Cyber Security News Roundup – 17th April 2023
By Emily Davidson
17 April 2023
It's the beginning of a new week, and that means a roundup of some of the cyber security and data protection news headlines over the last 7 days! To learn more about each story, click the headings.
Data on 400K Kodi Forum members stolen and put up for sale 12/4
400,000 users of the Kodi Forum, where users of the Kodi open source media player share tips on how to customise their home theatre experience, have seen their data compromised. The data breach occurred when a former MyBB admin’s account was hijacked, providing threat actors with access to the admin console on the 16th and 21st of February. First announcing the breach on the 8th of April, Kodi stated that the cyber criminals used this account to create database backups that were then downloaded and deleted. The breached data contains all forum posts, user to user messages, and personal information including usernames, email addresses and hashed passwords. On the 11th of April MyBB stated that they were migrating onto new servers that would run an updated version of the MyBB software, causing a multi-day outage. MyBB will also “restrict and harden access to the MyBB admin console, revise admin roles to reduce privileges wherever possible, and improve audit logging and backup processes” in response to the breach. (Dark Reading)
Hyundai suffered a data breach that impacted customers in France and Italy 12/4
A data breach at Hyundai has compromised the data of customers that booked test drives in France and Italy, with cyber criminals gaining access to both email and physical addresses, phone numbers, and vehicle chassis numbers of affected individuals. Hyundai has sent a data breach notice letter to affected customers notifying them of unauthorised access, and has also notified the privacy watchdog and hired external cyber security experts to determine the scope of the incident. The number of affected individuals is unknown, however the letter stated that no financial information was exposed. In February Hyundai was forced to release emergency software updates to fix a flaw that allowed cars to be stolen with a USB cable, and now this data breach is the latest problem to affect the South Korea based car manufacturer. (Security Affairs)
DDoS attacks shifting to VPS infrastructure for increased power 12/4
Observed hyper-volumetric distributed denial of service (DDoS) attacks in the first quarter of 2023 shifted from compromising internet of things devices to leveraging breached Virtual Private Servers (VPS). By taking advantage of vulnerable and misconfigured VPS servers through API credentials and known exploits, threat actors are able to build high performance botnets more easily and quickly, and these can be up to 5,000 times stronger than their IoT based equivalents. Cloudflare observed steady DDoS activity in Q1 of 2023. However, 16% of DDoS attacks are now ransom based, which represents a 60% year on year increase, with the most significant attack observed so far peaking at 71 million requests per second. Another notable attack involved a 1.3 terabits per second DDoS attack, aimed at a South African telecommunications organisation. In Q1, 86.6% of DDoS attacks lasted under 10 minutes, however there has been a 6.5% increase in attacks that surpass 100 gigabits per second. (Bleeping Computer)
Darktrace denies getting hacked after ransomware group names company on leak site 14/4
After being named on the LockBit ransomware operation’s leak site, cyber security company Darktrace has issued a statement that after a full review of their internal systems there is no evidence of compromise. Darktrace added that while they continue to closely monitor the situation, they are confident that their systems are secure and that customer data remains protected. A post on LockBit’s website listed alleged Darktrace data with a ransom price of $1 million, however evidence would suggest that Darktrace weren’t even targeted by the ransomware-as-a-service operation. Instead, the listing appears to come in response to Singapore based threat intelligence firm Darktracer, who posted on Twitter that LockBit’s reliability was declining, in reference to the posting of junk data on their leak site. It is likely that the criminals behind the operation got the two firms’ names confused and were actually trying to get back at Darktracer, however LockBit does have a history of false claims with regards to cybersecurity companies. (SecurityWeek)
LockBit ransomware encryptors found targeting Mac devices 16/4
LockBit has likely become the first major ransomware operation to begin targeting Mac devices, with cybersecurity researchers discovering encryptors designed to target macOS devices for the first time. Historically targeting Windows, Linux, and VMware ESXi servers, the newly discovered encryptors appear to be designed to target macOS, ARM, FreeBSD, MIPS, and SPARC CPUs. One in particular, named “locker_Apple_m1_64”, targets new Mac devices running on Apple Silicon, and appears to have been in existence since December 2022. On a more positive note, the research indicates that these new encryptors were actually intended as a test and that it is unlikely that they are ready to be deployed in a genuine cyber attack, as they lack the required functionality to be able to properly target Mac devices. The encryptor also crashes on launch due to a buffer overflow bug in its code. This does however stress the importance of practising good computer safety habits such as keeping operating systems updated and avoiding unknown attachments, as it would not be surprising to see working encryptors designed to target these architectures released in the future. (Bleeping Computer)
Attempted cyber attacks occur every second, and as we can see from the recent headlines, constantly change in nature. It's vital that your organisation is as protected as possible from all forms of cyber crime, so contact Celerity to find out how we could protect your business!