Welcome to Dark Reading’s weekly digest of the can’t-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.
Dark Reading’s editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn’t get to earlier but would feel wrong not covering. In this week’s “in case you missed it” (ICYMI) digest, read on for more on the following:
- Neopets & Gaming’s Lax Security
- SolarWinds Hackers Embrace Google Drive in Embassy Attacks
- Nation-State Attacks Ramp Up in APT-a-Palooza
- Google Ads Abused as Part of Tech Support Scams
Neopets & Gaming’s Lax Security
Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting “leisure-activity” companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.
A hacker who goes by the handle of “TarTarX” is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday’s exchange rate. The stolen PII appears to include data includes members’ usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.
It’s unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.
“We’ve seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect,” he says. “Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur.”
Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.
SolarWinds Hackers Embrace Google Drive in Embassy Attacks
The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets’ machines.
The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks’ Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.
“In both cases, the phishing documents contained a [Google Drive] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload,” according to Unit 42’s post this week.
APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.
The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.
“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment,” he said in a statement to Dark Reading. “Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”
Nation-State Attacks Ramp Up in APT-a-Palooza
Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.
Google’s Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.
CyberAzov is “hosted on a domain controlled by the actor and disseminated via links on third party messaging services,” according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, “the ‘DoS’ consists only of a single GET request to the target website, not enough to be effective.”
In reality, the app is “designed to map out and figure out who would want to use such an app to attack Russian websites,” according to an additional commentary from Bruce Schneier.
Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.
“As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor’s intent was to gain access to source a supply chain-style attack,” researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company’s network or launching additional attacks such as ransomware.
Also notable is the fact the effort revolved around “a fairly uncommon piece of malware” called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.
And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).
The “malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence,” according to the statement.
Google Ads Abused as Part of Tech Support Scams
People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.
A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.
“The threat actors are … purchasing ad space for popular keywords and their associated typos,” researchers explained in a posting. “A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result).”
In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.
“Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them,” researchers lamented.
The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.