21ST DEC 2023
21ST DEC 2023Welcome to our latest cybersecurity news roundup, where we comprehensively overview the most pressing issues in the tech and cybersecurity landscape. This edition covers the GTA6 leaker, MS Drainer, and Falsefont exploits.
Join us as we navigate the evolving challenges and advancements in technology, cybersecurity, and beyond.
Here’s what went down this week:
Arion Kurtaj, a member of the Lapsus$ cybercrime group, has been sentenced indefinitely to a "secure hospital" by a British judge.
Residing in Oxford, Kurtaj played a significant role as a key member of Lapsus$, responsible for leaking clips from Rockstar Games' anticipated video game, Grand Theft Auto VI.
Prosecutors assert that Kurtaj was "caught red-handed" violating his bail conditions when authorities discovered an Amazon Fire Stick in his hotel room's TV. This device enabled him to connect to cloud computing services using his smartphone, keyboard, and mouse. This clever workaround allowed him to carry out the Grand Theft Auto VI leak despite his laptop being confiscated.
The judge expressed concern that Kurtaj, due to his skills and evident inclination towards cybercrime, poses a continuing "high risk" to the public. Consequently, he will remain in a secure hospital until medical professionals deem him no longer a threat.
In addition to his involvement in cybercrime, the court disclosed that Kurtaj displayed violent behavior while in custody, resulting in "dozens of reports of injury or property damage."
Owing to his autism, healthcare professionals had initially deemed Kurtaj unfit to stand trial. The decision to determine if his alleged actions were carried out with criminal intent was left to the jury.
The BBC further reported that a mental health assessment conducted during the sentencing hearing revealed Kurtaj's strong motivation to "return to cyber-crime as soon as possible."
Google and Twitter advertisements are being utilized to promote websites hosting a cryptocurrency exploitation tool known as 'MS Drainer,' which is responsible for siphoning off $59 million from 63,210 individuals in the last nine months.
As per insights from blockchain threat analysts at ScamSniffer, they have identified over ten thousand phishing websites employing the drainer since March 2023, with notable surges in activity observed in May, June, and November.
A drainer, in this context, refers to a malicious smart contract or a comprehensive phishing suite engineered to deplete funds from a user's cryptocurrency wallet without their explicit consent.
Individuals are redirected to a seemingly legitimate phishing website, where they unwittingly authorize malicious contracts. This allows the drainer to execute unauthorized transactions, transferring the victim's funds to the attacker's designated wallet address.
MS Drainer is being promoted through deceptive ads on Google Search, strategically displayed for keywords associated with decentralized finance (DeFi) platforms such as Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant.
Numerous ads exploit a tracking template vulnerability in Google Ads to manipulate the URL, making it appear as if it is affiliated with the targeted project's official domain. However, upon clicking, users are redirected to a phishing site.
On Twitter, also known as "X," the prevalence of MS Drainer advertisements is substantial, constituting six out of nine reported phishing ads on the platform, according to ScamSniffer.
Microsoft reports that the APT33 Iranian cyber-espionage group is employing a newly discovered backdoor malware named FalseFont to target defense contractors globally.
In a statement, the Seattle-based tech giant revealed:
The Defense Industrial Base sector, encompassing over 100,000 defense companies and subcontractors engaged in the research and development of military weapons systems, subsystems, and components, has been the primary focus of these attacks.
Also known as Peach Sandstorm, HOLMIUM, or Refined Kitten, the hacking group has been operational since at least 2013. Its targets range across various industry sectors in the United States, Saudi Arabia, and South Korea, including government, defense, research, finance, and engineering domains.
The recently identified custom backdoor, FalseFont, provides the hackers with remote access to compromised systems, enabling file execution and transfer to their command-and-control servers. Microsoft notes that FalseFont was first detected in the wild around early November 2023.
"The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft," stated Microsoft.
In response to these threats, network defenders are advised to reset credentials for accounts targeted in password spray attacks to mitigate the attack surface. Additionally, Microsoft recommends revoking session cookies and enhancing the security of accounts and RDP or Windows Virtual Desktop endpoints by implementing multi-factor authentication (MFA).
Check out our previous news reports about cybersecurity happenings around the world:
