MobiKwik Show Us How Not to Handle a Data Breach 💳, Attackers Edit PHP Source Code 💾, Ransomware Gang "Refunds" Victims?! 💰

CyberLite Apr 6, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

📰 News

Catching you up on everything important that happened this week…

💳 Indian Payment Platform MobiKwik Breached

The customer details for 3.5 million users have been leaked on the dark web after MobiKwik suffered a breach at the start of March. The full extent of the attack is only now becoming clear as attackers have started posting about the stolen data which includes email and residential addresses as well as the bank details for millions of users.

MobiKwik's response to the breach has been a true masterclass in mistakes. At the start of March they were warned of the breach and put out the following statement:

"A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention”

That's not a statement that ages well when customers find their home addresses leaked online. Link.

💻 Attackers Edit PHP’s Source Code

Attackers impersonated two developers with access to PHP's source code on Github and published malicious updates adding a backdoor. PHP is one of the most popular languages used in web development and provides "behind-the-scenes" functionality (e.g. connecting to databases) for lots of well-known websites.

In an attempt to remain undetected the attackers named the changes "Fix Typo", but thankfully maintainers of the PHP source code noticed the changes and reverted them. Keeping your Github accounts secure and managing which accounts have access to your repositories is incredibly important. Compromising Github repositories isn’t an attack trend that’s going to lose steam anytime soon; it’s hardly a reach to say that all organizations use software whose source code is hosted on Github. Link.

💰 Ziggy Ransomware Gang “Refunds” Victims

The Ziggy ransomware gang has announced that after leaving the cybercrime business they now want to refund their victims. After watching law-enforcement takedowns of other malware organizations like Emotet and Netwalker they wanted to ensure that didn't happen to them. Apparently, they did also feel a bit "guilty"… Isn’t that nice of them. Victims paid their ransom in bitcoin and Ziggy will be refunding them according to the bitcoin value on the day they received payment. Given the value of bitcoin has risen drastically since then Ziggy will still be netting a considerable profit, so the guilt isn't exactly killing them. Link.

💸 Ubiquiti Data Breach was "Catastophic"

In January Ubiquiti disclosed a data breach where attackers gained access to some of their systems hosted on Amazon Web Services (AWS). Thanks to a whistleblower we now know just how bad the breach was.

Ubiquiti produces Internet-of-Things (IoT) devices and has shipped over 85 million of them worldwide. Attackers gained admin access to all of Ubiquiti's AWS servers which gave them access to Ubiquiti's source code, login infrastructure, and all of their customer’s credentials. Meaning that hackers could have remotely accessed countless Ubiquiti devices across the globe. Link.

The advanced persistent threat group (APT) known as Charming Kitten has been linked to a phishing campaign in late-2020 that targeted senior medical researchers in the US and Israel. Charming Kitten is believed to be aligned with the Iranian government and targeting Israel lends some credibility to that theory given the tensions between the two nations. The aim of the attackers was to steal the credentials of researchers working in genetics, neurology and oncology; although their intentions beyond that are unknown. Link.

🤔 North Korean Attackers Continue Targeting Security Professionals

Earlier in the year reports came out about a North Korean social engineering campaign that was targeting cybersecurity researchers. Attackers posed as researchers on social media then approached legitimate researchers asking them to collaborate on a vulnerability research project. They then sent links to Visual Studio projects (a popular code editing program), but these links contained malicious code enabling attackers to send commands to the researchers’ computers.

However, that wasn't the end of the story, this week Google's Threat Analysis Group reported that the same attackers have set up a fake security company online called SecuriElite whose website was laced with malware. The attackers also created fake Twitter and LinkedIn profiles for "employees" at SecuriElite as well as “researchers” at other companies that they used to promote SecuriElite.

This is a really clear example of just how fast attackers can change their tactics if their initial methods are exposed. Link.

🧒 Google Restricts Who Can Access Your List of Installed Apps

Previously all Android apps could access a list of applications installed on your device. However, this provided an opportunity for potentially harmful apps to check for the presence of antivirus or serve misleading ads to users. With Android 11 Google made apps ask for permission if they wanted to access this information, but now they're going a step further. Google announced that they are now treating the list of installed apps as personal and sensitive user data, as such any app wishing to access it must fall within a strict set of categories or submit a declaration form to Google to prevent their removal from the Play Store. Link.

🛢 Scammers Disguise Malware as Call of Duty Cheat Tools

Activision has put out a warning that it's found ads for Call of Duty cheats that contain malware. If installed the malware would give attackers remote access to a victim's system. This is a particularly easy avenue for spreading malware as cheat programs commonly ask users to disable antivirus software and firewalls; if that program turns out to be malicious then the user has just opened the floodgates for it to do whatever it wants. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

🗃 Two zero-day vulnerabilities are affecting legacy network-attached storage (NAS) devices from QNAP Systems. The vulnerabilities are exposing devices to remote unauthenticated attackers. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

📱 Back in October 2020 Google's Project Zero caught a hacking group exploiting 11 powerful vulnerabilities in iOS, Android and Windows. But the catch is that the hackers in question were Western government operatives conducting a counterterrorism operation. So was disclosing the vulnerabilities the right move if it effectively shut down a counterterrorism operation? Link.

🐛 The fascinating world of bug bounties - what they are and how to get your feet wet. Link.

🗝 The Consumer Authentication Strength Maturity Model from Daniel Miessler. A great way to visualize how secure your password practice is and find out how to improve it. Link.

🐦 The Twitter account for the US Strategic Command tweeted out “;l;;gmlxzssaw” when their social media manager’s kid happened upon an open laptop. Link.

🌐 A perspective we're not so used to hearing... an article breaking down the relationship between users and social media algorithms from Nick Clegg, Facebook's VP for Global Affairs and Communications. It's an interesting perspective to hear as we look at what the future holds for social media. Link.

💉 A fantastic video from Vox about why we should stop comparing Covid-19 vaccines. The best vaccine is any vaccine. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.