Twilio hacked by phishing campaign targeting internet companies

Communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials. 

The San Francisco-based company, which allows users to build voice and SMS capabilities — such as two-factor authentication (2FA) — into applications, said in a blog post published Monday that it became aware that someone gained “unauthorized access” to information related to some Twilio customer accounts on August 4.

Twilio has more than 150,000 customers, including Facebook and Uber.

According to the company, the as-yet-unidentified threat actor tricked multiple Twilio employees into handing over their credentials, which allowed access to the company’s internal systems.

The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employee’s password had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controlled.

Twilio said that the attackers crafted these messages to look legitimate, including words such as “Okta” and “SSO,” referring to single sign-on, which many companies use to secure access to their internal apps. (Okta was itself hit by a breach earlier this year, which saw hackers gain access to its internal systems.) Twilio said it worked with U.S. carriers to stop the malicious messages, as well as registrars and hosting providers to shut down the malicious URLs used in the campaign.
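The messages described above worked because they borrowed the company’s own sign-in vocabulary (“Okta,” “SSO”) while pointing at a domain the company did not own. One defensive check a security team can run over inbound SMS or mail-gateway text is to extract every URL and flag links that carry that vocabulary on an untrusted registrable domain. The following is an added example written for this page, not Twilio’s or Okta’s code; the allowlist, keyword list and sample message are constructed, and the two-label domain extraction stands in for a real Public Suffix List lookup.

```python
"""Flag sign-in links that use SSO vocabulary on a domain the company does not own.

Added defensive example, not code from Twilio or Okta. TRUSTED_DOMAINS, SSO_KEYWORDS
and SAMPLE_SMS are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: registrable domains where this hypothetical company's
# real sign-in pages live (its Okta tenant and its own corporate domain).
TRUSTED_DOMAINS = {"okta.com", "example-corp.com"}

# Vocabulary the phishing texts used to look like genuine IT notices.
SSO_KEYWORDS = ("okta", "sso", "login", "signin", "password", "expire")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample text in the style the article describes (hypothetical domain).
SAMPLE_SMS = (
    "IT: Your Example-Corp password expires today. "
    "Renew it at https://example-corp-sso.com/login"
)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    A production check would consult the Public Suffix List so that hosts such as
    'foo.co.uk' are handled correctly; two labels are enough for this example.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike' or 'untrusted'.

    'lookalike' means the hostname carries SSO vocabulary but its registrable
    domain is not one the company owns, e.g. okta.com.evil-example.net or
    example-corp-sso.com. Subdomains of trusted domains are trusted.
    """
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    if any(keyword in host for keyword in SSO_KEYWORDS):
        return "lookalike"
    return "untrusted"


def triage_message(text: str) -> list:
    """Extract every URL in a message and pair it with its classification."""
    return [(url, classify_url(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_SMS):
        print(f"{verdict:10} {url}")
```

The check is deliberately conservative: it trusts only registrable domains on the allowlist, so `example-corp.okta.com` passes while `okta.com.evil-example.net` (where `okta.com` is merely a subdomain prefix) is flagged. It is a triage signal for a SOC queue, not a blocker on its own.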

But the company said the threat actors seemed undeterred. “Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks,” Twilio’s blog post said. “Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions.”

TechCrunch has since learned that the same actor also set up phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer service provider, though what impact on these organizations — if any — isn’t currently known.

When reached, Twilio spokesperson Laurelle Remzi declined to say how many customers were affected or what data was accessed by the threat actors. Twilio’s privacy policy says the information it collects includes addresses, payment details, IP addresses, and in some cases proof of identity.

Twilio said since the attack, it has revoked access to the compromised employee accounts and has increased its security training to ensure employees are on “high alert” for social engineering attacks. The company said it has begun contacting affected customers on an individual basis.

Twitter fixes security bug that exposed at least 5.4 million accounts

Twitter says it has fixed a security vulnerability that allowed threat actors to compile information on 5.4 million Twitter accounts, which were listed for sale on a known cybercrime forum.

The vulnerability allowed anyone to enter a phone number or an email address of a known user and learn if it was tied to an existing Twitter account, potentially exposing the identities of pseudonymous accounts.

In a brief statement published Friday, the microblogging giant said, “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”
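The flaw described above is an account-enumeration oracle: the lookup endpoint’s response itself reveals whether an email address or phone number belongs to an account, and which one. The following added example, not Twitter’s code, shows that leaky design beside a hardened version of the same feature, in which known and unknown identifiers receive an identical response, any follow-up goes out-of-band to the identifier’s owner, and per-client rate limiting makes bulk probing slow and visible. The user store, handles and client IDs are constructed sample data.

```python
"""Account lookup: an enumerable design beside a hardened one.

Added example, not Twitter's code. USERS, the handles and the client IDs are
constructed sample data; the endpoint shape is assumed for illustration.
"""
import time
from collections import defaultdict
from typing import Optional

# Constructed sample store: identifier (email or phone) -> account handle.
USERS = {
    "alice@example.com": "@alice_real",
    "+15551234567": "@pseudonymous_reporter",
}


def lookup_enumerable(identifier: str) -> dict:
    """Leaky design: the response says whether the identifier maps to an account,
    and which one. Anyone holding a list of emails or phone numbers can walk it
    and link pseudonymous handles to real identities."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


class HardenedLookup:
    """Same feature (e.g. account recovery) without an existence oracle.

    - identical response body for known and unknown identifiers;
    - the reset/contact step is sent out-of-band to the identifier itself,
      so only its owner learns whether an account exists;
    - per-client rate limiting, with an audit record, so bulk probing is
      slow and shows up in logs.
    """

    def __init__(self, max_requests: int = 5, window_seconds: int = 3600):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(list)   # client_id -> request timestamps
        self.sent = []                   # identifiers contacted out-of-band
        self.audit_log = []              # rate-limit events for the SOC

    def _rate_limited(self, client_id: str, now: float) -> bool:
        # Sliding window: keep only timestamps inside the window, then count.
        recent = [t for t in self._hits[client_id] if now - t < self.window]
        recent.append(now)
        self._hits[client_id] = recent
        return len(recent) > self.max_requests

    def _send_out_of_band(self, identifier: str) -> None:
        # Stand-in for emailing/texting the owner; recorded so tests can check it.
        self.sent.append(identifier)

    def lookup(self, identifier: str, client_id: str,
               now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        if self._rate_limited(client_id, now):
            self.audit_log.append(f"rate_limit client={client_id} t={now}")
            return {"status": "too_many_requests"}
        if identifier in USERS:
            self._send_out_of_band(identifier)
        # Same response whether or not the identifier exists.
        return {"status": "ok",
                "message": "If an account matches, instructions were sent to it."}


if __name__ == "__main__":
    print(lookup_enumerable("+15551234567"))      # leaks the handle
    hardened = HardenedLookup(max_requests=3, window_seconds=60)
    print(hardened.lookup("+15551234567", "client-a"))
    print(hardened.lookup("nobody@example.com", "client-a"))  # indistinguishable
```

The uniform response closes the direct oracle; the rate limit and audit log address the remaining risk that a patient attacker probes slowly over months, which is the window the article describes.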

Twitter said it fixed the bug in January — six months after the bug was initially introduced to its codebase — after a bug bounty report by a security researcher, who was awarded $6,000 for disclosing the vulnerability.

According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts, and could be used to “create a database” or enumerate “a big chunk of the Twitter user base.” It’s similar to a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers to Twitter accounts.

But the researcher’s warning came too late. Hackers had already exploited the vulnerability during that six-month window to create a database of email addresses and phone numbers of 5.4 million Twitter accounts.

Twitter said it learned about the exploitation from an unspecified press report in July, which found a listing on a cybercrime forum claiming to have user data “from celebrities to companies,” and OGs, referring to custom or highly sought-after social media and gaming usernames.

“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.”

It’s the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission after the company misused phone numbers and email addresses, which users submitted for setting up two-factor authentication, for targeted advertising.

German semiconductor giant Semikron says hackers encrypted its network

Semikron, a German manufacturer that produces semiconductors for electric vehicles and industrial automation systems, has confirmed it has fallen victim to a cyberattack that has resulted in data encryption.

“Semikron is already in the process of dealing with the situation so that workflows and all related processes can continue without disruption for both employees and customers as soon as possible,” a Semikron spokesperson told TechCrunch.

Semikron declined to disclose the nature of the cyberattack, but all signs point to ransomware. The semiconductor maker said in a statement that hackers claim to have “exfiltrated data from our system,” adding that the incident has led to a “partial encryption of our IT systems and files.” This suggests the malicious actor behind the attack has used the double extortion ransomware tactic, whereby cybercriminals exfiltrate a victim’s sensitive data in addition to encrypting it.

The Nuremberg-based group company, which claims to power 35% of the wind turbines installed globally each year, declined to say who was behind the attack or whether it received a ransom demand. However, Bleeping Computer reports that Semikron was the victim of the LV ransomware, with the hackers apparently stealing 2 terabytes of documents.

LV ransomware has been in operation since at least 2020 and uses a modified variant of REvil ransomware, according to cybersecurity company Secureworks. According to the group’s dark web blog, which doesn’t yet list Semikron as a victim, the gang targets companies that allegedly do not meet data protection obligations.

“They rejected to fix their mistakes, they rejected to protect this data in the case when they could and had to protect it,” its dark web blog states. “These companies preferred to sell their private information, their employees’ and customers’ personal data.”

It’s unclear what data was exfiltrated from Semikron’s systems, and the company declined to say how many customers and employees are potentially impacted. Semikron has over 3,000 employees in 24 offices and 8 production sites worldwide across Germany, Brazil, China, France, India, Italy, Slovakia, and the United States.

“With the support of external cyber security and forensic experts, we are investigating the incident,” Semikron added. “At the same time, we are working to restore the ability to work in order to minimize the disruption to our employees, customers and partners and to ensure the security of our IT systems as best as possible.”

Microsoft links Windows zero-day hacks to Austrian spyware maker

Microsoft has linked the exploitation of several Windows and Adobe zero-days targeting organizations in Europe and Central America to a little-known Austrian spyware maker.

The technology giant’s threat intelligence and security response units have linked a number of cyberattacks to a threat actor it calls “Knotweed,” better known as the Vienna-based intelligence-gathering company, Decision Supporting Information Research Forensic, or DSIRF. On its website, DSIRF says it was founded in 2016 but claims to have over two decades of experience delivering “data-driven intelligence to multinational corporations in the technology, retail, energy and financial sectors,” as well as offering red team testing, where hackers are given permission to find and exploit security vulnerabilities during product testing.

Microsoft said in its report out Wednesday that Knotweed has been active since at least 2020 and developed spyware — dubbed Subzero — that allows its customers to remotely and silently break into a victim’s computer, phone, network infrastructure and internet-connected devices. Subzero is similar to NSO Group’s Pegasus and Candiru’s DevilsTongue spyware in functionality, and is often used by governments to monitor journalists, activists, and human rights defenders.

According to a copy of an internal presentation published by Netzpolitik in 2021, DSIRF advertises Subzero as a “next generation cyber warfare” tool that can take full control of a target’s PC, steal passwords, and reveal its real-time location. The report claims that DSIRF, which reportedly has links to the Russian government, advertised its tool for use during the 2016 U.S. presidential election. The report states that Germany was also considering the purchase and use of Subzero for use by its police and intelligence services.

Microsoft notes that as well as selling the Subzero malware, DSIRF — a.k.a. Knotweed — was observed using its own infrastructure in some of the attacks, suggesting more direct involvement in the targeting of victims, which included law firms, banks, and strategic consultancies with known victims in Austria, Panama, and the United Kingdom.

But the technology giant said it has confirmed with a victim targeted by Subzero that they had “not commissioned any red teaming or penetration testing,” and that the activity was unauthorized and malicious.

Subzero is distributed through a number of vectors, according to the report, including multiple zero-day exploits in Windows and Adobe. This includes the recently patched CVE-2022-22047 flaw, a bug in the Windows client-server runtime subsystem (CSRSS), which can be used to obtain a higher level of access to the victim’s device than the logged-in user. Microsoft said it had patched at least four zero-days used by DSIRF since 2021.

Knotweed also embedded malicious macros in Excel documents, which included second-stage malware hidden inside a regular-looking but “abnormally large” JPEG image that was disguised as a meme. Macros are a common way for malicious actors to gain access to deploy malware and ransomware, but were recently blocked by Microsoft in Office apps by default.

[Image: a meme of Kim Jong-un with the words, "Can I eat this?"]

This “abnormally large” JPEG conceals the second-stage malware, which pulls the main spyware binary from the attackers’ command and control servers. Image Credits: Microsoft

When reached by phone, a DSIRF representative said they would provide TechCrunch with a response to Microsoft’s report, but the response was not provided by press time.

To defend against these attacks, Microsoft recommends that organizations patch CVE-2022-22047, keep antivirus software up to date, and enable multi-factor authentication.

The tech giant is also calling for more action to be taken against spyware makers, warning that DSIRF will not be the last cyber mercenary to come to light.

“We are increasingly seeing [private-sector offensive actors] selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms, where they are used to target human rights advocates, journalists, dissidents and others involved in civil society,” said Chris Goodwin, general manager at Microsoft’s Digital Security Unit. “We welcome Congress’s focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world.”

Cybersecurity vendor Entrust tells customers data was stolen during June cyberattack

Minneapolis-based cybersecurity giant Entrust has confirmed it was hit by a cyberattack last month.

Entrust, which describes itself as a global leader in identities, payments and data protection, told TechCrunch that an “unauthorized party” was able to access parts of its systems used for internal operations on June 18.

“We promptly began an investigation with the assistance of a leading third-party cybersecurity firm and have informed law enforcement,” Ken Kadet, vice president of communications at Entrust, said in a statement. “While our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate, air-gapped environments from our internal systems and are fully operational.”

Cybersecurity researcher Dominic Alvieri obtained and published a July 6 notice sent to Entrust customers, which cited Entrust CEO Todd Wilkinson saying that “some files were taken from our internal systems.”

“As we continue to investigate the issue, we will contact you directly if we learn information that we believe would affect the security of the products and services we provide to your organization,” Wilkinson added in his note to customers.

When asked by TechCrunch, Entrust declined to confirm if data was stolen or say what kind of data was stolen. Entrust also would not say if the intrusion was related to ransomware. It doesn’t appear any ransomware gang has yet claimed responsibility for the attack.

Entrust says on its website that it has more than 10,000 customers, including Microsoft, VMware and a number of U.S. government agencies such as the Department of Homeland Security and the Treasury.

A data security incident is bruising for any cybersecurity company, but Entrust is not the first cybersecurity giant to be breached this year. Back in March, authentication giant Okta admitted that 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network. And in 2020, cybersecurity insurance giant CNA was hit by ransomware.

A newly discovered malware hijacks Facebook Business accounts

An ongoing cybercriminal operation is targeting digital marketing and human resources professionals in an effort to hijack Facebook Business accounts using a newly discovered data-stealing malware.

Researchers at WithSecure, the enterprise spin-off of security giant F-Secure, discovered the ongoing campaign they dubbed Ducktail, and found evidence to suggest that a Vietnamese threat actor has been developing and distributing the malware since the latter half of 2021. The firm added that the operation’s motives appear to be purely financially driven.

The threat actor first scouts targets via LinkedIn, selecting employees likely to have high-level access to Facebook Business accounts, particularly those with the highest level of access.

“We believe that the Ducktail operators carefully select a small number of targets to increase their chances of success and remain unnoticed,” said Mohammad Kazem Hassan Nejad, a researcher and malware analyst at WithSecure Intelligence. “We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted.”

The threat actor then uses social engineering to convince the target to download a file hosted on a legitimate cloud host, like Dropbox or iCloud. While the file features keywords related to brands, products, and project planning in an attempt to appear legitimate, it contains data-stealing malware that WithSecure says is the first malware that they have seen specifically designed to hijack Facebook Business accounts.

Once installed on a victim’s system, the Ducktail malware steals browser cookies and hijacks authenticated Facebook sessions to steal information from the victim’s Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account that the victim has sufficient access to simply by adding their email address to the compromised account, which prompts Facebook to send a link, via email, to the same email address.

“The recipient — in this case, the threat actor — then interacts with the emailed link to gain access to that Facebook Business. This mechanism represents the standard process used to grant individuals access to a Facebook Business, and thus circumvents security features implemented by Meta to protect against such abuse,” Nejad says.

The threat actors then leverage their new privileges to replace the account’s set financial details in order to direct payments to their accounts or to run Facebook Ad campaigns using money from the victimized firms.

WithSecure, which shared its research with Meta, said it was “unable to determine the success, or lack thereof” of the Ducktail campaign and couldn’t say how many users have potentially been affected, but noted that it has not seen a regional pattern in Ducktail’s targeting, with potential victims spread across Europe, the Middle East, Africa and North America.

A spokesperson for Meta told TechCrunch in a statement: “We welcome security research into the threats targeting our industry. This is a highly adversarial space and we know these malicious groups will keep trying to evade our detection. We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be cautious about what software they install on their devices.”

FBI warns hackers are using fake crypto apps to defraud investors

The FBI has issued a public warning about fraudulent cryptocurrency investment apps after hackers posing as legitimate services stole tens of millions of dollars from U.S. investors.

In an advisory published on Monday, the law enforcement agency said hackers have been posing as legitimate cryptocurrency investment organizations in an effort to convince investors to download fraudulent apps. After downloading the apps — which use the names, logos and other identifying information of legitimate services — victims found themselves unable to withdraw funds supposedly deposited into their accounts. When they attempted to do so, they received messages stating that they needed to pay taxes on their investments first. Even when they paid, the FBI said the funds remained locked.

The FBI says cybercriminals have been using these apps with “increasing success” to defraud investors and estimates that roughly $42.7 million has been stolen from 244 victims in an eight-month window between October 2021 and May 2022.

In one particular case, cybercriminals posed as employees of the company YiBit, a cryptocurrency exchange that went out of business in 2018. Using a fake app, criminals stole about $5.5 million from four different victims. In another, they posed as Supayos or Supay, the name of a currency exchange provider in Australia, to defraud two victims.

In another case, observed between December 2021 and May 2022, unidentified hackers took some $3.7 million from 28 individuals over the course of six months by pretending to be representatives from a legitimate, unnamed financial entity.

The FBI is advising investors to be wary of prompts to install investment apps from unknown individuals, to verify that the company behind such apps is legitimate, and to treat apps with broken or limited functionality with skepticism.

Although the FBI did not name or attribute the hackers to a particular group or nation-state, several U.S. government agencies — including CISA and the FBI — have warned in recent months of North Korean hackers targeting cryptocurrency and blockchain companies with malicious crypto-stealing apps. North Korea has long used cryptocurrency-stealing operations to fund its nuclear weapons program.

While cybercriminals have long relied on cryptocurrency as a means of financial extraction, they are increasingly turning their attention to targeting crypto wallets and Blockchain bridges, tools that enable users to transfer their crypto assets from one blockchain to another. Last month, hackers exploited a vulnerability to steal $100 million from Harmony’s Blockchain Bridge, an attack that has since been linked to the North Korean-backed Lazarus group.

China-backed hackers targeted White House journalists before January 6

Researchers at cybersecurity company Proofpoint said they have observed the China-backed advanced persistent threat group, TA412, also known as Zirconium, engaging in several reconnaissance phishing campaigns since early last year.

Proofpoint says it witnessed five separate phishing campaigns in January and February 2021 targeting U.S.-based journalists, notably those covering U.S. politics and national security. However, the researchers noted a “very abrupt shift in targeting of reconnaissance phishing” in the days leading up to the January 6 attack on the U.S. Capitol, with the hackers focusing on Washington D.C. and White House correspondents.

The China-backed hackers utilized subject lines pulled from recent U.S. news articles, such as “Jobless Benefits Run Out as Trump Resists Signing Relief Bill,” “US issues Russia threat to China,” and “Trump Call to Georgia Official Might Violate State and Federal Law,” according to the researchers.

Then, months later in August 2021, Zirconium turned its attention to journalists working on cybersecurity, surveillance, and privacy issues with a focus on China. The group resumed its activity in February 2022 following a months-long pause to target U.S.-based media organizations reporting on Russia’s then-anticipated invasion of Ukraine.

Proofpoint observed another China-backed threat group, known as TA459, targeting journalists and media personnel in late April 2022 with malware that, if opened, gave the attackers a backdoor to a victim’s machine. This campaign used a potentially compromised Pakistani government email address to send the emails and looked to entice victims with a lure on foreign policy in Afghanistan.

The researchers said they have seen a “sustained effort” by advanced threat groups around the world targeting or leveraging journalists, and found similar cyber-operations launched by state-sponsored hackers in North Korea, Turkey and Iran.

The North Korean-aligned TA404 hacking group, better known as Lazarus, was also active in targeting American journalists. The group, which was recently linked to the $100 million Harmony bridge theft, is said to have targeted a media organization with job opportunity-themed phishing after it published an article critical of North Korean leader Kim Jong-un. While Proofpoint did not see follow-up emails, its researchers note that the attack shares indicators of compromise with a North Korean campaign observed by Google threat researchers earlier this year.

In Turkey, a threat actor that Proofpoint tracks as TA482 and associates with the Turkish government was observed engaging in credential harvesting campaigns that targeted the social media accounts of mostly U.S.-based journalists and media organizations. The researchers also report that TA453, another hacking group that is believed to support the intelligence collection efforts of Iran’s Islamic Revolutionary Guard Corps, is masquerading as journalists before deploying credential harvesting malware.

Proofpoint said that while targeting journalists and media organizations is not novel, those operating in the media space should assess their level of risk. “If you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future,” the researchers warn.

A ransomware attack on a debt collection firm could be one of 2022’s biggest health data breaches

A ransomware attack on a little-known debt collection firm that serves hundreds of hospitals and medical facilities across the U.S. could be one of the biggest data breaches of personal and health information this year.

The Colorado-based Professional Finance Company, known as PFC, which contracts with “thousands” of organizations to process customer and patient unpaid bills and outstanding balances, disclosed on July 1 that it had been hit by ransomware months earlier in February.

PFC said in its data breach notice that more than 650 healthcare providers are affected by its ransomware attack, adding that the attackers took patient names, addresses, their outstanding balance and information relating to their account. PFC said that in “some cases” dates of birth, Social Security numbers and health insurance and medical treatment information were also taken by the attackers.

In a separate filing with the U.S. Department of Health and Human Services, PFC confirmed that over 1.91 million patients are affected by the cyberattack.

At least two healthcare organizations listed as affected by PFC have issued their own data breach notifications. Bayhealth Medical Center in Delaware said 17,481 patients were affected by the PFC breach, while Coleman County Medical Center in Texas disclosed the breach to 1,159 patients.

The attack on PFC is second only in size to a March 2022 data breach at Shields Health Care Group, a medical imaging company with facilities across New England, affecting an estimated two million patients.

PFC chief executive Michael Shoop did not respond to our email asking for information about its ransomware attack. Instead, the company’s general counsel Nick Prola reiterated its boilerplate statement in an email but declined to answer our specific questions, including why it took the company four months to notify affected healthcare providers and whether the stolen data was encrypted.

It’s not the first time a debt collection firm has been targeted by cybercriminals, resulting in a massive theft of personal information. At least 20 million patients had data stolen when AMCA, a medical debt collector contracted with laboratory testing giants LabCorp and Quest Diagnostics, was hit by a data breach. AMCA subsequently filed for bankruptcy following the breach.
You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.

‘Elden Ring’ gaming giant Bandai Namco says hackers may have stolen customer data

Bandai Namco, the Japanese video game publisher behind titles including Pac-Man, Tekken and Elden Ring, has admitted that hackers accessed its systems and potentially made off with customer data.

In a statement shared with TechCrunch, Bandai Namco said it detected “unauthorized access” to its systems by a third party on July 3, adding that it has since taken measures, such as blocking access to the affected servers, to “prevent the damage from spreading.” The confirmation comes days after the Alphv ransomware gang, also known as BlackCat, added the Japanese company to its dark web leak site.

Bandai Namco declined to elaborate on the nature of the cyberattack or how hackers were able to access its systems, but warned customer data may have been stolen, all but confirming that it was hit by ransomware.

“There is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage [sic], scope of the damage, and investigating the cause,” Bandai Namco said.

The Alphv ransomware group — believed to be the latest incarnation of the DarkSide ransomware gang responsible for the Colonial Pipeline attack — has threatened that the stolen data will be released “soon,” but no exact deadline has been given. Bandai Namco declined to say whether it had been given a ransom demand.

“We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate,” Bandai Namco added. “We will also work with external organizations to strengthen security throughout the Group and take measures to prevent recurrence. We offer our sincerest apologies to everyone involved for any complications or concerns caused by this incident.”

Bandai Namco is the latest in a long line of gaming companies to be targeted by hackers. CD Projekt Red, the studio behind The Witcher 3 and Cyberpunk 2077, was last year hit by a ransomware attack, which saw hackers leak data related to its games, contractors, and employees. Electronic Arts was also hit by a cyberattack last June, an incident that is believed to be linked to the once-notorious Lapsus$ hacking group.