TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
Hackers exploit household TP-Link routers to attack European entities, 18-year-old gets charged with hacking thousands of DraftKings betting accounts and the MalasLocker ransomware. Catch all this and more in this week’s edition of Cybersecurity Weekly.
1. Chinese hackers exploit TP-Link routers to attack EU foreign affairs entities
CheckPoint Research recently uncovered a disturbing cyberattack involving TP-Link routers. The attack, attributed to the Chinese state-sponsored APT group “Camaro Dragon,” utilized a malicious firmware implant called “Horse Shell.” This implant granted the attackers complete control over the compromised devices and facilitated undetected access to targeted European foreign affairs entities. While the exact method of deploying the firmware remains unclear, the incident underscores the need for more robust protection measures.
2. Federal officials charge an 18-year-old for hacking 60,000 DraftKings accounts
Federal officials have charged an 18-year-old Wisconsin resident, Joseph Garrison, for hacking 60,000 user accounts on sports betting site DraftKings. Garrison employed a credential stuffing attack using stolen usernames and passwords from previous data breaches. He then sold access to compromised accounts, resulting in a theft of approximately $600,000. Garrison was traced through his IP address, and evidence was found on his devices. If convicted, he could face significant prison time for charges including computer intrusions and wire fraud.
3. Open source mail client Zimbra becomes a victim of MalasLocker ransomware
A new ransomware operation called MalasLocker has been targeting Zimbra servers, encrypting emails and files. Interestingly, instead of demanding a ransom payment, the ransomware actors request a donation to a charity of the victim’s choice. The encryption method used is Age, which is uncommon among ransomware operations and does not target Windows systems. The operation has already affected multiple companies and victims and shows no signs of slowing down. Although the ransom notes provide contact details, there is no mention of a data leak site.
4. Threat actors exploit Azure Serial Console for stealthy access to VMs
A new cybergang known as ‘UNC3944’ has been targeting Microsoft Azure admin accounts via phishing and SIM swapping tactics. Their primary objective is to steal data from organizations utilizing Azure. To achieve this, they exploit the Azure Serial Console and Azure Extensions, employing these tools for surveillance and persistence. Once they gain administrative access to virtual machines, they execute commands and utilize commercially available remote administrator tools discreetly. UNC3944’s proficiency in Azure, combined with their adept social engineering skills in performing SIM swapping intensify the risks for Azure users.
5. CISA warns of critical Samsung vulnerability used to bypass ASLR
CISA has issued a warning about a security flaw affecting Samsung devices, enabling attackers to bypass Android ASLR protection. The vulnerability (CVE-2023-21492) affects Samsung mobile devices running Android 13, 12 and 11, allowing local attackers with high privileges to bypass ASLR and exploit memory-management issues. Samsung has released security updates to address the issue. Additionally, U.S. federal agencies have been ordered to patch their Samsung Android devices by June 9, as these vulnerabilities are frequently targeted by cyber actors. Private companies have also been urged to prioritize addressing such vulnerabilities.