Imagine this: you buy a webcam off Amazon, you don’t really think much of it, and then a couple of years later, it’s no longer getting updates. You still don’t think anything of it. But then, suddenly you find out that you’re not the only one who’s looking through the webcam. It’s creepy. Not only that, but we have another article that we’re gonna touch on where over 900,000 people’s medical information got shared or breached.
So imagine your private, intimate information going back and forth with the doctor, or stuff like your prescriptions, or what you’ve been diagnosed with, has kind of been thrown out on the internet. There’s been a new breach and we need to talk about it today. We’re facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount and how little is noticed in our everyday lives?
Malware, dark sites, brute forcing, zero days, script kiddies, and nation-state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey everyone, another episode of Exploit Brokers is coming to you now. Welcome to another episode of Exploit Brokers.
I’m your host, Cipherceval, and if you could please do me a big favor, because it helps the channel grow, if you can hit that like, subscribe, and bell notification icon. And if you’re on YouTube, if you’re on a podcast platform like Spotify or Apple Podcasts, if you could please give us a subscribe or a follow, and give us a 5 star rating if you think we deserve it.
With that said, if you are on YouTube, check out our podcast, which is the audio version of this, and if you’re on the podcast, check out our YouTube. I’m hoping to try to get some educational content out, as much as I can. But with that, let’s jump into it. So, let’s talk about the first article by Bleeping Computer.
FBI spots HiatusRAT malware attacks targeting web cameras, DVRs. I know, creepy, but let’s jump into it. The FBI warned today that the new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online. As a private industry notification, a PIN, published on Monday explains, the attackers focus their attacks on Chinese-branded devices that are still waiting for security patches or have already reached end of life.
So, when you have a lot of devices that reach end of life, and this is also for software, for devices, devices are kind of a bit different, more extreme, because if the devices don’t have a very good way of updating, over-the-air updates or stuff like that, they can get out of a, you know, stable and safe operating system or safe firmware software that they’re running quicker.
But what’s happening is you have a lot of these devices that either users aren’t technically aware how, or there’s just no good method of updating or patching the firmware. Or, if they’ve reached end of life, there’s just no more firmware that’s gonna be made for these devices. You see this a lot with like, older devices, as well as devices whose company just decided it wasn’t worth the effort, or the time, or the money, to keep updating these devices.
In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom. The FBI said the actors scanned web cameras and DVRs, which is I believe digital video recorders, for vulnerabilities including CVE-2017-7921, CVE-2018-9995,
there’s three nines, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords. Yes, the admin/admin is, I know, shocking. The threat actors predominantly targeted Hikvision and Xiongmai devices with Telnet access using Ingram, an open source webcam vulnerability scanning tool, and Medusa, an open source authentication brute force tool.
So the CVEs are as old as 2017, which kind of gets at what I’m saying, right? You have a vulnerability that was found back in 2017. At this point, it’s no longer a zero day. It is a known vulnerability. I would have assumed at some point after a patch would have been made available. But if a camera or device is still vulnerable to the CVE, it’s been, what, we’re in 2024.
So you’re talking like seven-ish years if they couldn’t find a way to patch that device, or if they don’t have a good over-the-air update method, or if it’s just a very, you know, not straightforward, user-friendly way for that device to get updated, like a lot of IoT devices are. Um, I’m not an IoT expert, so if you know about IoT devices and you think there’s an easy way for a bunch of them to get updated, please reach out to me.
I’d love to find out more, but in this case, there’s 2017, right? Followed by a 2018, 2020. CVEs, for those of my listeners who are not aware of the nomenclature, is essentially CVE, dash, the year it was found, and then I believe the next number is the number in the list of vulnerabilities found in that year.
Now, their attacks targeted web cameras and DVRs with the 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 TCP ports exposed to internet access. So, whenever you expose any port to the internet, you are bound to get a flood of bots, a flood of hacking attempts on that, because you’re opening up to the internet, right?
This isn’t something that’s kept within your internal network. If these devices are purposefully exposing them to stream data, to open up an admin website, to do anything like that, right? You’re opening up a new way for people to hit it, which is probably where some of these CVEs are located, if I had to be honest. Now, the FBI advised network defenders to limit the use of devices mentioned in today’s PIN and/or isolate them from the rest of their networks to block breach and lateral movement attempts following successful HiatusRAT malware attacks.
It has also urged system administrators and cybersecurity professionals to send suspected indications of compromise (IOCs) to the FBI’s Internet Crime Complaint Center or their local FBI field office. So the isolation part, I want to touch on that, because some people might know what that is. Some people might not.
Whenever you break into, or a hacker breaks into, a system, right? Ultimately IoT devices and all this, they generally will run some kind of Linux or something else in them. Or if not, they still run a way to be able to run a shell. So when you do a lateral movement, that’s when you’ve successfully breached a computer. In this case, let’s, let’s assume for simplicity’s sake, the camera is running a Linux operating system.
So you’re in the camera and it has Linux operating system. And because it has something, some kind of Linux on there, you have a shell and some other capabilities. Now that you have a pivot point on a network, you can start to scan other devices. And if another device on that network also has some kind of CVE or also is weak password or something, then you can start hopping between the initial entry point and other devices on the network.
And the reason that’s bad is, right, say your camera is mostly locked down. You have a mostly locked down camera, but there’s a CVE, so they get in. If they’re able to pivot to another machine and that machine has higher privileges, then you can start to kind of work laterally and start to get more information, and eventually you’ll be able to get, like, really, really interesting data.
I’m oversimplifying that, but that’s kind of why this is bad. No, that is why this is bad. Now, if we keep going, the campaign followed two other series of attacks, one that also targeted a Defense Department server in a reconnaissance attack, and an earlier wave of attacks in which more than a hundred businesses from North America, Europe, and South America had their DrayTek Vigor VPN routers infected with HiatusRAT to create a covert proxy network.
So proxy networks being, you know, you have a machine in between you and the target server that you’re trying to get to, so you use that as a way to bounce the traffic off. Lumen, the cyber security company that first spotted HiatusRat, said the malware is mainly used to deploy additional payloads on infected devices.
converting the compromised systems into SOCKS5 proxies for command and control server communication. HiatusRAT’s shift in targeting preference and information gathering aligns with Chinese strategic interests, a link also highlighted in the Office of the Director of National Intelligence’s 2023 Annual Threat Assessment.
So when you have threat actors, like in this case, China, they are trying to get Intel, anything that could potentially give them an edge, anything they can find that is worth a lot of money. So if they’re deploying these rats and all this other stuff through their threat actors and efforts to get as much information, right?
The more devices you have hacked, especially stuff like webcams, the more information you can literally see, right? A webcam, if you hack it, you can get a bunch of data. Now, the reason that’s also very interesting and important, right? You have a lot of IoT devices that may go years with never being touched, right?
It’s not like your computer where you get a virus, you notice it’s slower, you take it to Geek Squad, and stuff like that, right? There’s IoT devices, and just devices in general, that have this kind of set it and forget it that I think a lot of average consumers, and just most consumers, have that mentality.
There was, um, there’s two interesting things that come to mind. One was a Twitter post, and if I can find it I’ll tag it in the description, but there was a Twitter post that was showing how someone’s washing machine was, like, downloading three gigs of data a day. And I don’t remember what the reason was; it might have been something legitimate, might have been malware.
I don’t remember. But the fact that your washing machine can download any kind of data over the internet is just wild, right? We went from devices being like these huge things that would fit, you know, in a bag or somewhere else. So, I mean, almost everything’s internet connected now. You have stuff like stoves, which are concerning to me. You have the fridges, you have smart air fryers.
Everything has a chip in it. Now everything’s an IoT device, technically. But you are seeing the shift with that, and that’s where it’s just, it’s concerning, right? You don’t want your microwave to phone home to some threat actor and give information, or, you know, maybe there’s other things that they can steal from the network, move laterally from your coffee machine to your computer devices.
There’s so much to this. I could probably list a bunch of things and keep going, but let’s jump into the next article, because it’s just as concerning as someone looking at you through your webcam. So, in an article by Bleeping Computer, again: ConnectOnCall breach exposes health data of over 910,000 patients.
Healthcare software-as-a-service company Phreesia is notifying over 910,000 people that their personal and health data was exposed in a May breach of its subsidiary ConnectOnCall, acquired in October 2023. ConnectOnCall is a telehealth platform and after-hours on-call answering service with automated patient call tracking for healthcare providers.
So, for my listeners in the other parts of the world, in the U.S. you have, uh, telehealth, which I imagine different countries, uh, probably do also have telehealth. I’m not familiar with telehealth in other countries, but for this case, I just kind of want to give some context. In the U.S., a lot of insurance providers, and there’s a lot of these popping up, where you can call a doctor, right?
If you have something like an ear infection or a throat infection, stuff that’s kind of easy to diagnose, then stuff like a telehealth visit is sometimes more accessible and easier to get to, especially with the, I believe it was like 24/7, or at least I know there’s some services that are 24/7, where you just need maybe some nausea meds, or you need some corticosteroid, or you need antibiotics, something, right, where getting to a doctor would be prohibitively expensive otherwise, because some of these services are offered through insurance providers for free, or maybe you have to take half a day from work to go to this doctor when you could just telehealth and get something in a couple of hours.
Um, it’s just becoming more, more ubiquitous. Now, on May 12th, 2024, ConnectOnCall learned of an issue impacting ConnectOnCall and immediately began an investigation and took steps to secure the product and overall security of its environment, the company revealed. ConnectOnCall’s investigation revealed that between February 16th, 2024 and May 12th, 2024, which is several months, mind you, an unknown third party had access to ConnectOnCall and certain data within the application, including certain information in provider-patient communications.
After discovering the breach, Phreesia notified federal law enforcement of the incident and hired external cybersecurity specialists to investigate its nature and impact. So, at that point, you have to escalate. Especially when it comes to healthcare, you have such sensitive information that if exposed, it just becomes more problematic.
And I’ll get to why I think it’s problematic in a minute. So, Phreesia also took ConnectOnCall offline and has since been working to restore the systems within a new and more secure environment. Be cool to see a write-up on what they did, but don’t worry, I don’t know if they would release that. While the statement does not include the total number of people impacted, ConnectOnCall told the U.S. Department of Health and Human Services, or the HHS, that the breach affected the protected health information of 914,138 patients. The personal information exposed during the almost 3-month-long breach, not an insignificant amount of time, includes information shared in communication between patients and their healthcare providers, such as names and phone numbers.
But wait, there’s more! This may have also included medical record numbers, dates of birth, as well as information related to health conditions, treatments, or prescriptions, and in a small number of cases, the affected individual’s social security number. Oh my. This is, this is where it gets bad. Like, it wasn’t bad enough that there’s another data breach.
It’s bad, right? You have more information that you can use to build a profile on potential victims. Which is just, oh my, that’s horrible. Okay. So, you already have a bunch of social securities, social security numbers, that are out there. If you can start correlating someone’s social security number with their conditions, their treatments, their prescriptions, their house location, their phone number.
You can start to build a very, very detailed profile on some individuals. Which, I mean, it’s no surprise that people’s data is out there on the dark web and on the internet. Fine. But now you’re getting stuff that should be better secured. Stuff that should be encrypted and hard to get to. And it’s just out there.
I mean, oh my, it’s just out there. And this is where I’m going to put on my developer hat for a second. This is where I think best practices would be a great way to kind of mitigate some of this, right? If we do proper encryption, if we do proper storing of data, if we do more things to protect the information, so if it gets leaked or, you know, breached or whatever, then it just becomes harder for a hacker to use.
If a hacker pulls something with 256-bit encryption on all of the data, and, you know, assuming you’re doing it properly and other stuff, then it’s almost garbage to them. If the keys are properly sanit-, not sanitized, but if the keys are properly loaded in a way that doesn’t expose them. You have stuff like AWS Secrets and other things you can do where they would have to not only breach the server, but they’d also have to breach an AWS account.
There’s, like, other things that a hacker would have to breach into. But even then, three months is not an insignificant amount of time to get data. Um, I think it was Kali Linux that popularized it, or who popularized it, but it was “the quieter you are, the more you can listen to.” And I, yeah, I mean, three months, they were either really good at hiding, or the mechanisms that they had for finding, like, individuals that shouldn’t be on the network on the network were just lacking.
I don’t know. It’s one of the two: either they were really good or the company was not as good as they needed to be. The ConnectOnCall service is separate from Phreesia’s other services, including our patient intake platform. Based on an investigation to date, there is no evidence that our other services have been affected, Phreesia said in a separate statement on its official website. So Phreesia acquired ConnectOnCall.
So that kind of doesn’t surprise me. When you have a company acquire another company, generally the way that I know, you don’t have an instant like, oh, they’re integrated, they’re in next day, right? You have these two different entities that are merging, right? An acquisition. But that means you have employees that have to get onboarded to the new one, assuming they’re not laid off.
You have different resources, different systems, even just simple stuff like, well not simple, but even stuff like payroll, from one company to another, or the HR software, or the IT software, or the ticketing software. There’s like dozens upon dozens of different things that need to get migrated, and merged together, and even then you can’t just smush it together and hope it works, because if you lose critical information, that’s bad.
Continuing: we understand the importance of this service to our clients’ business and we are working to restore the ConnectOnCall service as quickly as possible. Phreesia also advised potentially impacted individuals to report suspected identity theft or fraud to their insurer, health plan, or financial institution, even though the company has no evidence that the exposed personal information has been misused.
Just because you don’t have any evidence it’s been misused doesn’t mean it’s not going to be. If the data was breached, it’s gonna end up on a dump somewhere. And when I say dump, I mean literally a copy-paste dump. Like, that information’s somewhere on the dark web, normal web, somewhere. Pastebin. So, the fact that they don’t know of any that has been misused doesn’t mean it’s not going to be.
It, it’s out there now. And just like everything else, there’s gonna be more and more data that’s out there. So, the advice I would give is always check your credit scores, always check your stuff and find a way to get access to it. Um, not sponsored, but, you know, stuff like Experian, even Credit Karma, just something that lets you view your credit reports.
And if you see an account that you don’t know, or that shouldn’t be there, you can start to take action against it, right? Identity theft sucks. It’s not good, but there are ways we can fight back against that. Freezing your credit helps. There’s different things. I’m not a financial advisor, but, you know, there’s a huge financial burden that comes with identity.
Now, putting my developer hat back on, there were probably a lot of mistakes that were made on ConnectOnCall, right? The fact that they got acquired means that there was probably a bunch of scrambling. You might have had IT that wasn’t sure on the best way or the most timely way to migrate the systems.
Maybe they were just running old systems and they didn’t have the capabilities or the resources to patch everything. There, there could be dozens of ways, right? If they got in, I don’t think I saw any reason or any, any information on how they were breached, right? Could it be, you know, some user reused passwords and they got in that way?
I don’t know. If you guys know anything about that, please feel free to leave a comment in the, send me a message or leave a comment in the YouTube comments. But this is something that we’re seeing more and more. There are more data breaches. There is more stuff that’s out there to build profiles on potential victims.
And it’s, it’s gonna get easier for some threat actors and some hackers to just get that and abuse it. And we, we, the collective we, we, whether you’re a developer or a cybersecurity person or just someone who’s interested in this and wanting to find out more. I think it’s up to people who know about it to spread it to other people who may not, right?
Granny may not know. Now, granted, I don’t know if granny would be using ConnectOnCall, but granny won’t know that it was breached. I know a lot of these companies send out email, or not emails, but letters saying, hey, we had a breach and we’re offering like three months of identity theft protection or something like that.
We’re, I get those cards go out, right? But that’s not going to be enough. And I don’t think we’re going to get to a point where we have no data breaches. And that’s just the reality of it. Um, bugs exist, bugs will always exist and we’ll always have to patch them. Um, and that’s kind of, kind of the gist of it.
Um, now, to circle back to the first article, if you have a webcam by Hikvision or the other one, so pulling that name up, Hikvision or Xiongmai devices, I would decommission it if you can’t patch it, right? If it’s one of their end-of-life devices, just, just dump it. Uh, get rid of it. If it needs a security patch, patch it.
And this goes for any of your devices, right? Make sure your stuff’s up to date, make sure you’re running updates on everything. And if it’s connected to Wi-Fi, see if you can update it. Um, there’s another horror story that I read a while back where, um, there’s certain light bulbs, I would assume a lot of the light bulbs, when you connect it up to Wi-Fi and all this other stuff, that Wi-Fi information is stored on the light bulb.
So if you were to go throw it away, there is a way to pull the Wi-Fi and Wi-Fi password off the device, and now you have an entry point into the Wi-Fi, right? Granted, stuff like WEP and all that, there are ways to hack Wi-Fi, that isn’t new. Now you can literally just go and try to pull it off the device itself, for, you know, for the case of the light bulb, not pertaining to this per se.
But here, if they’re opening up to the internet, and there’s already tools, Ingram and Medusa, then really, really the best way to combat this from a consumer perspective is to pull vulnerable and end-of-life devices offline, try to patch the ones that can be patched, and upgrade to either newer stuff or a different vendor.
There’s just a couple of different avenues. And if you’re a cybersecurity researcher and you find indicators of compromise, send them over to the right people. See if we can get more information on it. And if you were hit with, uh, if you were using ConnectOnCall or know someone who was, uh, affected by the ConnectOnCall thing.
Just check your credit reports and that’s all we really can do. It’s up to us to put pressure on these kinds of companies to make sure that companies are more responsible in the way they develop their software to make sure that we’re encrypting sensitive information and making environments as secure as possible.
There will never be a 100 percent unhackable system. There just won’t be. But if we can make it harder and harder, then I’m hoping we can see less and less data breaches. But guys, with that, it’s been fun. I am your host Cipherceval, also known as Lauro, and I will see you in the next one.
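The encryption-at-rest point made in the ConnectOnCall discussion above (256-bit encryption on the stored data, with the key loaded from a secrets store rather than sitting next to the data), shown as an added Go example that is not part of the episode or of any vendor’s code. It assumes a hypothetical environment variable PATIENT_DATA_KEY_HEX as a stand-in for a secrets-manager lookup, and the field value it seals is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// loadKey reads a 32-byte AES-256 key (hex) from the environment at start-up.
// The hypothetical variable stands in for a secrets-manager call: the key
// lives outside the database and the code, so a dumped table is unreadable.
func loadKey() ([]byte, error) {
	k, err := hex.DecodeString(os.Getenv("PATIENT_DATA_KEY_HEX"))
	if err != nil || len(k) != 32 {
		return nil, errors.New("PATIENT_DATA_KEY_HEX must be 32 bytes of hex")
	}
	return k, nil
}

// newGCM builds the AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one value under a fresh random nonce. The stored blob is
// nonce || ciphertext || tag, so it can only be opened with the key.
func encryptField(key []byte, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// decryptField reverses encryptField; the GCM tag check rejects any blob that
// was modified or sealed under a different key.
func decryptField(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("stored blob is too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := loadKey() // no key, no service: fail closed
	if err != nil {
		fmt.Println("refusing to start:", err)
		return
	}
	blob, _ := encryptField(key, "diagnosis: otitis media") // constructed sample
	fmt.Printf("stored at rest: %x\n", blob)
}
```

Run it with the variable unset to see the fail-closed path, then with 64 hex characters to see that what lands in storage carries no readable patient data.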
Note: This is a transcript
🔗 References & Sources
* Webcams Hacked: https://www.bleepingcomputer.com/news/security/fbi-spots-hiatusrat-malware-attacks-targeting-web-cameras-dvrs/
* Health Data breach: https://www.bleepingcomputer.com/news/security/connectoncall-breach-exposes-health-data-of-over-910-000-patients/