Bitcoin price spikes after SEC Twitter account hijack
The US Securities and Exchange Commission’s (SEC) X account was hacked Tuesday. A tweet from the hijacked account stated, “Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges.” The tweet also included an image of SEC Chairperson Gary Gensler with a quote promoting the alleged approval. The news quickly spread through the media causing Bitcoin prices to shoot up. However, the price jump quickly receded upon the SEC revealing the fake news was a result of their account compromise. The SEC has not confirmed whether 2FA was enabled on the account. The incident comes amidst a massive wave of X account breaches to spread crypto scams.
(Bleeping Computer and The Register)
Mandiant affected by Twitter account hijack wave
The parade of recent X account hijackings has also affected cybersecurity firms including Google-owned firm Mandiant, which was forced to wrestle back control of its X account Monday. Scammers used Mandiant’s account to promote sites claiming to offer free $PHNTM cryptocurrency tokens (but which actually aimed to drain wallets). Hackers branded the account and blog as belonging to Phantom cryptocurrency wallet then tweeted that Mandiant should change its account password and check out the account bookmarks that were added by the hackers. Mandiant regained access to its account and confirmed that 2FA had been enabled. The cybersecurity community eagerly awaits what additional details Mandiant has to share about the security breach. Mandiant wasn’t the only security firm to have its X account hijacked this week as Web3’s CertiK also fell victim to crypto scammers.
China claims it cracked Apple AirDrop
A state-backed Chinese research institute claims it has discovered how to decrypt device logs for Apple’s AirDrop feature. The researchers say they used rainbow tables to de-hash the iOS device logs which contain the sender’s device name, email address, and mobile phone number. Many Chinese have used AirDrop to circumvent the country’s censorship because the feature uses Bluetooth and a private Wi-Fi network (instead of a cellular network) to send images and photos between devices. The institute says that they conducted this research after Apple AirDrop was used to send “inappropriate” comments in the Beijing subway. They added that, when such incidents occur, it’s necessary to find the sending source and identity as soon as possible to avoid negative impacts.
Nigerian gets 10 years for laundering millions stolen from elderly
On Monday, Nigerian man Olugbenga Lawal was sentenced to 10 years in prison for conspiring to launder millions stolen from elderly victims. Lawal worked directly with the leader of the Nigerian Black Axe crime group which targeted elderly victims through online romance scams, ultimately persuading them to transfer large sums of money to their accounts. In all, Lawal oversaw deposits totaling more than $3.6 million to fraudulent accounts and then laundered the funds back to Nigerian accounts through a series of transactions often including automobile shipments. In addition to his prison sentence, the court ordered Lawal to pay over $1.46 million in restitution. In October 2020, INTERPOL arrested more than 70 suspected Black Axe members.
Hackers target hotel Booking.com logins
According to researchers at Perception Point, cyberattackers are phishing hotels for their backend Booking.com logins to harvest customer data. Many of the phishing messages are to hotel managers, claiming former guests have written scathing online reviews. Of course, the email contains a “Reply to Complaint” link which, when clicked, directs victims to a convincing-looking Booking.com website (replete with a look-alike URL) where victims are tricked into entering their credentials. The researchers say, “the campaigns demonstrate a deep understanding of the hotel industry’s processes” and that the use of Generative AI (GenAI) in such campaigns is helping create “more believable, context-rich messages.” Therefore, defenses need to include email security solutions that have LLM-based analysis, anti-evasion, and next-gen dynamic detection features.
New York AG compels healthcare firm to invest $1.2 million in cybersecurity
In May 2021, Refuah Health Center was hit with a ransomware attack by the Lorenz gang, which accessed sensitive information of more than 250,000 people. The gang broke in through a video camera system and then pivoted to the network using administrative credentials from an IT vendor that had not been changed in 11 years. An investigation by the AG’s office revealed Reuah failed to implement basic security practices including deactivating inactive user accounts, rotating credentials, restricting employee access to certain parts of their network, using multi-factor authentication, and encrypting patient information. Additionally, Refuah failed to send a breach notice to 79,000 affected individuals. New York Attorney General Letitia James said the health center will have to pay a $450,000 penalty for its security failures. The settlement includes a $100,000 discount incentive if Refuah makes good on its commitment to spend $1.2 million on better cybersecurity protections between 2024 and 2028.
FTC bans X-Mode from selling phone location data
In a first of its kind settlement, the US Federal Trade Commission (FTC) has prohibited X-Mode, now known as Outlogic, from sharing and selling sensitive user information. X-Mode buys and sells access to the location data collected from ordinary phone apps. The settlement requires the data broker to delete or destroy all the location data it previously collected, along with any products produced from this data, unless the company obtains consumer consent or de-identifies the data. X-Mode faced scrutiny for selling access to the commercial location to the US government and military contractors. Quickly after the settlement, Apple and Google mandated developers remove X-Mode from their apps.
Ransomware victims targeted by fake hack-back offers
Researchers have observed several instances where victims of the Royal and Akira double-extorsion ransomware operations were approached by a threat actor claiming to be an ethical hacker or security researcher with a deep understanding of the field. The fake researcher offered to provide proof of access to the stolen data still on the attacker’s servers and said they could delete it for a fee of up to five Bitcoins (roughly worth $190,000 at the time). In at least two cases, the fake researchers appear to have made errors related to details of the breaches they claimed to be helping the victims with. Akira ransomware confirmed, in one case, that they had not exfiltrated any data and simply had encrypted it on the victim’s systems. These scams highlight yet another aspect of the multi-layered burden for ransomware victims.
This article first appeared in CISO Series, written by Sean Kelly on January 10, 2024.