Newsletters

Written content from the Risky Business Media team

Risky Biz News: Google shuts down YouTube Russian propaganda channels

Presented by Catalin Cimpanu, News Editor

SeaFlower group: Confiant said in a report last week that it detected a new threat actor, which it named SeaFlower, targeting cryptocurrency users. Since at least March this year, the group has operated clones of legitimate cryptocurrency wallet websites. These sites, which target Chinese-speaking audiences, host backdoored wallet apps that steal users' private wallet seeds.

AsyncRAT stats: Malwarebytes reported this week that its telemetry indicated AsyncRAT had become the most widespread malware payload delivered via email spam in the first half of 2022. AsyncRAT was ranked #3 throughout 2021, behind Dridex and TrickBot.

Finland arrest: An online scammer was detained in Finland last week after defrauding local car dealerships. Investigators said they were able to identify the suspect after the suspect took a high-quality photo of a fake check in which one of their fingertips was also visible, allowing investigators to identify them from police records. (h/t @mikko)

Risky Biz News: BPF malware is now a thing

Presented by Catalin Cimpanu, News Editor

Optimism hack: In one of the most facepalm-worthy crypto hacks of all time, the Optimism cryptocurrency project said it lost $19 million worth of funds after one of its partners sent funds to an Ethereum wallet they did not yet have full control of. The cringeworthy IR report is here, and, according to Motherboard, the Optimism project is now pleading with the person who spotted and hijacked the errant transfer to return some of the stolen funds.

Mobike leak: Bike-sharing service Mobike leaked the passports, driver's licenses, and identity documents of more than 120,000 customers. Almost all of the identity documents belonged to users in Latin America, including Argentina and Brazil, reported TechCrunch, which worked for months with the vendor to have the leaky server secured.

TheTruthSpy leak: TheTruthSpy, a quite popular stalkerware app, also left servers exposed on the internet. Per Motherboard, the company leaked data from smartphones on which the app was installed. Leaked data included photos of children and pets, and other images related to babies, per the news outlet.

Srsly Risky Biz: Thursday June 9

Presented by Tom Uren, Policy & Intelligence


Risky Biz News: LockBit-Mandiant drama, explained

Presented by Catalin Cimpanu, News Editor

Palermo: The IT infrastructure of the city of Palermo, Italy, has been down since last Friday following a cyberattack.

Maiar hack: DeFi platform Maiar said on Monday that a threat actor exploited a vulnerability in its platform and stole more than $113 million worth of cryptocurrency from its wallets. In a YouTube video published on Tuesday, the platform's CEO said they had already recovered 95% of the stolen funds.

Schulte profile: The New Yorker has a fantastic profile of Joshua Schulte, the former CIA agent behind the WikiLeaks Vault7 leak.

Risky Biz News: Microsoft disrupts Bohrium APT infrastructure

Presented by Catalin Cimpanu, News Editor

"Our DCU investigation found Bohrium targeted customers in the US, Middle East, and India. Targets come from sectors including tech, transportation, government, and education," Hogan-Burney said.

The Microsoft exec said the group's members used fake social media profiles, often posing as recruiters, to lure employees at targeted organizations to one of the 41 malicious sites. There, they tried to collect the employees' personal information, which they later used in follow-up email attacks that sought to infect the victims with malware.

To date, Microsoft's DCU team has used the US court system to seize domains and server infrastructure from more than two dozen cybercrime and espionage groups alike.

Risky Biz News: Website defacements and CCTV hacks in Iran

Presented by Catalin Cimpanu, News Editor

In a statement posted on its website, the political group claimed it carried out the attack with the help of "a network of dissidents inside Iran."

MEK said they timed the attack to take place on the eve of Ayatollah Khomeini's death, mourned/celebrated each year across Iran on June 3.

As part of their intrusion, MEK said they also used the compromised servers of the Tehran municipality to send SMS messages to more than 585,000 Iranian phones. The messages read: "Damned be Khomeini, death to Khamenei and Raisi, Hail to Rajavi," according to a video the organization published on YouTube.

Srsly Risky Biz: Thursday June 2

Presented by Tom Uren, Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray, and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

Hacked documents released last week have shed light on the extent and brutality of the PRC's oppression of its Uyghur population, and on the official government support behind it. Given the long history of states pretending to be hacktivists, we thought we'd examine the incident to see whether there are any red flags that a state might be behind the hack.

The documents, released as the Xinjiang Police Files, contain a range of different file types, including transcripts of not-for-publication speeches from Chinese officials, operational directives for police, detainee photos and personal records, and also internal police PowerPoint files. These files were provided to Dr. Adrian Zenz, Director in China Studies at the Victims of Communism Memorial Foundation and a leading researcher of China's Xinjiang re-education camps. Zenz stated on Twitter that the files were provided by an individual who got access "by hacking into Xinjiang police/re-education camp computers" in two separate counties. In a journal article, Zenz expands on how he acquired the files:

Risky Biz News: Russia orders Google to remove Tor Browser from Russian Play Store

Presented by Catalin Cimpanu, News Editor

Mirror Protocol hack #2: ...and then the same person who found the first attack found a second one.

Portland falls to BEC: The US city of Portland, Oregon, said it lost $1.4 million to a BEC scammer last month, in April 2022. In a press release last week, city officials said they realized they had sent city funds to the wrong bank account only after the threat actor attempted to scam the city a second time.

Hackers-for-hire: Reuters is reporting on a court case in which independent journalist Scott Stedman testified that jailed Israeli private detective Aviram Azari worked to hire Indian hackers to carry out espionage operations on behalf of several Russian oligarchs. Azari pleaded guilty last month to working with BellTroX, a New Delhi-based hacker-for-hire company.

Risky Biz News: Threat actor stole data for 100,000 npm users

Presented by Catalin Cimpanu, News Editor

Infraud sentence: A 37-year-old named John "Peterelliot" Telusma was sentenced last week to four years in prison. Telusma was a member of the Infraud cybercrime ring, which dabbled in the sale of stolen credit card data.

DOJ goes after BEC actor's funds: The US Department of Justice moved last month to seize almost $4.5 million (151.85 BTC) in funds owned by a suspect accused of BEC schemes. Olalekan Jacob Ponle, who went online as "Mr. Woodbery," was charged and arrested in June 2020. As cybersecurity veteran Gary Warner pointed out on Friday, the DOJ intervened to seize the funds after a mysterious entity moved the Bitcoin to a new address.

FBI alert: The FBI said in a PIN alert last week that credentials for US colleges and universities are being widely advertised across Russian cybercrime forums. The agency is warning these organizations about a possible rise in attacks targeting their institutions. The full alert is here: PDF.

Risky Biz News: Microsoft will enable better security defaults for all Azure AD tenants next month

Presented by Catalin Cimpanu, News Editor

Verizon employee breach: A hacker has obtained a database containing the full names, email addresses, corporate ID numbers, and phone numbers of hundreds of Verizon employees. Motherboard reported that the threat actor got hold of the data after tricking a Verizon employee into giving them remote access to their computer.

SpiceJet: Indian low-cost airline SpiceJet said it was hit by an "attempted" ransomware attack on Wednesday that disrupted some of its operations and delayed some flights.

MGM Resorts data dumped: The data of more than 142 million past guests of MGM hotels was released for free on a Telegram channel earlier this week. The data comes from a 2019 security breach, which came to light in early 2020 after a data broker began advertising the data on cybercrime forums.