News digest for September 2022
Hi all! Our traditional digest of the hottest information security news of the past month has arrived on schedule. Autumn began with notable incidents in the geopolitical arena, so today we have a lot of informational intrigue at the state level: the Iranians are hacking Albania, Montenegro is imagining the ubiquitous Russian hackers everywhere, the Portuguese are sleeping through important incidents during their afternoon nap… In addition, we will talk about the high-profile hacks that hit Uber and Rockstar, and about the downfall of some heavyweights of the cybercrime market. For details, welcome under the cut!
Albanian passions over Iranian hackers
Autumn had barely begun when, from its very first days, the most entertaining crossover of the season went on the air. Albania accused Iran of the July attack on its state infrastructure, then broke off diplomatic relations with it and demanded that the entire embassy staff leave the country within 24 hours.
The Albanian Prime Minister issued a statement that an Iranian-sponsored hacker group was behind the attack. Its goal was to paralyze government services, destroy their systems and steal government data. As usual, it was all tied to Iranian political intrigue – a conference of Iranian dissidents was to be held in Albania in July.
The results of the FBI investigation into the traces of the Iranian hack of Albanian state systems turned out to be no less amusing: the hackers had access to the networks for about 14 months. All that time they periodically dropped in and pulled correspondence from state mailboxes. And then they hit the Albanians with ransomware and a wiper, knocking out a whole bunch of government services.
In response to the break in relations between the countries, the Iranian hackers also ostentatiously leaked documents stolen from Albanian networks, running a poll among the subscribers of their Telegram channels about what to leak next. And soon repeated attacks began. All in all, a stunning example of what information security at the state level should not look like. Even if we are talking about a country as small as Albania.
In general, cyber intrigue at the state level looks quite alarming. As the President of the United States recently stated in one of his speeches, attacks on network infrastructure can today be grounds for declaring war. So even within our lifetime, the proverbial Franz Ferdinand may well turn out to be purely digital.
The Montenegrin boy who cried “Wolf”
Montenegro delivered another wonderful example of geopolitical intrigue from the world of information security in early September. In the last weeks of summer, the network infrastructure of Montenegro gradually crumbled under cyberattacks. They hit electricity and water supply, transport and state portals. Several power plants switched to manual operation, and state networks were shut down to contain the attacks. It got to the point where foreign embassies advised their citizens to limit travel to the country and expect problems at the border and at airports.
Montenegro initially stated at the highest level that the attacks came from Russia and were related to the geopolitical situation. The country’s defense minister went as far as to point to the notorious Russian hackers as the source of all of Montenegro’s network troubles. A matter of international security, no less.
However, geopolitics was soon taken off the agenda. In the wake of the large-scale cyberattack, the government of Montenegro stated that it was simply the work of a ransomware group and their “special virus”.
The Cuba ransomware gang claimed responsibility for the attack, publishing financial documents, tax returns, correspondence with banks and so on, taken from the Montenegrin government, right down to source code. The attackers allegedly demanded a $10 million ransom from Montenegro. And no Russian hackers, apparently. So, no geopolitical scandal today; be more careful with statements next time.
The Portuguese [don’t] know a lot about cybersecurity
And one more instructive story on how not to handle information security at the state level. According to media reports in September, the general staff of the Portuguese armed forces was subjected to a cyberattack. Classified NATO documents were stolen from the Portuguese military and later put up for sale on the dark web. Sources said the documents are so sensitive that the leak could undermine the country’s credibility in the alliance. And judging by the scarce information known about what happened, such a reaction from NATO is quite justified.
The general staff’s systems are isolated from the network, but the “prolonged attack” was carried out through ordinary channels. So, most likely, somewhere on the ground basic security protocols were simply violated. At the same time, the attack itself was dubbed “untraceable”, and it was allegedly carried out by a botnet tailored to search for classified information.
The most surprising thing is that the Portuguese themselves did not detect the attack or the leak – they literally missed it. They only learned about the leak from American intelligence, which discovered the stolen documents on the dark web and, in slight bewilderment, so to speak, began calling their embassy in Lisbon. Which is how the news reached Portugal’s extremely surprised senior officials.
Many members of the Portuguese Parliament, among others, expressed surprise at such inspiring news. In the wake of this embarrassment, the country’s officials urgently went to the alliance’s headquarters in Brussels to explain the situation. And we can only marvel at such a curious case. So much for mañana culture and military opsec.
Uber hack, Rockstar leak and other teenage fun
Having finished with geopolitical intrigue from the world of infosec, let’s turn to the loudest hacks of September. The middle of the month was a black day for Uber: they were hacked on an impressive scale. Judging by the screenshots, the hacker had full access to key company systems, including their security software and the Windows domain. As well as the AWS console, virtual machines, mail admin panel and Slack server – the complete set.
But that was not all. It was later confirmed that the hacker pulled all of their vulnerability reports from their HackerOne profile, including unpatched ones. So the company obviously had to hastily patch all the unpatched vulnerabilities in a race against attackers, since the leaked reports could well have gone under the hammer right away. Meanwhile, the company went on to say that their code base and users’ personal data were not affected in any way.
From the very first hours the hack acquired delightful details: an 18-year-old talent claimed responsibility for it. The hacker said he wrote to an Uber employee, posed as a corporate IT specialist, and convinced him to hand over the password for system access. And the attack vector was MFA fatigue, which has been gaining popularity recently: an external Uber contractor was bombarded with two-factor requests until one of them was accepted.
As Uber later said, the hacker appeared to be connected to the infamous Lapsus$ teen gang. And the September adventures of the anti-hero of our story did not end there.
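As an added illustration (not from the original digest), here is a simple detector for the MFA fatigue pattern described above: a burst of denied or unanswered push prompts to one account followed by an approval. The log format, account names and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, user, event, result.
# contractor01 shows the fatigue pattern: five denied/timed-out pushes, then an approval.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z contractor01 mfa_push denied
2022-09-15T22:01:41Z contractor01 mfa_push timeout
2022-09-15T22:02:10Z contractor01 mfa_push denied
2022-09-15T22:03:55Z contractor01 mfa_push timeout
2022-09-15T22:04:30Z contractor01 mfa_push denied
2022-09-15T22:06:12Z contractor01 mfa_push approved
2022-09-15T22:07:00Z alice mfa_push approved
2022-09-15T23:10:00Z bob mfa_push denied
2022-09-15T23:11:00Z bob mfa_push approved
"""


def parse_line(line):
    """Split one log line into (datetime, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_mfa_fatigue(log_text, min_prompts=4, window=timedelta(minutes=10)):
    """Flag each approval preceded by >= min_prompts denied/timed-out pushes within `window`.

    Returns a list of alert dicts; an empty list means no fatigue pattern was seen.
    """
    pushes_by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event == "mfa_push":
            pushes_by_user[user].append((ts, result))

    alerts = []
    for user, pushes in pushes_by_user.items():
        pushes.sort()
        for i, (ts, result) in enumerate(pushes):
            if result != "approved":
                continue
            # Count the unanswered/denied prompts in the window before this approval.
            prior = [r for t, r in pushes[:i] if ts - t <= window and r in ("denied", "timeout")]
            if len(prior) >= min_prompts:
                alerts.append({"user": user, "approved_at": ts.isoformat(), "prior_prompts": len(prior)})
    return alerts
```

In a real deployment the threshold and window would be tuned to the identity provider’s normal prompt rate, and an alert would trigger a session review or credential reset rather than just a log entry.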
Rockstar was next in the series of high-profile hacks: a few days after the Uber story, 90 videos from the GTA VI developers leaked online after the company’s Slack server and Confluence wiki were compromised. The hacker also pulled the source code of the fifth and sixth installments and put the assets of the previous installment up for sale. And allegedly negotiated with the company over a ransom for the rest, including the test build of the sixth.
This September leak ranks as one of the largest in the history of video games – the severity of such a blow to the production of the legendary crime simulator can hardly be overstated. And, interestingly, the hacker immediately stated that he had recently hacked Uber, and the handwriting was indeed similar. Rockstar hurriedly hit the videos with copyright takedowns, but they inevitably spread across the network along with pieces of leaked source code. So the especially curious could peek at what the new installment of the eminent franchise will look like.
Alas, the dashing story of today’s anti-hero has come to an end. Within days the expected news arrived: on September 23, a teenager suspected of hacking both Uber and Rockstar was arrested in the UK. Moreover, as it turned out, he was in fact only 17 years old. As before, all of this is associated with the Lapsus$ group. Back in April, let me remind you, seven of their young talents, aged 16 to 21, were arrested in connection with the high-profile hacks that shook the network world at the beginning of the year.
Interestingly, the notorious pompompurin claimed that the Uber and Rockstar hacks were linked to the head of Lapsus$ known as White. Earlier in the spring he had been released on bail, since he is a minor – mind you, he was sixteen at the time of his arrest. So it may well be that he quickly went back to his old ways, but there is no official confirmation of this yet – under British law, the details of juvenile offenders are not disclosed.
Such was the September epic of the young talent from the world of cybercrime who made all the noise. In principle, the arrest was quite predictable. Once the typical post-break-in teenage bravado appeared, it was obvious that he would be caught quickly. Mom, I’m hacking Rockstar! What kind of opsec is that.
WT1SHOP went under, and the owner of RSOCKS went to court in the States
And finally, about the loud downfall of some heavyweights from the world of cybercrime. In September, the FBI and company conducted an international operation and seized the website and domains of WT1SHOP, one of the largest platforms for trading personal data, credit cards and accounts. More than 100 thousand users, data on about 6 million people and a turnover of several million dollars – another haven for carders and scammers went under, following Slilpp, which went down in history a year ago after a similar operation by the special services of several countries.
The damn-good-coffee lovers also reported that they traced bitcoins, email accounts and admin panels to a 36-year-old citizen of Moldova named Nikolai Kolesnikov. Now, if caught, the unlucky comrade faces up to 10 years in prison on a combination of charges.
In addition, last month brought a timely update in the wake of the takedown of the massive RSOCKS botnet. Back in June, Denis Emelyantsev, a native of Omsk, was arrested in Bulgaria at the request of the States. He was charged as the owner of the botnet. Now the court has granted Emelyantsev’s request for extradition to the United States so that “lawyers would sooner remove the unfounded charges from him.”
The heavyweight RSOCKS botnet had existed since 2013 until it was put down this June after an international investigation. Its owner is also associated with RUSdot, a major spam forum and the successor to Spamdot. Interestingly, in the 2019 indictment unsealed by the United States in September, Emelyantsev was already identified as the creator of the botnet. So the comrade’s fight against the “unfounded accusations”, in an attempt to cut a deal with investigators and hand over accomplices, will be a hot one.