IT Worker Sentenced for Impersonation

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, an IT security worker was sentenced for impersonating a ransomware gang, Deutsche Bank and other financial institutes were hit by Clop ransomware, USB drive malware attacks are on the rise in 2023, and a gaming company is investigating data breach claims and resetting users’ sessions.

See Also: OnDemand | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

IT Security Worker Sentenced for Impersonation

Ashley Liles, a British IT professional, has been sentenced to three years and seven months in prison after exploiting a ransomware attack on Oxford Biomedica, a gene and cell therapy firm. In February 2018, a hacker breached the firm’s systems and demanded a ransom for the stolen data.

Assigned to the investigation, Liles, an IT staff member at Oxford Biomedica, decided to manipulate the situation for personal gain. Instead of directing the ransom payment to the genuine hackers, he secretly altered the original ransom demand.

Using the email account of an Oxford Biomedica board member, Liles redirected the funds to a bitcoin wallet under his control. Consequently, if the company chose to pay the ransom, the money would end up in Liles’ hands rather than with the actual attackers.

Liles also created an email address strikingly similar to that of the original hacker and began pressuring the employer to pay a 300,000-pound ransom. Specialists from the South East Regional Organized Crime Unit’s Cyber Crime Unit became suspicious during their investigation. They identified unauthorized access to the board member’s email and traced it back to Liles’ home address.

The charges brought against Liles included blackmail and unauthorized access to a computer with intent to commit other offenses. The court’s decision is a reminder of the severe consequences that individuals who exploit their positions for personal gain may face.

MOVEit Update: Deutsche Bank and Other Financial institutes

Deutsche Bank AG, one of the world’s largest public banks, has reportedly suffered a data breach affecting its customers through a service provider in what appears to be a MOVEit Transfer data theft attack.

The breach originated from an external service provider responsible for operating the bank’s account switching service in Germany. The bank stated that more than 100 companies across 40 countries may have been affected,
and emphasized that its own systems had remained unaffected throughout the incident.

While the exact number of affected clients has yet to be determined, Deutsche Bank disclosed that the breach primarily affected German customers who used the account-switching service between 2016 and 2020. The bank reassured customers that only a limited amount of personal data had been exposed.

The data breach also affected other major banks and financial service providers, including Commerzbank, Postbank, Comdirect and ING. Commerzbank confirmed the involvement of the service provider named Majorel and clarified that its customers had not directly been affected – although its subsidiary, Comdirect, had experienced indirect effects. Postbank acknowledged limited impact without disclosing client numbers. ING reported that a low four-digit number of customers who used account-switching services had been affected by the cyberattack on their service provider.

USB Drive Malware Attacks on Rise

A recent report from Mandiant highlights USB-delivered malware campaigns on the rise in the first half of the year. The report sheds light on two campaigns observed this year. The first, dubbed Sogu, has been attributed to a Chinese espionage threat group known as TEMP.HEX. The other campaign, named Snowydrive, has been attributed to UNC4698 and specifically targets oil and gas firms in Asia.

Mandiant’s report follows previous findings in November 2022 related to a China-based campaign that used USB devices to infect entities in the Philippines with four distinct malware families. In January 2023, Palo Alto Network’s Unit 42 team discovered a variant of the PlugX malware that could hide within USB drives and infect connected Windows hosts.

The Sogu campaign, currently deemed the most aggressive USB-assisted cyberespionage campaign active now, targets a wide range of industries worldwide with the goal of stealing data from infected computers. Victims of the Sogu malware have been identified in countries including the United States, France, United Kingdom, Italy, China, Japan and the Philippines. Victims primarily belong to sectors such as pharmaceuticals, IT, energy, communications, health and logistics.

Sogu malware, also known as Korplug, uses DLL order hijacking to load C shellcode into memory. It establishes persistence by creating a registry Run key and employs Windows Task Scheduler to ensure regular execution. The malware conducts system reconnaissance by scanning for valuable data stored in MS Office documents, PDFs and other text files. Discovered files are encrypted and copied to specific directories on the host’s drive and the flash drive. Eventually, the files are exfiltrated to a command-and-control server using TCP or UDP, and requests are made over HTTP or HTTPS. Sogu is capable of executing commands and files, providing remote desktop access, capturing screenshots, establishing a reverse shell and performing keylogging. Any connected drives automatically receive a copy of Sogu’s initial compromise file, facilitating lateral movement.

The Snowydrive campaign focuses on infecting computers with a backdoor that allows attackers to execute arbitrary payloads through the Windows command prompt, modify the registry, and manipulate files and directories. Similar to the Sogu campaign, victims are deceived into launching an executable file from a USB drive, triggering the extraction and execution of malware components stored in a folder named Kaspersky. These components enable persistence, evasion of detection, backdoor deployment and the propagation of malware through newly connected USB drives.

Despite the requirement of physical access to target computers for infection, USB-based attacks possess unique advantages that make them relevant and trending in 2023. They can bypass security mechanisms, remain stealthy, provide initial access to corporate networks and infect air-gapped systems that are isolated from unsecured networks for security purposes. Mandiant’s investigation shows print shops and hotels as notable hot spots for USB malware infections.

Gaming Company Investigates Breach Claims, Resets Sessions

Gaming hardware company Razer responded to rumors of a significant data breach on Twitter, confirming that it is investigating the matter. Razer, known for its high-quality gaming peripherals, powerful laptops, and apparel, also provides services to registered account holders, granting them access to a wide range of games, exclusive rewards and special in-game item offers through the Razer Gold payment system.

The rumors of a potential data breach emerged when an individual posted on a hacker forum claiming to have stolen Razer.com’s source code, database, encryption keys and backend access logins. The user offered to sell the data for $100,000 worth of Monero cryptocurrency, inviting interested parties to contact them directly.

Screenshots shared as proof of the breach showcased file lists, email addresses, alleged source code for anti-cheat and reward systems, API details, Razer Gold balances, and more. Cybersecurity analysts at FalconFeeds.io discovered the post and alerted the public. In response, Razer acknowledged the potential incident on Twitter, stating that it had initiated an investigation. As a precautionary measure, Razer reset all member accounts, invalidating active sessions and prompting users to reset their passwords.

Other Coverage From Last Week