18th February: Data leak found by Chaos Computer Club ++ DDoS attack on Ukrainian Defense Ministry ++ Government officials in Asia targeted by OneDrive malware

Chaos Computer Club finds more than 50 leaks – and 6.4 million personal data records

On February 14th, the German-based non-profit organization Chaos Computer Club (CCC), which specializes in research on the security and privacy aspects of technology, published the results of its latest research.

They found more than 6.4 million personal records – publicly available. No advanced hacking skills were needed to access the data; all of it was easily accessible if one knew where to look.
The researchers accessed, among other things, publicly available Git repositories and database servers.

All of the more than 50 responsible organizations were immediately informed about the leaks. According to the CCC, two – unnamed – companies simply ignored the warnings; their leaks are still accessible, and no measures have been taken to resolve the issues. Fortunately, most leaks were closed in due time after the CCC contacted the companies.

On its website, the CCC published its “highlights” of the data available, ranging from airline passenger name records to loyalty card data, including the names of participants in a sweepstake from 2016.
Unsurprisingly, even criminals don’t take measures to secure their data: the CCC found a server in Frankfurt holding illegally gathered credit card data. After the police were informed, the researchers were still able to watch the data piling up on the server for days. Only after the server host, the FBI and two large credit card companies had been informed was the server finally shut down.

The CCC plans to further investigate such publicly accessible security threats.

Sources:
https://www.heise.de/news/CCC-Mehr-als-50-Datenlecks-mit-ueber-6-Millionen-Datensaetzen-gefunden-6457880.html
https://www.ccc.de/de/updates/2022/web-patrouille-ccc
https://www.onlinehaendler-news.de/digital-tech/cyberkriminalitaet/136003-ccc-datensaetze-50-leaks

DDoS attack on Ukrainian Defense Ministry website and major banks

After the ransomware attacks in January, a new wave of cyber attacks has been launched against Ukraine. The public-facing website of the Ministry of Defense as well as the websites of two large Ukrainian banks were down for a few hours. Account holders were unable to access their online accounts or the banks’ apps. The issue has since been resolved.

In a second attack, Ukrainian citizens received text messages stating that ATMs were not working. It remains unclear whether the ATMs truly were disabled, or whether the two attacks were related at all.

Ukraine’s infrastructure has been under attack for years; the most memorable instances include the attack on the power grid in 2015 and NotPetya in 2017 – the latter infamously impacting IT infrastructure around the world.

The fact that DDoS attacks – as opposed to the ransomware attacks in January – do not aim at gathering critical data and information, and are rather easy to recover from, raises questions as to what the attackers were trying to achieve.
It officially remains unclear who the attackers are.
It is speculated that the attacks were used as a diversion to cover up more severe attacks, but no proof has been found yet.

Ukraine’s neighbors Lithuania and Poland have raised their danger levels in the aftermath of the attack. “Increased geopolitical tension in the region leads to increased threats of cyber-attacks, including attacks on critical information infrastructure,” the Bank of Lithuania reportedly warned in a letter sent to Lithuanian banks.

Sources:
https://www.baltictimes.com/danger_level_up_in_lithuania___head_of_cyber_security_center/ 
https://www.zeit.de/digital/2022-02/ukraine-cyberangriff-hacker-russland-cyberkrieg?utm_referrer=https%3A%2F%2Fwww.google.com%2F
https://www.fr.de/politik/russland-ukraine-konflikt-putin-strategie-cyberangriff-verteidigungsministerium-kiew-zr-91352837.html
https://www.cpomagazine.com/cyber-security/new-wave-of-cyber-attacks-on-ukrainian-government-websites-knocks-defense-ministry-offline/
https://news.sky.com/story/ukraine-security-services-say-too-early-to-identify-cyber-attack-culprits-12543501
https://www.airforcetimes.com/cyber/2022/02/16/experts-urge-caution-in-assessing-ukraine-cyberattacks/

Government officials in Asia targeted by OneDrive malware

The “Graphite” attack was prepared in July 2021 and eventually deployed between September and November, according to a Trellix report. Targets of the attack were high-ranking government officials in Asia linked to national security as well as individuals in the defense industry.

It was noted that the attack was successful, but no information about the hackers’ goals was published, as the investigation is still ongoing.

According to researchers with Trellix, this new malware uses Microsoft’s Graph API to leverage OneDrive as a command and control server. “As seen in the analysis of the Graphite malware, one quite innovative functionality is the use of the OneDrive service as a Command and Control through querying the Microsoft Graph API with a hardcoded token in the malware. This type of communication allows the malware to go unnoticed in the victims’ systems since it will only connect to legitimate Microsoft domains and won’t show any suspicious network traffic,” Trellix explained.

It appears that the malware was distributed via spear-phishing e-mails containing an Excel file.
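Because the C2 channel described above rides on a legitimate Microsoft domain, destination-based blocklists will not catch it; what remains observable is which process opened the connection and what spawned it. The following detection sketch is an added example (not Trellix’s code or telemetry): it flags Graph API traffic from processes outside an assumed allowlist of known Microsoft clients, and additionally flags connections from processes spawned by an Office application, matching the Excel-based delivery mentioned here. The log line format, the allowlist and the sample events are all constructed assumptions.

```python
"""Flag Microsoft Graph API traffic that does not come from an expected client.

Added example for illustration; the event format (host|process|parent|dest),
the allowlist and the sample events are assumptions, not real telemetry.
"""
from dataclasses import dataclass

# Processes normally expected to talk to graph.microsoft.com (assumed allowlist;
# tune it to the software actually deployed in your environment).
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}
GRAPH_HOSTS = {"graph.microsoft.com"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}


@dataclass
class NetEvent:
    host: str       # endpoint that produced the event
    process: str    # image name that opened the connection (lower-cased)
    parent: str     # parent image name (lower-cased)
    dest_host: str  # destination hostname (lower-cased)


def parse_event(line: str) -> NetEvent:
    """Parse one constructed event line of the form: host|process|parent|dest."""
    host, process, parent, dest = (f.strip() for f in line.split("|"))
    return NetEvent(host, process.lower(), parent.lower(), dest.lower())


def suspicious(ev: NetEvent) -> list[str]:
    """Return the reasons an event resembles Graph-API-based C2; empty means benign."""
    reasons: list[str] = []
    if ev.dest_host not in GRAPH_HOSTS:
        return reasons  # not Graph traffic, out of scope for this rule
    if ev.process not in EXPECTED_GRAPH_CLIENTS:
        reasons.append(f"unexpected Graph client {ev.process}")
    if ev.parent in OFFICE_APPS:
        reasons.append(f"spawned by Office application {ev.parent}")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Return only the flagged event lines, each mapped to its list of reasons."""
    return {line: r for line in lines if (r := suspicious(parse_event(line)))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "ws01 | OneDrive.exe | explorer.exe | graph.microsoft.com",
    "ws01 | updater.exe  | EXCEL.EXE    | graph.microsoft.com",
    "ws02 | chrome.exe   | explorer.exe | graph.microsoft.com",
    "ws02 | EXCEL.EXE    | explorer.exe | update.example.invalid",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_EVENTS).items():
        print(line, "->", "; ".join(reasons))
```

The allowlist approach trades false positives (any new Graph-using application must be added) for visibility into exactly the blind spot the Trellix quote describes.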

Besides the innovative approach, another finding is worth mentioning: the hackers behind the project seem to have worked from Monday to Friday, and the timestamps show they only worked during normal business hours.

Sources:
https://www.zdnet.com/article/trellix-finds-onedrive-malware-campaign-targeting-govt-officials-in-western-asia/
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html


Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.