Threat Intel Roundup

Published: 30 September 2022

Contents

01. Summary
02. Threat Spotlight
  • Uber and Rockstar Games Breaches
  • Optus Breach could be ‘worst data breach in Australian History’
  • Credential stuffing attack compromises 200,000 North Face accounts
  • British “111” NHS hit by cyber attack
  • Gamaredon Group delivers infostealer to Ukrainian targets
  • Lazarus Group lures job seekers with fake employment prospects
03. Quick News Bites
  • Hacking Group ‘neutralized’ by Ukrainian Authorities
  • Phishing warning as Revolut admits details of 50,000 of its customers were exposed
  • Seven public and private sector organisations in hot water with ICO over GDPR failures
04. Conclusion

A Note From The Cyber Threat Response Team

Sometimes criminal organisations are interested in more than just monetary gain. We are observing more and more instances where a victim has been ransomed after a successful breach but won’t pay. The threat actor gradually releases more and more of the stolen data into the public domain to increase the pressure, but the victim still won’t budge.

Eventually the threat actor gets bored and/or moves on to another victim, but just before they do, they release ALL the stolen data to the public in one go. This gives them a sudden burst of media attention, which is the second-best thing they can get from the situation after money: exposure and infamy. Infamy is useful to threat actors because if they are widely feared and seen to be successful, future victims are more likely to pay the ransom when they are breached.

Threat Spotlight

Uber and Rockstar Games Breaches

The most high-profile data breaches to occur this month involved two well-known companies, Uber and Rockstar Games. Both incidents support the observation above: neither breach was purely for monetary gain, but rather a way for the hacker in question to show off and boast about their ‘accomplishments’.

The hacker using the name teapotuberhacker gained access to Rockstar’s systems by breaching its internal feed on the third-party Slack messaging app. Whilst boasting about the breach, they threatened to leak the game’s source code and left a message inviting Rockstar Games executives to negotiate in order to prevent further leaks.

Over 90 images and videos of the highly anticipated next entry in Rockstar Games’ Grand Theft Auto series were leaked online by the hacker. The footage and images then spread across social media. Whilst the breach made headlines across the world and knocked Rockstar’s share price, it is unlikely to impact sales of the game when it eventually hits the shelves.

  • Since the leak was first discovered, the USA’s Federal Bureau of Investigation (FBI) has been investigating the matter.
  • Meanwhile, in a blog post on its website, Uber revealed that the breach it suffered was carried out by the same hacker(s) behind the Grand Theft Auto 6 leaks.
  • The Lapsus$ hacker group has been increasingly active over the past year and is thought to have also been behind cyber-attacks this year on other technology companies such as Microsoft, Samsung and Nvidia.
  • In the week after the Rockstar breach, City of London Police arrested a 17-year-old in Oxfordshire on suspicion of involvement in the high-profile breaches at Rockstar Games and Uber. The suspect, whose name has not been released, pleaded not guilty to charges of breaching their bail conditions and to multiple counts of computer misuse.
  • The computer misuse charges were linked to a series of arrests earlier this year in which police arrested seven teenagers for suspected connections to the Lapsus$ hacking group.

This incident highlights the fact that a large proportion of cyber attacks are carried out by ‘script kiddies’ and that it does not take a lot of sophistication to breach large organisations.

Optus Breach could be ‘worst data breach in Australian History’

In what some in the media are calling the ‘worst data breach in Australian History’, the nation’s second-largest telecoms provider, Optus, revealed that a data breach had potentially exposed current and former customers’ data, including names, home addresses, passport and driving licence numbers, and phone and email contact details. While the true figure is not known, the Australian government said that around 2.8 million people are now at significant risk of identity theft and fraud.

In line with the ransom trend we have been noticing, once the company announced the breach the hacker(s) behind the incident demanded $1 million in cryptocurrency after briefly releasing the sensitive details of over 10,000 Optus customers. The move prompted Australian authorities to warn customers to be aware of an increase in fraudulent emails and text messages.

On Tuesday, however, news broke that the hacker behind the breach had seemingly had a change of heart.  

They announced that they had deleted the compromised data and apologised to Optus, saying: “Too many eyes. We will not sale [sic] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy). Sorry too 10,200 Australian who’s data was leaked. Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you.”

Despite this, pressure has mounted on Optus, with Australians venting their anger over the incident online and the Australian government demanding that the company foot the bill for affected people who need to replace their IDs and passports as a result of the breach.

Optus claims the breach occurred due to a “sophisticated attack”, but the federal government has publicly disagreed, stating that ‘it was due to an error by the company that had left the data accessible online’. Either way, the reputational and financial damage to the company is likely to be immense.

Sydney-based tech reporter Jeremy Kirk put further pressure on Optus after he contacted the purported hacker, who gave him a detailed explanation of how they stole the data. The person contradicted Optus’s claim that the breach was “sophisticated”, saying they pulled the data from a freely accessible software interface.

Credential stuffing attack compromises 200,000 North Face accounts

Sept 7th, 2022 - Outdoor apparel brand ‘The North Face’ revealed that it was targeted in a large-scale credential stuffing attack that resulted in the compromise of 194,905 accounts on the thenorthface.com website.

An attacker used username/email address and password combinations taken from other data breaches to log in to North Face customer accounts. This form of attack relies on the fact that many people reuse the same password across multiple accounts and online platforms.

North Face revealed that the attack was first detected on July 26, 2022, but was not stopped until August 19, 2022.

Our advice is to change your passwords regularly, or use a password manager vault so that no password is reused across accounts.
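Credential stuffing has a distinctive shape in authentication logs: because the attacker tries one leaked username/password pair per account, a single source produces attempts spread across many different accounts in a short time, rather than many attempts against one account. The detector below is an added example for this roundup, not code from The North Face or Integrity360; the log format, IP addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, one event per line:
# "<ISO timestamp> <source IP> LOGIN_OK|LOGIN_FAIL <username>"
SAMPLE_LOG = """\
2022-07-26T10:00:01 203.0.113.7 LOGIN_FAIL alice@example.com
2022-07-26T10:00:02 203.0.113.7 LOGIN_FAIL bob@example.com
2022-07-26T10:00:02 203.0.113.7 LOGIN_OK carol@example.com
2022-07-26T10:00:03 203.0.113.7 LOGIN_FAIL dave@example.com
2022-07-26T10:00:04 203.0.113.7 LOGIN_FAIL erin@example.com
2022-07-26T10:00:05 203.0.113.7 LOGIN_FAIL frank@example.com
2022-07-26T10:00:10 198.51.100.4 LOGIN_FAIL grace@example.com
2022-07-26T10:00:14 198.51.100.4 LOGIN_OK grace@example.com
2022-07-26T10:30:00 203.0.113.7 LOGIN_FAIL heidi@example.com
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, outcome, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, outcome, user))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs whose attempts touch >= min_accounts DISTINCT accounts
    inside any sliding time window. A forgetful user fails against one
    account and classic brute force hammers one account; stuffing is broad.
    Successes count too: a leaked pair that works is the compromise."""
    by_ip = defaultdict(list)
    for ts, ip, _outcome, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past old attempts
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in OK from a flagged IP: force reset, revoke sessions."""
    return sorted(u for _ts, ip, outcome, u in events
                  if ip in flagged and outcome == "LOGIN_OK")

if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    print(hits, compromised_accounts(parse_log(SAMPLE_LOG), hits))
```

The legitimate user retrying their own account is not flagged, while the source hitting six accounts in four seconds is, and the one account it successfully entered is singled out for a forced reset.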

British “111” NHS hit by cyber attack

On 04 Aug 2022, a cyber attack targeted Advanced, a managed service provider (MSP) that provides IT and software services to clients including the UK’s National Health Service (NHS). The attack impacted the NHS 111 emergency service, causing severe delays to ambulances and general practitioners’ appointments. This instance highlights how MSPs can be valuable targets for threat actors, since a single compromise propagates the attack’s impact to multiple victims at the same time.

Gamaredon Group delivers infostealer to Ukrainian targets

On 15 Aug 2022, security researchers reported that “Gamaredon Group” has been conducting a cyber-espionage campaign targeting Ukraine. Activity was first observed on 15 Jul 2022, and most recently on 08 Aug 2022. The group reportedly delivered variants of a PowerShell information stealer (infostealer) to Ukrainian targets, as well as custom backdoors, including “Pterodo” and “Giddome”. Researchers believe that the malware was delivered via spearphishing emails, likely with lures pertaining to the Russia-Ukraine war.

Lazarus Group lures job seekers with fake employment prospects

On 17 Aug 2022, researchers reported that the North Korea-linked APT “Lazarus Group” had been using a signed malicious executable designed to target macOS systems. Lazarus Group members were impersonating employees of the cryptocurrency-exchange company Coinbase, targeting job seekers in the financial technology sector. The campaign targeted new and old macOS versions, and used malware disguised as a PDF file containing a fake job description. The macOS malware was code-signed on 21 Jul 2022 with a certificate that had been issued five months earlier to a developer using the name Shankey Nohria. As of 12 Aug 2022, the certificate had not been revoked by Apple, but the binary had also not been checked by Apple’s process for discovering malicious software components.

Quick News Bites

Hacking Group ‘neutralized’ by Ukrainian Authorities  

The conflict between Ukraine and Russia continues to rage online after the Ukrainian authorities announced that they had ‘neutralized’ a hacker group claimed to have been responsible for operating bot farms used to produce and spread information aimed at destabilising the political situation in Ukraine.

“Their wholesale clients were pro-Kremlin propagandists. It was them who used the received identification data of Ukrainian and foreign citizens to spread fake news from the front lines and spread panic,” said the Ukrainian law enforcement agency.

Phishing warning as Revolut admits details of 50,000 of its customers were exposed 

A phishing warning has been issued after financial technology firm Revolut revealed that it had suffered a cyberattack in which hackers gained access to its internal systems via phishing. According to the company, the hackers gained access to the personal information of up to 32,000 of its clients. Revolut has warned its users to be wary of any messages requesting personal details or passwords. Revolut said that it will not call customers about the incident and will never ask for sensitive information.

Seven public and private sector organisations in hot water with ICO over GDPR failures

The UK’s Information Commissioner’s Office (ICO) took action against several organisations for failing to meet their GDPR obligations.

The main issue was a failure to respond to Subject Access Requests (SARs) within the one to three month timeframe stipulated in the regulation. The organisations in question received numerous complaints, which forced the ICO to intervene. All seven organisations were issued with reprimands, which could be escalated to fines if they continue to fail to adhere to the GDPR rules.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively email us at TBD@integrity360.com for a complimentary, no-commitments consultation. Also feel free to explore the many cyber security resources available on our website at https://www.integrity360.com/resources.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.