The Good, the Bad and the Ugly in Cybersecurity – Week 26

The Good | Authorities Sentence 2020 Twitter Hacker For SIM Swap & Crypto Theft Schemes

Joseph James O’Connor (aka PlugWalkJoe) was sentenced this week to five years in prison for various cybercrimes including his role in the 2020 Twitter Hack. O’Connor is charged with stealing cryptocurrency, money laundering, cyberstalking, and unauthorized access to Twitter, TikTok, and Snapchat accounts. Further, he is ordered to return the $749,000 stolen from a New York-based cryptocurrency firm.

Source: Reuters

According to the DoJ, O’Connor and his co-conspirators conducted a mass SIM swap attack in 2019 to steal from a targeted cryptocurrency firm. In SIM swap attacks, a threat actor gains control of a victim’s mobile phone number by linking it to a SIM card controlled by the actors. The victim’s calls and messages are then routed to the actor-controlled device and used to access accounts registered with the victim’s number. Using this technique, O’Connor and his associates successfully targeted three of the cryptocurrency firm’s executives and obtained access to the company’s internal accounts and systems.

In the 2020 Twitter Hack, O’Connor and his associates again used SIM swaps, along with social engineering tactics, to gain access to Twitter’s back-end tools and transfer control of high-profile accounts to various unauthorized users. While some accounts were hijacked by the actors themselves, O’Connor sold the access rights to several well-known accounts. Using similar techniques, O’Connor also hijacked TikTok and Snapchat accounts to participate in online extortion, harassment, and cyberstalking.

These attacks on social media platforms underscore the impact that cyber attacks have on everyday users. As the rate of digital identity theft skyrockets and threat actors continue to eye up popular apps and services, implementing strong identity-based controls remains a high-priority task for organizations in all industries.

The Bad | New Infostealer Malware Dubbed “ThirdEye” Targets Windows Devices

A newly discovered Windows-based infostealer dubbed “ThirdEye” has been spotted in the wild, harvesting sensitive data from infected hosts. Security researchers this week reported on an executable masquerading as a PDF file which hosts the info-stealing malware. While the arrival vector for the malware isn’t yet known, researchers believe it is used in phishing campaigns.

Based on an earlier version of ThirdEye that was uploaded to VirusTotal in early April, the infostealer is evolving and now shows capabilities of gathering system metadata such as BIOS release dates and vendors, total and free disk space on C: drives, volume information, and registered usernames. Details collected are then transmitted to a command-and-control (C2) server.

Though the malware is not considered technically sophisticated, researchers warn that its purpose-built design allows malicious users to gather critical information for use in future attacks. In the case of ThirdEye, the information stolen could be used by attackers as a way of narrowing down potential targets and planning unique campaigns.

There are no current indications that ThirdEye has been used in the wild. However, given the fact that the infostealer artifacts were uploaded to VirusTotal from Russia, researchers speculate that any malicious activity leveraging the malware is likely being aimed at Russian-speaking organizations. ThirdEye is the latest to make an appearance following a marked surge of infostealer malware being sold on Russian darknets.

As more infostealers become readily available, enabling cybercriminals to launch their ransomware campaigns, organizations should invest in machine learning algorithms and analytics to identify patterns indicating suspicious activity in real time.

The Ugly | Emerging 8Base Ransomware Group Responsible For Uptick In Ransomware Attacks

First appearing in March, the emerging ransomware group called 8Base has accelerated its activity over the past two months, targeting small to medium-sized businesses worldwide in double extortion “name and shame” attacks. According to security analysts, ransomware attacks have spiked in May and June so far, up 24% from this April and 56% compared to the same period last year. 8Base claims a significant role in this surge, being responsible for more than 15% of all ransomware victims recorded last month.

In double extortion attacks, threat actors exfiltrate and encrypt all of a victim’s sensitive data, giving them extra leverage when demanding ransom payments. Actors then threaten to release or sell the data onto the dark web unless payment is made.

Like many other groups in the threat landscape though, 8Base accepts ransom payments in Bitcoin only and claims on its leak site to be “honest and simple pentesters”. The group employs multiple streams of communication, including an active Twitter profile and several encrypted Telegram channels. Latest findings on the group note that 8Base has compromised businesses across a large span of industries but has not shown allegiance to any one particular methodology or source of motivation.

Based on the speed and effectiveness shown in recent attacks, security researchers believe 8Base is a well-established and mature operation, indicating the group may be composed of members of a previously successful ransomware group. Malware research site vx-underground has compared 8Base’s recent attacks to those of the “Big 3”; namely, the Conti, LockBit, and ALPHV ransomware groups. SentinelOne customers are autonomously protected from 8Base ransomware attacks.