Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Breach Roundup: More Fallout From the LockBit Takedown

Also: Avast Agrees to $16.5 Million Civil Penalty to Settle Privacy Investigation
Breach Roundup: More Fallout From the LockBit Takedown
Image: Shutterstock

This week: more fallout from LockBit, Avast to pay $16.5M, Russia-linked group targeted mail servers, no indication that AT&T was hacked, analysis of a patched Apple flaw, Microsoft enhanced logging, Android banking Trojan evolved, North Korean hackers targeted defense sector and baking giant fell to ransomware.

See Also: The Cost of Underpreparedness to Your Business

LockBit Takedown Shutters 14,000 Email Accounts

Authorities shuttered 14,000 email accounts linked to ransomware-as-a-service group LockBit, which authorities in an international law enforcement operation infiltrated and took down earlier this week.

Police from the United Kingdom, the United States and Europe seized more than 35 LockBit servers and replaced the group's dark web leak page with a seizure notice as part of an action dubbed Operation Cronos (see: Arrests and Indictments in LockBit Crackdown).

In a Thursday update posted to the seized LockBit leak site, authorities said they had identified and referred for removal more than 14,000 email accounts from providers Mega, Tutanota and Protonmail.

A Proton spokesperson refused to comment on the development or the nature of the law enforcement inquiry, citing "privacy reasons" and legal limitations. "We take our responsibilities extremely seriously and when we receive reports of illegal activity, we investigate and suspend any accounts found to be breaking our rules," the spokesperson said.

Data seized from the ransomware group shows it was at work on a "next-generation" crypto-locking malware, dubbed LockBit-NG-Dev, "which could be an upcoming version the group might consider as a true 4.0 version once complete," said Trend Micro (see: LockBit Group Prepared New Crypto-Locker Before Takedown).

LockBit was behind a slew of destructive attacks including a January attack against a Chicago children's hospital. In November, the group disrupted the U.S. Treasuries market through an attack on the New York financial services subsidiary of the Industrial and Commercial Bank of China. The U.S. Department of the Treasury on Tuesday said the attack had affected the settlement of more than $9 billion worth of Treasury-backed assets.

Operation Cronos has resulted in the arrest in Poland of a 38-year-old man, and police in Ukraine detained a father-and-son hacking team. Police also posted a snapshot of approximately 200 affiliates who had worked with LockBit over the past two years. When LockBit affiliates log onto the LockBit administrative panel now, they see a message stating that police have "details of the victims you have attacked, the amount of money extorted, the data stolen, chats and much, much more."

"We may be in touch with you very soon. If you would like to contact us directly, please get in touch," the message says.

Avast to Pay $16.5 Million to End US FTC Investigation

Gen Digital, the U.S. parent company of Czech antivirus firm Avast, agreed to pay $16.5 million in civil penalties to the U.S. Federal Trade Commission to settle accusations that it sold detailed online behavior gathered from Avast antivirus software and browser extensions.

The consumer protection agency in a complaint detailed how for about seven years starting in 2014, Avast used access to millions of consumer desktops and mobile devices - oftentimes under the guise of stopping online tracking - to sell to third parties, including what web pages users visited and what search queries they used. Avast in January 2020 wound down its data-harvesting program after the program was revealed in an investigation by PCMag and Motherboard.

Under a consent order - formally subject to a final vote after a 30-day public comment period - Avast must also delete the data, models and algorithms developed using consumer data gleaned through its antivirus apps. It must also contact the third parties that bought that information and ensure that they do the same.

"Businesses by default cannot sell people's sensitive data or disclose it to third parties for advertising purposes," said FTC Chair Lina Khan in a statement with by Commissioners Rebecca Slaughter and Alvaro Bedoya. "A record of the websites someone visits can divulge everything from someone's romantic interests, financial struggles, and unpopular political views to their weight-loss efforts, job rejections, and gambling addiction," she said.

Gen Digital in an emailed statement said that while it disagrees "with the FTC's allegation and characterization of the facts," it is "pleased to resolve this matter and looks forward to continuing to serve our millions of customers around the world."

Russia-Linked Group Targets European Mail Servers

The Russia-linked threat group tracked by Recorded Future as TAG-70 orchestrated a cyberespionage campaign that targeted mail servers across Ukraine, Georgia and Poland, the cybersecurity company said. Also tracked as Winter Vivern, TA-473, and UAC-0114, the hacking group had been exploiting cross-site scripting vulnerabilities in Roundcube webmail servers since at least October, Recorded Future said. The group focuses on acquiring intelligence related to European political and military activities, particularly concerning Ukraine's war efforts.

The campaign has affected at least 80 organizations, primarily organizations in Georgia, Poland and Ukraine. The hacking group is a well-known cyberespionage group with a history of targeting European and central Asian governments since 2020. Recorded Future isn't the only company to have spotted the campaign: Eset reported on it in October (see: Breach Roundup: Winter Vivern Hunting for Emails).

No Indication That AT&T Outage Is a Cyberattack

Update Feb. 23, 2024 21:43 UTC: AT&T said that after an initial review, it believes "the outage was caused by the application & execution of an incorrect process used as we were expanding our network, not a cyber attack."

A Thursday morning network outage at AT&T, the largest U.S. cellular carrier, shows no evidence of being the work of a cyberattacker. As of late morning, the telecom giant said that it had restored three-quarters of its network. AT&T serves 217 million mobile customers, according to its most recent annual report.

"The FBI is in contact with AT&T regarding today's network outage. Should we learn of any malicious activity we will respond accordingly," a bureau spokesperson said in an emailed statement.

ABC News reported that the U.S. Cybersecurity and Infrastructure Security Agency in an early morning memo concluded that "there are no indications of malicious activity."

Sources told CNN the issue appears to stem from a flaw in the peering handoff between networks. An academic told the network that the outage may have been caused in the company's cloud-based networking system. "The dirty secret of telecom networks these days is they are just a bunch of wires and towers connected to the cloud," said Lee McKnight, an associate professor at the Syracuse University School of Information Studies.

An astrophysicist took to Twitter to debunk a suggestion that a massive solar flare had caused the interruption. Although there was a large flare, it occurred while North America was in night time. "Flares only cause radio degradation on the *dayside* of the Earth," said Ryan French.

U.S. Sen. Marco Rubio said on Twitter that he doesn't know the cause of the outage. "But I do know it will be 100 times worse when #China launches a cyber attack on America on the eve of a #Taiwan invasion And it won’t be just cell service they hit, it will be your power, your water and your bank," wrote the Florida Republican.

A Look Into The Patched Apple Shortcuts Vulnerability

A vulnerability in Apple's Shortcuts automation application could allow attackers to access sensitive user data, Bitdefender said in a Thursday blog post. Tracked as CVE-2024-23204, the vulnerability allows an attacker to create on unpatched Apple devices a Shortcuts file that can bypass Apple's security framework and access sensitive data on the target system. Apple patched the flaw on Jan. 22.

Shortcuts is an app designed for macOS and iOS devices that enables users to automate a wide range of actions, from simple tasks such as sending messages to complex operations involving multiple applications. The vulnerability allows attackers to craft a Shortcuts file that bypasses the Apple Transparency, Consent and Control security framework, which ensures that apps obtain user permission before accessing data. Bitdefender researchers said were able to use the Expand URL function to bypass TCC. "The method involves selecting any sensitive data (Photos, Contacts, Files and Clipboard Data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server."

Bitdefender urged users to ensure they are running the latest macOS, iOS and iPadOS software.

Microsoft Enhances Logging Capabilities for Federal Agencies

Microsoft on Wednesday unveiled expanded logging capabilities for federal agencies, after a successful pilot involving the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget and the Office of the National Coordinator for Health Information Technology. The enhanced logging features will be available to all agencies that use Microsoft Purview Audit, without additional cost.

The computing giant in July pledged to expand access to logs at no additional cost after lower-tier customers were unable to detect a Chinese cyberattack due to a paucity of logging data. "Asking organizations to pay more for necessary logging is a recipe for inadequate visibility into investigating cybersecurity incidents," CISA Executive Assistant Director Eric Goldstein said in a blog post at the time (see: Microsoft Expands Logging Access After Chinese Hack Blowback).

Microsoft's announcement didn't earn it universal plaudits. "Microsoft doesn't deserve any praise for caving to pressure and announcing that it will no longer gouge its customers for additional fees for basic features like security logs," U.S. Sen. Ron Wyden told CyberScoop. "Like an arsonist selling firefighting services, Microsoft has profited from the vulnerabilities in its own products and built a security business generating tens of billions of dollars a year. There is no clearer example of the need to hold software companies liable for their negligent cybersecurity," the Oregon Democrat added.

Android Banking Trojan Anatsa Evolves

Android banking Trojan Anatsa is a threat to users across Europe through malicious apps distributed through the Google app store, online fraud detection firm ThreatFabric reported.

Company researchers in November detected a resurgence of the Trojan and a push by its operators to move away from targeting victims in the United Kingdom, Germany and Spain by including mobile device users in Slovakia, Slovenia and the Czech Republic.

The Trojan gets around some Android security features by first holding back on delivering malicious code. In one case, developers posted onto Google Play a harmless cleaner app. Like many Trojans, the app requested access to the Android AccessibilityService, an operating system feature meant to allow developers to adapt apps to users with disabilities. Google has cracked down on AccessibilityService abuse by requiring developers to provide a clear explanation for why the app needs access.

Anatsa developers told users the cleaner app needed access to" hibernate draining apps." Because the app was not malicious, it apparently raised no flags. "However, a week after its release, an update introduced malicious code," ThreatFabric said.

ThreatFabric said the Trojan's latest campaign involves five droppers that have been installed more than 100,000 times. "We anticipate the continuation of this campaign, with new droppers appearing in the official store and an expansion into additional targeted regions," the firm said.

North Korean State Hackers Target Global Defense Sector

A joint advisory from German domestic intelligence service the Federal Office for the Protection of the Constitution - known as the BfV - and South Korea's NIS revealed a cyberespionage campaign orchestrated by North Korean state-sponsored threat actors targeting defense sectors worldwide. The alert highlighted an attack against a maritime technology research center made through a third-party web server maintenance firm.

North Korean hackers breached the company and stole secure shell credentials to remotely access the research center's web server and initiated lateral movement by stealing account credentials of a security manager. They impersonated the manager to email the maintenance firm a request to distribute a patch file containing malicious functions. The genuine security manager was able to block the attempt in time, the advisory says.

Medusa Targets Grupo Bimbo

Hold on to your conchas - baking giant Grupo Bimbo has suffered a ransomware attack by the Medusa ransomware group. According to various reports, the attack targeted critical systems within the organization, potentially exposing sensitive data.

The ransomware group demanded a payment of $6,500,000 in exchange for returning control over exfiltrated data. Grupo Bimbo began as a bakery in Mexico City in 1945 and has since expanded into a global presence through brands that include Tía Rosa, Pullman, Sara Lee, Thomas' and Arnold, as well as baked goods sold under the Bimbo brand.

Other Coverage From Last Week

With reporting from Information Security Media Group's Akshaya Asokan in southern England; David Perera in Washington, D.C.; Mihir Bagwe in Mumbai, India; and Prajeet Nair in Bengaluru, India.

About the Author

Anviksha More

Anviksha More

Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.