The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
TOP NEWS STORIES THIS WEEK
- Hive-ing a bad day. Ransomware-as-a-service operation Hive shut down.
- I predict a riot. Video game developer Riot Games falls victim to cyber attack.
- In the spotlight. T-Mobile and Arnold Clark under pressure following data breaches.
- Coin trace. The FBI traces USD 100 million of stolen funds to North Korean hackers.
- Get stuffed. ‘Credential stuffing’ used to breach 35,000 PayPal accounts.
- Lunar-cy. Chinese hackers deface South Korean state institution websites over New Year.
- Noted! Microsoft OneNote attachments become the newest vector for malware.
1. HIVE RANSOMWARE NETWORK SHUT DOWN AND DECRYPTOR LEAKED
The US Department of Justice has shut down the website of a major ransomware network, Hive. The FBI penetrated the network in July 2022, capturing over 300 decryption keys that were then handed over to companies compromised by the gang. The FBI also distributed more than 1,000 additional decryption keys to previous Hive victims.
2. RIOT GAMES HACKED
Video game developer Riot Games has confirmed that a threat actor compromised their development environment last week. The hackers gained access through social engineering and exfiltrated source code of popular games, including League of Legends. The threat actor has demanded USD 10 million in exchange for not leaking the source code and for deleting it from their servers.
3. T-MOBILE AND ARNOLD CLARK CUSTOMER DATA LEAKED
The Play ransomware group has leaked customer data belonging to British car dealership Arnold Clark, including passport and bank details. Play has allegedly threatened to leak further tranches of data if the ransom is not paid.
Separately, telecommunications giant T-Mobile has disclosed a data breach going back to November 2022, affecting 37 million customer accounts. The attackers reportedly accessed personal customer information, including names, addresses, emails, phone numbers, and dates of birth.
4. THE FBI TRACES STOLEN FUNDS TO NORTH KOREA
The FBI has traced USD 100 million worth of Ethereum stolen from the cryptocurrency firm Harmony Horizon back to the North Korean government-linked Lazarus Group. Investigators identified the hackers when they moved part of the funds through Railgun, a privacy-enhancing system, before depositing the funds to addresses associated with the group.
5. CREDENTIAL ATTACK AT PAYPAL
Online payment platform PayPal has announced that hackers breached nearly 35,000 user accounts in December. The attack technique involved so-called ‘credential stuffing’, where the hackers used previously leaked PayPal login credentials to sign in. The hackers accessed sensitive data such as full names, social security numbers, card details, and transaction histories.
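Credential stuffing has a recognisable shape in authentication logs: one source address tries many different usernames, usually once each, and most attempts fail because the leaked credentials are stale. The script below is an added example of flagging that pattern from the defender's side; it is not S-RM's or PayPal's code, and the log format, field names, sample addresses and thresholds are all assumptions made for illustration.

```python
"""Detect credential-stuffing sources in authentication logs.

Added illustrative example. The log line format (timestamp, ip=, user=,
result=), the addresses and usernames, and the thresholds below are all
assumed; adapt them to the real log schema before use.
"""
import re
from collections import defaultdict

# Constructed sample log (not real data). One line per login attempt.
SAMPLE_LOG = """\
2023-01-02T10:00:01Z ip=203.0.113.7 user=alice result=fail
2023-01-02T10:00:02Z ip=203.0.113.7 user=bob result=fail
2023-01-02T10:00:03Z ip=203.0.113.7 user=carol result=fail
2023-01-02T10:00:04Z ip=203.0.113.7 user=dave result=fail
2023-01-02T10:00:05Z ip=203.0.113.7 user=erin result=ok
2023-01-02T10:00:06Z ip=203.0.113.7 user=frank result=fail
2023-01-02T10:01:00Z ip=198.51.100.23 user=alice result=fail
2023-01-02T10:01:01Z ip=198.51.100.23 user=alice result=fail
2023-01-02T10:01:02Z ip=198.51.100.23 user=alice result=fail
2023-01-02T10:01:03Z ip=198.51.100.23 user=alice result=fail
2023-01-02T10:01:04Z ip=198.51.100.23 user=alice result=fail
2023-01-02T10:01:05Z ip=198.51.100.23 user=alice result=fail
2023-01-02T10:02:00Z ip=192.0.2.5 user=bob result=ok
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>ok|fail)")


def parse_log(text):
    """Return a list of (ip, user, result) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("result")))
    return events


def find_stuffing_sources(events, min_attempts=5, min_distinct_users=4, min_fail_ratio=0.5):
    """Flag source IPs whose behaviour matches credential stuffing.

    The heuristic (an assumption for this example) is: enough attempts to be
    meaningful, spread across many distinct usernames, with a high failure
    rate. A single username hammered repeatedly is brute force, not stuffing,
    and is deliberately not flagged here. For each flagged IP the accounts
    it successfully logged into are listed, since those are the ones that
    need a forced password reset and session invalidation.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok_users": set()})
    for ip, user, result in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if result == "fail":
            stats["fails"] += 1
        else:
            stats["ok_users"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["fails"] / stats["attempts"]
        if (stats["attempts"] >= min_attempts
                and len(stats["users"]) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised_accounts": sorted(stats["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts over {info['distinct_users']} users, "
              f"fail ratio {info['fail_ratio']}, accounts to reset: {info['compromised_accounts']}")
```

On the constructed sample, 203.0.113.7 is flagged (six usernames, five failures, one success against erin, so erin's account is the one to reset), while 198.51.100.23 is not, because its six failures all target a single account and belong to a brute-force rule rather than a stuffing one. In production the same counters would be kept over a sliding time window and the thresholds tuned against the real baseline of failed logins.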
6. CHINESE HACKERS DEFACE WEBSITES
A Chinese hacking group dubbed Xiaoqiying has claimed responsibility for an attack that defaced the websites of 12 South Korean state-run institutions over the Lunar New Year holiday. Authorities have been put on high alert after the group announced it would target over 2,000 Korean organisations, in what it called ‘an invasion into Korea’s internet’.
7. MICROSOFT ONENOTE ATTACHMENTS USED IN PHISHING ATTACKS
Recent trends indicate that threat actors have begun using Microsoft OneNote attachments in phishing emails to distribute malware. It appears that organisations such as DHL are being spoofed to encourage users to click through the OneNote attachment.