Newsletters

GoodRx fine: The US Federal Trade Commission has fined GoodRx, a telehealth and prescription drug discount provider, $1.5 million for sharing the personal and health information of its customers with online advertisers. The FTC says that in 2019, GoodRx compiled lists of its users who used their apps or visited their site to purchase particular medications, such as those used to treat heart disease and blood pressure. These lists included a buyer's email address, phone number, and mobile advertising ID. The FTC says GoodRx uploaded these lists to Facebook's ad platform so it could identify its users' real-world profiles and names and then re-advertise its products to the same users with targeted advertising.

Chrome updates: Google has changed how new Chrome releases are coming out. Starting with Chrome 110, Google says it will ship its stable version to a small percentage of users ahead of everyone else. This should technically allow Google to catch issues before they affect all its users during the normally scheduled release.

Tor donations: The Tor Project says it received only $367,674 from user donations last year. The sum represents the lowest sum received from donations over the past three years. The organization said the dip came following the cryptocurrency crash of last year.

Last week the FBI announced the conclusion of a months-long disruption campaign targeting the Hive ransomware group that culminated in the seizure of the group's servers.

Hive was the world's most commonly deployed ransomware strain.

In addition to seizing control of the IT infrastructure that Hive used to communicate with its members, the FBI had been passing decryption keys to Hive victims for several months. From the FBI's press release:

Google did not name the upstream operator by name, but its Fi service uses only two upstream providers, namely T-Mobile and US Cellular, and T-Mobile disclosed a security breach to the SEC earlier this month—so connecting the dots is definitely not rocket science.

While Google told customers they should be wary of possible phishing emails trying to leverage this incident, at least one Reddit user says the email they received from Google Fi also included an additional line notifying them that their Fi service was changed to a new SIM card as part of what looks like a SIM swapping incident. However, this scenario is currently being called into question as, per Google's email, the supposed stolen data would not have been enough to perform a SIM-swapping attack.

GitHub breach: GitHub says that a threat actor breached internal source code repositories and stole two code-signing certificates. The breach took place last year on December 7. GitHub says the certificates were encrypted and password-protected, and as a result, they haven't seen any sign they were misused in the wild. Furthermore, both certificates were about to expire in January and February this year and will become useless to the intruder either way. The breached repositories contained the source code of the GitHub Desktop app and the GitHub Atom code editor. GitHub's security team says it did not find any unauthorized edits to the code, and both apps remain safe to use.

Hive reward: The US State Department is offering a $10 million reward for any information that can reveal the identity and location of members of the recently-disrupted Hive ransomware group or information that could help link the gang's members with a foreign government.

Golden Chickens: Something we missed last August is this eSentire report, where the company claims to have tracked down the person behind the Golden Chickens Malware-as-a-Service (MaaS). eSentire researchers believe the malware's creator (badbullzvenom) is a Moldovan national living in Canada or a Canadian sharing their account with someone in Moldova. The Golden Chickens malware has been linked to attacks carried out by three major threat actors known as FIN6, the Cobalt Group, and Evilnum.

StreamJacking: Guardio Security says it is seeing hundreds of YouTube accounts getting hijacked each day to promote Elon Musk-themed cryptocurrency scams. Researchers say the threat actor behind these attacks, which they are calling StreamHacking, is making as much as $100,000 per day via "donations" and "investments" from gullible cryptocurrency users. In some cases, users are also lured to phishing sites that prompt them for personal data and crypto-wallet passphrases, allowing the threat actor to easily empty out their accounts.

Killnet DDoS attacks (yawn): Following Germany's decision to deliver Leopard 2 tanks to Ukraine, disguised intelligence operation "hacktivist group" Killnet launched DDoS attacks against German government websites and called it a great victory on their Telegram channel. Nobody cares about two-hour outages, Killnet. Give it a rest! Also, it's never Russia until Russia denies it.

CISA K12 resource: CISA has published a report to help K-12 institutions assess and protect their networks against cybersecurity threats.

NIST AI guidance: US NIST released its AI Risk Management Framework along with a companion playbook, explainer video, and an AI RMF Roadmap for organizations looking into working with AI toolsets.

Riot Games extorted: Riot Games says it received a ransom demand via email from the threat actor who hacked one of its employees and then gained access to one of its game development environments. Riot says the hacker is asking the company to pay a ransom demand, or they will release the source code for the League of Legends and Teamfight Tactics games and the source code of a legacy anti-cheat platform. The company says it does not intend to pay the ransom and expects the leaked source code to "increase the likelihood of new cheats emerging."

GoTo breach update: GoTo, the company that owns LastPass, updated a data breach notification it published last year when it said that some of its cloud hosting services were also impacted as part of the LastPass intrusion. GoTo says a recent investigation has found that the intruders managed to steal encrypted backups from its cloud storage. The backups contained data, including user information, for GoTo products such as Central, Pro, join.me, Hamachi, and RemotelyAnywhere. The company said the backups were encrypted, but the threat actor also stole an encryption key that would allow them to decrypt "a portion of the encrypted backups."

FanDuel breach: Sports-betting platform FanDuel emailed customers last week to let them know that their names and email addresses were stolen from the company's Mailchimp account. FanDuel joins e-commerce service WooCommerce as the second major company known to be affected by MailChimp's breach. Mailchimp, an email and newsletter platform, disclosed a security breach two weeks ago when it said that a threat actor hacked one of its employees and stole data from 133 Mailchimp customers.

The reasons for this demise are layered and complex and not the simple and straightforward answer that we can usually find in most cases.

The war in Ukraine, the US Treasury's sanctions crackdown on cryptocurrency money launderers, major law enforcement busts, and the general collapse of the cryptocurrency ecosystem as a whole have all had their role in slowing down criminal operations.

For example, as Chainalysis experts put it—people are less likely to fall for scams if they think the entire ecosystem is down and aren't interested in making new investments.

Blockchain analysis firm Elliptic, which documented and confirmed the hack, says Solaris was one of the largest drug markets on the dark web last year, processing around $150 million in sales of drugs and other illegal goods and services in its short lifespan.

Elliptic says the market was closely associated with Killnet, a pro-Kremlin hacktivist group, although it's unclear if the group was also in charge of the market itself.

In December last year, Alex Holden, a US security researcher with Ukrainian roots, claimed to have hacked Solaris and stolen $25,000 worth of cryptocurrency, which he later donated to Ukrainian charity organizations.

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Brett Winterford and Harish Chakravarthy demonstrate to host Patrick Grey how Okta can be used for passwordless authentication. These phishing resistant authentication flows — even if they are not rolled out to all users — can also be used as a high-quality signal of phishing attempts that can be used to trigger automated follow-on actions.

Russian cyber security firms have found that hackers have used the fear of "moblisation", i.e. conscription into Russia's war effort, to steal Telegram credentials in a successful large-scale campaign. The lure used was a link to a site that purportedly contained the list of people who could be drafted into the Russian army to fight in Ukraine this February.

Primarily because of its dominance in both online search and ads, Google hosts most of these campaigns.

The most annoying part of all of this is that Google's support and security teams appear to have been caught on the back foot and are completely unprepared for what's currently going on. Both security researchers and companies who had their brands abused say they've found it difficult to get Google to act and remove the malicious content from search results, a situation that invites more abuse for the foreseeable future.

Hacked Harmony funds move: North Korean hackers have moved and laundered more than $63.5 million worth of Ether from funds stolen in June last year from the Harmony bridge platform. The stolen funds were laundered and then deposited in accounts at cryptocurrency platforms Binance, Huobi, and OKX. Binance and Huobi froze a small portion of the funds, but the bulk is still under the hackers' control. The hack is believed to have been carried out by the Lazarus Group, a group of government-backed North Korean hackers.