The Good, the Bad and the Ugly in Cybersecurity – Week 41

The Good

In yet another new initiative to tackle the rampant success of cybercrime, the U.S. government this week laid out further measures to punish companies that either fail to keep their products secure or fail to be transparent about security incidents.

The new Civil Cyber-Fraud initiative is aimed at government contractors that fail to keep up with cybersecurity best practices. It will leverage the False Claims Act to levy financial penalties on offenders in the hope that it will encourage all contractors to both put in the appropriate investment in security tools and to report breaches promptly when they occur.

The government also announced further measures in relation to cryptocurrency exchanges, following last week’s OFAC sanction against SUEX, in the form of a new National Cryptocurrency Enforcement Team at the Department of Justice. The team will go after cybercriminals who target cryptocurrency marketplaces and who use exchanges to launder profits from cybercrime like ransomware.

The new measures are aimed at disrupting cybercriminals’ financial operations and ensuring cryptocurrency exchanges are held to the same standards as other financial institutions. Deputy AG Lisa Monaco said “If cryptocurrency exchanges want to be the banks of the future, we need to make sure people can have confidence in these systems”.

The Bad

Streaming platform Twitch suffered a massive leak of data this week that reportedly includes a significant portion of its IP, among which is source code for existing and future products and its own SOC’s internal red teaming tools. Twitch streamers have also been affected and warned by external experts to beware of phishing attacks after leaks of Twitch payouts went viral online.

The breach was revealed on the infamous 4Chan message board by a user who, unsurprisingly in that context, called themselves ‘Anonymous’, along with a torrent of the usual abuse directed at the company. However, the hack was confirmed by a number of independent sources before Twitch themselves made a short announcement. Subsequently, the company said it had also reset all users’ stream keys “out of an abundance of caution”.

The hacker has already released one dump of the information and more are expected. It is thought that among the data stolen is:

  • A significant amount of Twitch’s source code with commit history “going back to its early beginnings”
  • Creator payout reports from 2019
  • Mobile, desktop and console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • “Every other property that Twitch owns” including IGDB and CurseForge
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
  • Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

At the time of writing, Twitch’s official statement says that the data leak is “due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” Expect more details as the story unfolds and the company’s own investigation proceeds.

The Ugly

Perhaps the most unsurprising thing we saw in this week’s cyber news was the statement that “cybercriminals seem to have no moral compass”. And while that really shouldn’t come as a shock to anyone, it is nevertheless the lowest of the low to deliberately target healthcare organizations for ransomware attacks and data theft.

One particular ransomware operator has made healthcare their top target, with an estimated 20% of the gang’s earnings coming from this sector alone. Second highest: education. That’s no accident when you consider that healthcare and education share in common a lack of investment and expertise in cybersecurity.

Lowering the bar yet further, a gang of scammers dubbed Xgroup appear to be profiteering off equally ethically-challenged members of the public by offering a service that claims the gang will – for a fee – insert an unvaccinated person’s medical records into hacked hospital databases to make it appear that the person has been fully vaccinated against COVID-19.

The group appear to have identified a lucrative market among those unwilling to be vaccinated yet desiring the benefits of travel and access afforded to those that have done the responsible thing. The scammers may be after more than just the initial payout from their victims. As part of the service to provide a false vaccination record, the scammers require the victim to provide a huge amount of sensitive personal data to (supposedly) enter into the hospital’s (allegedly) hacked database. That information could, of course, be used against the victim in other hacks on their bank accounts or be used to obtain false identities useful for other crimes, cyber and otherwise.

We’ll leave the moral of the story up to the reader, and merely note that aside from all the other bad consequences a scammed victim could face, in most jurisdictions it’s a criminal offence to pay someone to hack a hospital database, a fact which gives the scammers yet one more hold over anyone foolish enough to get involved with them.