Cybersecurity News: Hive banker arrested, train bricking accusations, GambleForce SQL campaign

French police arrest alleged Hive banker

A Russian national arrested in Paris last week is suspected of acting as a banker for Hive affiliates. The stolen cryptocurrencies were discovered during a search of his phone. An official from the French Ministry of the Interior stated the individual was “identified thanks to his activity on social networks” and was subsequently arrested and placed in police custody. US cyberintelligence authorities have estimated that the Hive gang extorted more than $100m in ransomware payments before being shut down this past January.

(The Record)

Train bricking accusations lead to lawsuit against ethical hackers

A Polish ethical hacking group, Dragon Sector, is being sued by Newag, a train manufacturer, after the group alleged that the manufacturer had installed software in its trains to render them unusable if GPS detected that they were parked at a repair shop not owned by Newag. Newag has not only denied these accusations but has threatened to sue Dragon Sector for hacking the IT systems of Poland’s trains, claiming that the Dragon Sector report had been commissioned by one of Newag’s competitors. Ultimately, Dragon Sector got the trains running again after discovering an undocumented unlock code. The full story is available at ArsTechnica.

(ArsTechnica)

New hacker group ‘GambleForce’ targets APAC through SQL injection

According to a report from Singapore-based cybersecurity firm Group-IB, the group “uses SQL injections and the exploitation of vulnerable website content management systems to steal sensitive information, such as user credentials.” Victims include the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. The group is using open source pentesting tools along with a Chinese language version of Cobalt Strike.

(Group-IB)

Microsoft seizes Storm-1152 Outlook infrastructure

According to an announcement from Microsoft on Wednesday, the seizure was aimed at disrupting the group’s activities. It said, “to date, Storm-1152 created for sale approximately 750 million fraudulent Microsoft accounts, earning the group millions of dollars in illicit revenue, and costing Microsoft and other companies even more to combat their criminal activity.” On December 7, Microsoft “obtained a court order from the Southern District of New York to seize the infrastructure in the US used by the threat actors and take the websites offline.” The seizure also included Hotmailbox.me, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, websites that sell CAPTCHA-solving services, as well as social media sites that were being used to market the gang’s services.

(Microsoft)

Huge thanks to this week’s episode sponsor, Barricade Cyber Solutions

Has your organization faced a ransomware attack? Keep calm, breathe, and head over to recoverfromransomware.com. Barricade Cyber Solutions is the industry choice for ransomware recovery services that small and medium business leaders can rely on. With a track record of rescuing over 3,000+ businesses like yours in the last 5 years alone, you can trust Barricade Cyber Solutions’ elite DFIR team for the recovery of your business’ data and systems. Schedule a complimentary consult today at recoverfromransomware.com.

Avira antivirus causes Windows freeze

Over the past week, some users have complained that Windows freezes shortly after boot once the Avira security software activates. The issue has now been linked to a faulty Avira update, “caused by the Avira internal firewall under a rare condition,” according to Avira speaking to Bleeping Computer. A fix was deployed quickly, two days after the problem was discovered on December 9.

(Bleeping Computer)

Russian spies seen exploiting JetBrains TeamCity vulnerability

Following up on a story we brought you in mid-October, intelligence services in the US, UK and Poland have announced that Russia’s Foreign Intelligence Service, the SVR, has been seen exploiting a vulnerability in JetBrains TeamCity, and are warning organizations across the world because of the large number of compromised devices, despite the release of a patch. In September, Microsoft had first warned about North Korea’s use of the vulnerability, tracked as CVE-2023-42793, which affects TeamCity, a product used for testing software code before release. According to The Record, the SVR is using the vulnerability to “exfiltrate files that provide insight into a victim’s operating system” and uses several techniques to “disable or outright kill endpoint detection and response (EDR) and antivirus (AV) software.”

(The Record)

KraftHeinz possibly suffers ransomware attack

According to Cybernews, the world’s fifth largest food and beverage company, KraftHeinz, has appeared on the leak site of the Snatch gang, in an entry that appears to have first been posted in August and has now been updated. The posting does not show file samples or any other type of proof of a successful attack, and there has not been any confirmation from KraftHeinz as of this recording.

(Cybernews)

LinkedIn reversed plans to migrate to Azure

The Microsoft-owned business networking platform had announced plans to move fully to Azure back in 2019 – a project named Blueshift. LinkedIn currently uses Azure for specific tasks. The change in plans does not appear to be a rejection of Azure outright, but rather a decision to make Azure capacity available to other Microsoft customers. LinkedIn and Microsoft jointly agreed to hold off on the migration, and according to a memo from LinkedIn Chief Technology Officer Raghu Hiremagalur to R&D employees in June 2022, they decided to pause the planned migration of LinkedIn to “allocate resources to external Azure customers.”

(CNBC)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.