We have collected the most important news from the world of cybersecurity for the week.
- Data from the Pentagon and thousands of corporations was in the public domain for five months.
- GRU-linked malware was caught attacking crypto wallets.
- The DreamBus botnet is back after two years of hiatus and continues to mine Monero.
- A spy clone of Signal hit the app stores.
Data from the Pentagon and thousands of corporations was publicly available for five months
The US National Security Council (NSC) has committed an unprecedented leak that has exposed the credentials of 2,000 companies, including government agencies and large corporations, to the public since January. This was reported by Cybernews researchers.
The non-profit organization NSC provides security education. Its website has nearly 55,000 registered users.
Cybernews experts discovered a platform subdomain that was allegedly used during development. It published a list of all online directories, allowing access to most of the server’s files, including a database backup with user emails and hashed passwords.
The Ministry of Justice, the US Navy, the FBI, the Pentagon, NASA, Shell Corporation, BP, Intel, IBM, AMD, Boeing, Pfizer, Ford, Toyota, Volkswagen, Tesla, Amazon, Coca Cola and many others are among the victims.
The data has been publicly available for five months since IoT search engines first indexed the leak on January 31, 2023. NSC fixed the issue after being contacted by Cybernews.
Potentially, the leak could be used to access corporate networks in order to inject ransomware or steal internal documents.
GRU-linked malware caught attacking crypto wallets
The new Russian malware Infamous Chisel began to be used to attack cryptocurrency wallets and instant messengers. This is stated in a joint report of the UK National Cybersecurity Center, the FBI, the NSA and CISA.
Experts attribute the management of the malware to the Sandworm hacker group, which is associated with Russian military intelligence.
Infamous Chisel provides permanent access to a jailbroken Android device and allows you to copy certain application directories from it, including those related to the Brave web3 browser, Binance and Coinbase applications, Trust crypto wallet, Telegram messengers and Discord.
According to the report, the malware developers did not pay much attention to hiding the malicious activities of its components.
DreamBus botnet is back after two years and continues to mine Monero
The DreamBus malware, which has not been active since 2021, has again begun attacking Linux users to install a hidden XMRig miner for mining the Monero cryptocurrency. Juniper Threat Labs experts drew attention to this.
DreamBus exploits a recently patched vulnerability in the Apache RocketMQ messaging application that allows attackers to remotely execute commands.
Although Monero mining is the main target of attacks, the modular nature of the malware allows it to be extended and potentially used to steal confidential communications.
Signal spy clone hit app stores
ESET experts have found an application in the Google Play Store and Samsung Galaxy Store that aims to steal messages from the Signal messenger.
A clone called Signal Plus Messenger is infected with BadBazaar spyware, which can track the exact location of the device, steal call and SMS logs, record phone calls, take photos with the camera, and steal contact lists, files and databases.
In addition, the functions of the fake app allow the attacker to link the victim’s Signal account to their device in order to see future messages in chats.
ESET believes that the Chinese hack group GREF is behind the development of BadBazaar. Its target is users from Poland, the Netherlands, Ukraine, Spain, Portugal, Germany, Hong Kong and the USA.
Signal Plus Messenger was uploaded to Google Play and Samsung Galaxy in July 2022. Google specialists removed the malware only on May 23, 2023. At the time of the release of the experts’ report, the application was still available in the Samsung Galaxy Store.
Paramount hit by data breach
American media holding Paramount said that between May and June 2023, unknown persons gained access to its systems, resulting in a data breach of about 100 people. The media only found out about it now.
Among the compromised information: the name, date of birth, social security number or other identification document, as well as some information about the connection of the victim with Paramount.
An investigation is underway with law enforcement agencies. The media holding offered all affected users two years of free personal data monitoring services.
Also on ForkLog:
What to read on the weekend?
Chapter from the book “Blockchain for everyone. How cryptocurrencies, BaaS, NFT, DeFi and other new financial technologies work” by Doctor of Economics Artem Genkin and digital technology expert Alexei Mikheev.
It highlights some of the fundamental issues, including cybersecurity issues, that hinder the widespread adoption of DLT.
Found a mistake in the text? Select it and press CTRL+ENTER
ForkLog Newsletters: Keep your finger on the pulse of the bitcoin industry!