Here’s a roundup of what I read (and watched) this past week.
Things are really heating up, in more ways than one.
Let’s get into it.
What I Read This Week
DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware
Yet more activity from DPRK threat actors
SentinelOne's research team wrote a blog post outlining the methods used in this campaign, including Telegram comms, sending fake Zoom links, and heavy usage of AppleScripts
No honor among thieves: hacking group starts turf war
Ransomware group beef? I’m here for it
Targets could see a case where they are hit twice, once by each group
“While double extortions remain rare, US company UnitedHealth Group was the victim of one last year due to a fallout between hacking groups.”
Profiling TraderTraitor: Tactics, History & Defenses
TTPs for this cloud-based DPRK-nexus threat actor are discussed
Tactics used include posing as a recruiter, sending a malicious PDF as a job offer, and harvesting AWS session tokens
All of this is included in the Invictus IR GitHub repo
Impostor Uses AI to Impersonate Rubio and Contact Foreign and US Officials
It was bound to happen, right?
This impersonation was done via text, Signal, and voicemail messages
All talks from fwd:cloudsec are live on YouTube
Personally enjoyed the talks Patience brings prey & The Duplicitous Nature of AWS Identity and Access Management
It’s mainly great just to hear how other companies are tackling the same problems you’re facing
Breaches
AT&T Reaches $177M Deal Over 2019 and 2024 Data Breaches
An agreement was reached over the breaches from the previous years that affected nearly all of AT&T’s 109 million US customers
Details on who qualifies for payments are in the link above
Employee gets $920 for credentials used in $140 million bank heist
A C&M employee sold credentials that gave access to funds via the instant payment system PIX
A pattern we have been seeing: why breach a company’s systems when you can just buy credentials?
A reminder of what “a lot of money” can mean to someone in another country (to be fair, he received another $1,850 for running some commands)
From a pure economic standpoint, it could make sense why this happens.
The model is as follows: a company hires mainly overseas support agents to save money, those agents are bribed for many times their wages, and a data breach ensues.
Wrapping Up
The stories from this week give insight into how rapidly things are moving.
Right when we think we’ve seen it all, there are more impersonations using deepfakes or voice cloning, and employees selling their credentials.
They remind us of the dynamics of today’s attacks and the resulting breaches, as well as their international implications.
See you in the next one.