Cybersecurity News: Signal clones, easyjson warning, UK retail hacker

Signal clone gets hacked

TeleMessage is an Israeli company that sells modified versions of messaging apps, with customers including the US government. 404 Media reported that a threat actor breached the company and stole customer data, including direct messages and group chats sent from its modified Signal, Telegram, WeChat, and WhatsApp clients. Data leaked by the hacker shows that archived chat logs are not end-to-end encrypted on the path from the app to TeleMessage's archive servers, which is how the attacker was able to read message contents. The hacker showed 404 Media screenshots of data belonging to US Customs and Border Protection and to financial institutions including Coinbase, and told the outlet that accessing and exfiltrating the data took 15-20 minutes and "wasn't much effort at all." Former National Security Adviser Mike Waltz was seen using a TeleMessage app in a cabinet meeting, but there's no indication that any of his messages were exposed in this breach.

(404 Media)

Sounding the alarm on easyjson

Researchers at Hunted Labs warned that the open-source package easyjson could put organizations at risk because of its links to Russia. easyjson is a JSON serialization library for Go (a code generator that emits marshaling code so applications can avoid reflection) used in cloud environments across the defense, finance, technology, and healthcare sectors. The package is hosted on GitHub under the mailru account, owned by the Russian social media giant VK Group. VK's CEO is Vladimir Kiriyenko, son of one of Vladimir Putin's top aides; both father and son were sanctioned by the US Treasury in 2022. Hunted Labs found no evidence of malicious code in easyjson, but noted that its widespread use could make it a strategic asset for a broader campaign. If nothing else, this shows that the politics of open source are getting increasingly murky.

(Wired, Hunted Labs)
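The practical question for a Go shop is simply whether the package is in the dependency tree at all, directly or transitively. The following is an added example (not code from Hunted Labs or the easyjson project) that parses go.mod text, including the parenthesised require block and "// indirect" markers, and flags any module under a watched path prefix. The go.mod contents and the watchlist are constructed for the example; github.com/mailru/ is the account discussed above.

```go
package main

import (
	"fmt"
	"strings"
)

// Requirement is one module listed in a go.mod require directive.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // marked "// indirect" in go.mod
}

// ParseRequires extracts require directives from go.mod text, handling both
// the single-line form and the parenthesised block form.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		var entry string
		if inBlock {
			entry = line
		} else if strings.HasPrefix(line, "require ") {
			entry = strings.TrimPrefix(line, "require ")
		} else {
			continue // module, go, replace, exclude, toolchain lines
		}
		indirect := false
		if i := strings.Index(entry, "//"); i >= 0 {
			indirect = strings.Contains(entry[i:], "indirect")
			entry = strings.TrimSpace(entry[:i])
		}
		fields := strings.Fields(entry)
		if len(fields) != 2 {
			continue
		}
		reqs = append(reqs, Requirement{Path: fields[0], Version: fields[1], Indirect: indirect})
	}
	return reqs
}

// Watchlisted returns the requirements whose module path is, or sits under,
// any watched prefix (a hosting account or organisation, or an exact module).
func Watchlisted(reqs []Requirement, prefixes []string) []Requirement {
	var hits []Requirement
	for _, r := range reqs {
		for _, p := range prefixes {
			p = strings.TrimSuffix(p, "/")
			if r.Path == p || strings.HasPrefix(r.Path, p+"/") {
				hits = append(hits, r)
				break
			}
		}
	}
	return hits
}

// sampleGoMod is a constructed go.mod for the example, not taken from any real project.
const sampleGoMod = `module example.com/svc

go 1.22

require github.com/spf13/cobra v1.8.0

require (
	github.com/mailru/easyjson v0.7.7
	github.com/josharian/intern v1.0.0 // indirect
	golang.org/x/sys v0.20.0 // indirect
)
`

// watchlist is this example's own list of module-path prefixes to review.
var watchlist = []string{"github.com/mailru/"}

func main() {
	for _, r := range Watchlisted(ParseRequires(sampleGoMod), watchlist) {
		kind := "direct"
		if r.Indirect {
			kind = "indirect"
		}
		fmt.Printf("review: %s %s (%s)\n", r.Path, r.Version, kind)
	}
}
```

Because go.mod only lists what the main module requires, run this over the output of `go list -m all` (one "path version" pair per line, which the same parser accepts once prefixed with "require ") when you also want modules pulled in several levels down.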

Ransomware group takes credit for UK retail attacks

Last week we covered a rash of cyberattacks against UK-based retailers, including M&S, Co-op, and Harrods. Now the DragonForce ransomware group has claimed responsibility for the attacks in a statement to the BBC. DragonForce first appeared in August 2023 as a hacktivist group but now operates for financial gain, using ransomware built from leaked LockBit and Conti code. Earlier this year it began offering "white-label" branding to affiliates as part of a rebrand into a "ransomware cartel."

(Security Week)

Heavy is the head of Black Kingdom ransomware

The US Attorney's Office for the Central District of California indicted Rami Khaled Ahmed for allegedly deploying Black Kingdom ransomware on over 1,500 computer systems between March 2021 and June 2023. Victims ranged from a school district in Pennsylvania to medical support businesses in Wisconsin and California to a ski resort in Oregon. Once systems were infected, Black Kingdom operators demanded a $10,000 ransom in Bitcoin, although it's unclear how many victims paid. The FBI investigated Ahmed with help from the New Zealand Police; however, he is believed to be in Yemen, which does not extradite to the US.

(CyberScoop)

Thanks to today’s episode sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.

The beating hearts of deepfakes

While video deepfakes are becoming increasingly common, researchers had previously proposed detecting them by looking for the subtle skin color changes caused by a pulse, which generative models were not trained to reproduce. However, Bruce Schneier passed on a report in the journal Frontiers in Imaging which found that high-quality deepfakes can already beat these checks, unintentionally retaining the heartbeat patterns present in their training videos. The retained signals were notably weaker than in real footage. The researchers say another detection method could be to look for natural pulse behavior across different facial regions rather than for the mere presence of a pulse.

(Schneier on Security, Frontiers in Imaging)
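To make the "weaker but present" finding concrete, here is an added example (not code from the Frontiers paper or from any detector) of the kind of remote-photoplethysmography check such detectors perform: take the per-frame mean colour of a skin region, remove the baseline, and look for a dominant periodic component in the plausible heart-rate band of 0.7 to 3 Hz (42 to 180 bpm). The two traces are constructed synthetic data at 30 fps: one with a strong 72 bpm pulse standing in for genuine footage, and one with the same pulse at a fraction of the amplitude standing in for a deepfake that kept a faint copy of the training subject's heartbeat. Extracting skin regions from actual video frames is assumed to have happened upstream and is not shown.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// PulseEstimate summarises the heart-rate band content of a colour trace.
type PulseEstimate struct {
	Hz  float64 // dominant in-band frequency
	BPM float64
	SNR float64 // peak bin power over the mean power of the other in-band bins
}

// binPower computes |X[k]|^2 for one DFT bin of a mean-removed trace.
func binPower(x []float64, k int) float64 {
	n := float64(len(x))
	var re, im float64
	for t, v := range x {
		ang := -2 * math.Pi * float64(k) * float64(t) / n
		re += v * math.Cos(ang)
		im += v * math.Sin(ang)
	}
	return re*re + im*im
}

// EstimatePulse scans the heart-rate band loHz..hiHz of a per-frame colour
// trace sampled at fps and reports the strongest periodic component.
func EstimatePulse(trace []float64, fps, loHz, hiHz float64) PulseEstimate {
	n := len(trace)
	// Remove the DC component (average skin tone) so only fluctuations remain.
	var mean float64
	for _, v := range trace {
		mean += v
	}
	mean /= float64(n)
	x := make([]float64, n)
	for i, v := range trace {
		x[i] = v - mean
	}
	kLo := int(math.Ceil(loHz * float64(n) / fps))
	kHi := int(math.Floor(hiHz * float64(n) / fps))
	bestK, bestP, total := kLo, -1.0, 0.0
	for k := kLo; k <= kHi; k++ {
		p := binPower(x, k)
		total += p
		if p > bestP {
			bestK, bestP = k, p
		}
	}
	others := (total - bestP) / float64(kHi-kLo) // mean power of the non-peak bins
	hz := float64(bestK) * fps / float64(n)
	return PulseEstimate{Hz: hz, BPM: hz * 60, SNR: bestP / others}
}

// syntheticTrace builds a constructed per-frame mean green-channel trace: a
// baseline skin value, a sinusoidal pulse of the given amplitude at pulseHz,
// and Gaussian sensor noise from a fixed seed so runs are reproducible.
func syntheticTrace(frames int, fps, pulseHz, amplitude, noiseStd float64, seed int64) []float64 {
	rng := rand.New(rand.NewSource(seed))
	trace := make([]float64, frames)
	for i := range trace {
		t := float64(i) / fps
		trace[i] = 120 + amplitude*math.Sin(2*math.Pi*pulseHz*t) + rng.NormFloat64()*noiseStd
	}
	return trace
}

const (
	fps     = 30.0
	frames  = 300 // 10 seconds of video
	pulseHz = 1.2 // 72 bpm, chosen to fall exactly on a DFT bin
)

// realTrace stands in for genuine footage; fakeTrace for a deepfake that
// retained only a faint copy of the training subject's pulse (both constructed).
var (
	realTrace = syntheticTrace(frames, fps, pulseHz, 1.0, 0.2, 1)
	fakeTrace = syntheticTrace(frames, fps, pulseHz, 0.15, 0.2, 1)
)

func main() {
	for _, c := range []struct {
		name  string
		trace []float64
	}{{"real", realTrace}, {"fake", fakeTrace}} {
		e := EstimatePulse(c.trace, fps, 0.7, 3.0)
		fmt.Printf("%s: %.0f bpm, in-band SNR %.1f\n", c.name, e.BPM, e.SNR)
	}
}
```

Both traces produce the same 72 bpm estimate, which is the point of the paper: a presence-of-pulse test passes the fake. The difference shows up only in the SNR, and a detector that thresholds on signal strength, or that compares pulse timing across several facial regions as the researchers suggest, has something to work with that a simple pulse/no-pulse check does not.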

Russians be hacking 

Ahead of Romania's presidential election, the Russian-linked hacktivist group NoName057(16) claimed credit for DDoS attacks against the websites of the country's Ministry of Foreign Affairs, the Romanian government, the Constitutional Court, and several presidential candidates. Romania's National Directorate for Cyber Security confirmed the attacks but said public access has since been restored. Last week the group attacked Dutch and other European organizations over their military support for Ukraine.

Not to be left out, Azerbaijani lawmaker Ramid Namazov accused Russia's APT29, aka Cozy Bear, of attacks on local media outlets on February 20th that attempted to spread misinformation across TV and news sites. Namazov suspects the attacks came in response to the closure of the Russian House, a state-funded cultural center in Baku.

(The Record [1], [2])

Golden Chickens lay new malware eggs

Researchers at Recorded Future's Insikt Group attributed two new malware families to the threat actor known as Golden Chickens or Venom Spider, depending on how scary you want them to sound. TerraStealerV2 harvests browser credentials, cryptocurrency wallet data, and browser extension information, then exfiltrates it to Telegram and to a wetransfers.io domain. TerraLogger is a standalone keylogger notable for lacking any exfiltration capability, which suggests it's still under active development. Both show the group iterating on and expanding its malware-as-a-service portfolio.

(The Hacker News)

Goodbye to a VOIP OG

Did you wake up today and feel the world was a little emptier? That may be because Microsoft officially shuttered Skype yesterday, May 5th. Users now have 60 days to export data or migrate to Teams. Skype was first released in August 2003, acquired by eBay in 2005 for $2.6 billion, and then acquired by Microsoft for $8.5 billion in 2011. It now joins Windows Live Messenger in the hallowed ground of the Redmond graveyard: goodnight, sweet prince. 

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.