Cybersecurity News Digest [February 2023]

Congratulations to our readers on the end of winter and the beginning of spring!

Have you forgotten about our monthly digest of all the main cybersecurity news for the past month?

Then sit back and learn about the most significant events from the world of cybersecurity here.

You can find the previous digest for January here.

Cybersecurity digest

#1 The MyloBot botnet is rapidly spreading around the world

A complex botnet known as “MyloBot” has infected thousands of systems, most of which are located in India, the United States, Indonesia, and Iran.


This follows from new data from BitSight, which stated that “more than 50,000 unique infected systems are currently observed daily,” compared to a total of 250,000 unique nodes in 2020.

Moreover, analysis of MyloBot’s infrastructure found connections to a residential proxy service called BHProxies, which indicates that the infected machines are being used as residential proxies.

MyloBot, which appeared on the threat landscape in 2017, was first documented by Deep Instinct in 2018, reporting on its anti-analysis methods and ability to function as a downloader.

Last year, the malware was spotted sending emails from hacked endpoints as part of a campaign aimed at extorting more than $2,700 in Bitcoin.

It is known that MyloBot uses a multi-step sequence of actions to unpack and launch a malicious bot. Notably, it sits idle for 14 days before attempting to contact the Command and Control (CnC) server to avoid detection.

The main function of the botnet is to establish a connection with a hard-coded CnC domain embedded in the malware and wait for further instructions.

#2 Coinbase cryptocurrency exchange hacked with SMS attack

On February 17, 2023, the cryptocurrency exchange Coinbase reported a cyberattack targeting one of its employees. An unknown attacker stole the login credentials of a Coinbase employee in an attempt to gain remote access to the company’s IT infrastructure.

It is reported that during the attack, a limited amount of data from the corporate directory was disclosed. The cybercriminal obtained some contact information about several Coinbase employees. At the same time, Coinbase emphasized that assets and customer data remained intact.

The attack began on February 5, 2023. The attacker sent SMS messages to several Coinbase employees urging them to log into their company accounts to read an important notification.

While most of the employees ignored the SMS, one of them fell for the trick and followed the link, hitting a phishing page where he entered his credentials.

The fraudster then tried to log into Coinbase’s internal systems using the stolen information but was unable to do so because access was protected by multifactor authentication.

Then the cybercriminal switched to another strategy. He called the same employee of the cryptocurrency exchange, posing as an IT specialist at Coinbase.

The attacker convinced the employee to log on to his workstation and perform some actions. Coinbase’s CSIRT security team detected suspicious activity within 10 minutes and promptly contacted the employee. At that point, he realized that he was the victim of a fraudulent scheme and stopped communicating with the attacker.

Is Coinbase safe to use? Read more here.

#3 3.3 million people were affected by the ransomware attack on Regal Medical Group

Personally identifiable information (PII) and protected health information (PHI) of more than 3.3 million people was stolen as a result of a ransomware attack on the California healthcare provider Regal Medical Group.


After the incident, Regal began sending breach notification letters to the affected persons, informing them that their data had been compromised.

Affected PII and PHI included names, addresses, dates of birth, phone numbers, social security numbers, diagnosis and treatment information, health plan member numbers, lab test results, prescription details, and radiology reports.

#4 Attackers gained access to the passwords of 30 million users and 85,000 companies

Over the past few months, LastPass has been at the center of many problems related to data leaks. Last December, LastPass published a report stating that it had been hacked in November. At that time, the company had not yet discovered several facts about the attack. However, a new investigation now shows that the attack began several months earlier.

In addition, the attacker obtained passwords belonging to 30 million people and 85,000 LastPass business customers.

LastPass is a free online password management tool for various platforms. Its purpose is to eliminate the inconveniences associated with the repeated entry of passwords by keeping them in the cloud.

The service works with most browsers and is also accessible through a web interface.

LastPass finally admitted in December that a hacker had not only penetrated its system but also stolen sensitive data, including company names, usernames, billing addresses, email addresses, phone numbers, and IP addresses.

LastPass claimed that there is no reason for users to worry if they use a strong master password. According to the company, it would take millions of years to crack a 12-character master password using “publicly available technologies.”

#5 Internal documents and Reddit source code stolen

The popular Reddit platform, or rather, the company managing it with the same name, was hacked by unknown hackers. The attackers managed to steal the source code of the project, as well as data about some employees.

The attack was cunningly planned and subtly executed — the hackers created a phishing site posing as an internal company resource. Then, using social engineering among other techniques, they stole the login credentials of at least one employee along with two-factor authentication tokens.

Learn more about social engineering here.

It is reported that the phishing victim reported the incident to the security team on their own initiative, which allowed the company to promptly begin investigating the incident.

As it turned out, the attackers were able to gain access to the source code, certain internal documents, and systems. They also managed to exfiltrate information about some advertisers. According to Reddit, user data, including bank card details and password hashes, has not been affected and is safe.

Nevertheless, the company recommends using two-factor authentication in any case — this allows you to increase the level of protection and significantly complicates the life of any attackers targeting accounts.

