TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts

May 22, 2023 by Dan Virgillito

Hackers exploit household TP-Link routers to attack European entities, 18-year-old gets charged with hacking thousands of DraftKings betting accounts and the MalasLocker ransomware. Catch all this and more in this week’s edition of Cybersecurity Weekly.

1. Chinese hackers exploit TP-Link routers to attack EU foreign affairs entities

CheckPoint Research recently uncovered a disturbing cyberattack involving TP-Link routers. The attack, attributed to the Chinese state-sponsored APT group “Camaro Dragon,” utilized a malicious firmware implant called “Horse Shell.” This implant granted the attackers complete control over the compromised devices and facilitated undetected access to targeted European foreign affairs entities. While the exact method of deploying the firmware remains unclear, the incident underscores the need for more robust protection measures.

Read more »

2. Federal officials charge an 18-year-old for hacking 60,000 DraftKings accounts

Federal officials have charged an 18-year-old Wisconsin resident, Joseph Garrison, for hacking 60,000 user accounts on sports betting site DraftKings. Garrison employed a credential stuffing attack using stolen usernames and passwords from previous data breaches. He then sold access to compromised accounts, resulting in a theft of approximately $600,000. Garrison was traced through his IP address, and evidence was found on his devices. If convicted, he could face significant prison time for charges including computer intrusions and wire fraud.

Read more »

3. Open source mail client Zimbra becomes a victim of MalasLocker ransomware

A new ransomware operation called MalasLocker has been targeting Zimbra servers, encrypting emails and files. Interestingly, instead of demanding a ransom payment, the ransomware actors request a donation to a charity of the victim’s choice. The encryption method used is Age, which is uncommon among ransomware operations and does not target Windows systems. The operation has already affected multiple companies and victims and shows no signs of slowing down. Although the ransom notes provide contact details, there is no mention of a data leak site.

Read more »

4. Threat actors exploit Azure Serial Console for stealthy access to VMs

A new cybergang known as ‘UNC3944’ has been targeting Microsoft Azure admin accounts via phishing and SIM swapping tactics. Their primary objective is to steal data from organizations utilizing Azure. To achieve this, they exploit the Azure Serial Console and Azure Extensions, employing these tools for surveillance and persistence. Once they gain administrative access to virtual machines, they execute commands and utilize commercially available remote administrator tools discreetly. UNC3944’s proficiency in Azure, combined with their adept social engineering skills in performing SIM swapping intensify the risks for Azure users.

Read more »

5. CISA warns of critical Samsung vulnerability used to bypass ASLR

CISA has issued a warning about a security flaw affecting Samsung devices, enabling attackers to bypass Android ASLR protection. The vulnerability (CVE-2023-21492) affects Samsung mobile devices running Android 13, 12 and 11, allowing local attackers with high privileges to bypass ASLR and exploit memory-management issues. Samsung has released security updates to address the issue. Additionally, U.S. federal agencies have been ordered to patch their Samsung Android devices by June 9, as these vulnerabilities are frequently targeted by cyber actors. Private companies have also been urged to prioritize addressing such vulnerabilities.

Read more »

Posted: May 22, 2023
Dan Virgillito
View Profile

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news. Visit his website or say hi on Twitter.