (CRM) platform used by international restaurant chains and hospitality service providers, such as MGM Resorts, Bloomin’ Brands, Mandarin Oriental, Wolfgang Puck, and many more. On December 15, a threat actor posted data samples on the Breached hacking forum, claiming to have stolen a 427 GB backup database with thousands of files containing information about SevenRooms customers.

T-Mobile hacker gets 10 years for $25 million phone unlock scheme

Argishti Khudaverdyan, the former owner of a T-Mobile retail store, was sentenced to 10 years in prison for a $25 million scheme where he unlocked and unblocked cellphones by hacking into T-Mobile’s internal systems. Between August 2014 and June 2019, the 44-year-old man behind the scheme, who was also ordered to pay $28,473,535 in restitution, “cleaned” hundreds of thousands of cellphones for his “customers.” Khudaverdyan’s contract as the owner of the Top Tier Solutions T-Mobile retail store in California was terminated by the wireless carrier in June 2017 due to his suspicious computer behavior and association with unauthorized unlocking of cellphones.