Risky Biz News: $90 million stolen from DeFi platforms over the weekend

In other news: Side-channel attacks discovered in Apple CPUs; new twist in Kronos ransomware attack fallout.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary.

The weekend has not been kind to the cryptocurrency community as two cryptocurrency platforms were robbed on Saturday. DeFi platforms Saddle Finance and Rari Capital both had their trading protocols exploited and lost $10 million and $80 million worth of cryptocurrency, respectively.

Both platforms confirmed the hacks on Saturday and immediately posted messages on Twitter offering "no questions asked" bug bounties to the attackers to return the stolen funds.

The two hacks come after Deus Finance also lost $13.4 million in a hack last week. In total, cryptocurrency platforms have lost or scammed users for almost $360 million in April alone and $1.78 billion for the whole year.

Breaches and hacks

Indian data breach law: The Indian government passed an update to its Information Technology Act last week, requiring companies to report cybersecurity incidents to India's CERT team within six hours of when they occur. In addition, all cloud, VPS, and VPN providers will also have to record the names, emails, and IP addresses of all their subscribers, data that they must archive for at least five years. The new update is set to go into effect at the start of July.

French Muslim leak: French prosecutors opened a criminal investigation against Fdesouche—a French far-right website—after the site published the personal data of French Muslims last September. The leak allegedly contained the data of more than 100 individuals, such as Muslim activists, journalists, and imams. According to the French edition of the Huffington Post, this was the second leak published by Fdesouche after the organization published the email addresses and phone numbers of people working with organizations aiding migrants and refugees back in 2017.

Kronos fallout: Multiple class-action lawsuits have been filed over the month of April against some of the largest US companies that relied on the Kronos timekeeping apps to keep track and pay employees. Kronos (aka UKG) got hit by ransomware in December 2021 and took months to recover, causing long delays in employee payments. The company is the subject of several class-action lawsuits filed last year and in early January. But now, companies like PepsiCo, Mercedes-Benz, DHL, Frito-Lay, the Giant supermarket chain, call center giant Sitel Group, and the Cargill and Sodexo food corporations have all been sued for (still) unpaid wages related to the Kronos incident. As Zack Needles writes for BenefitsPro, this new wave of class-action lawsuits brings a new twist to ransomware-related mitigation, especially for attacks against large companies, where the legal consequences may now also start to impact their customers in the case of a super slow and bad recovery/response plan.

General tech and privacy

Android Play Store security review: Google said that last year it banned more than 190,000 malicious and spammy developer accounts as part of its efforts to keep the official Android Play Store safe from scams and malware. In addition, Google said that it also closed around 500k developer accounts that are inactive or abandoned, which could have been abused to publish malware; in case they were compromised. In total, Google said it blocked more than 1.2 million policy-violating Android apps from being published on Google Play last year, up from 962,000 in 2020.

Side-channel attack on Apple CPUs: A team of academics has published a report on Augury, a rare side-channel attack that can leak data from Apple CPUs such as A14, M1, and M1 Max. The finding comes after, over the past 4-5 years, academics have poked similar holes in the silicon of every other major chipmaker, such as Intel, AMD, and Arm. This is the second side-channel attack discovered against Apple silicon after the M1RACLES bug found in May 2021. A thread on the recent findings can be found below, posted by one of the Augury researchers:

Apple improves AirTag detection: Apple has released version 1.0.301 of the AirTag firmware to modify the sound alert given out by an AirTag engaged in an active tracking campaign. Apple promised this fix back in February as a way to prevent the widespread abuse of its new tracking gadget against vulnerable targets who may not have been aware an abuser hid an AirTag on one of their personal objects.

Government, politics, and policy

UK confuses local ISPs: The UK government managed to confuse all local internet service providers on Friday by passing a surprise update to its Russian sanctions. The new update mandated that UK ISPs block access to internet resources managed by sanctioned persons or entities. As several industry blogs pointed out last week, there are several issues with this update. First, the update was passed on April 27 and enforced two days later, leaving little time for ISPs to prepare. Second, even if they had the resources, many ISPs didn't know what Russian sites to block, as they had no idea to which sites each sanctioned entity was connected or running.

Cybercrime and threat intel

Stormous: Trustwave has a report out on Stormous, a threat actor that began operations in mid-2021 and which recently made headlines by siding with the Russian government after its invasion of Ukraine and "allegedly" infecting the Coca-Cola company with ransomware. However, Trustwave says it's unclear if the group actually uses ransomware in its attacks and what kind of ransomware. Instead, the company believes Stormous is more of a hack-ransom-and-leak operation, similar to the more widely-known Lapsus$ group.

Hacked website stats 2021: Sucuri has published its annual year in review report in which the company analyzed the hacked website landscape. The three main takeaways from the report: (1) vulnerable plugins and extensions account for far more website compromises than out-of-date, core CMS files; (2) credit card skimming is on the rise for WordPress sites; and (3) website-based crypto-mining (also known as cryptojacking) has almost died off.

Widespread VMWare abuse: In a report on Friday, security firm Rapid7 reported widespread abuse of CVE-2022-22954, a vulnerability in VMware’s Workspace ONE Access and Identity Manager solutions. VMWare itself confirmed the first attacks against this bug last week.

Malware technical reports

PrivateLoader: Zscaler has published a technical report on PrivateLoader, a malware downloader whose primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malware distribution service. The company says the malware has been used by multiple threat actors to distribute ransomware, information stealers, banking trojans, and other commodity malware.

BoratRAT: BlackBerry has published a technical report on BoratRAT, a new remote access trojan recently offered for rent on underground malware forums. BlackBerry said the malware appears to have been developed on top of the older SantaRAT.

APTs and cyber-espionage

Lotus Panda: Threat intelligence firm Cluster25 also published a report on Friday about a new spear-phishing campaign carried out by Naikon, one of the oldest Chinese cyber-espionage groups known to date. The security firm was not able to identify the victim of the attack but believes that Naikon most likely targeted a government institution from a South Asian country— its typical targets in the past. In addition, Cluster25 said the attack was of note because Naikon operators used a red team framework known as "Viper," a tool that's very popular with Chinese security researchers.

PwC year in review: The security arm of PricewaterhouseCoopers published its year in review report for 2021 last week. While the report is a chunky and well-worth read at 75 pages, the most interesting tidbit is a section on Red Dev 17. PwC says that this new APT has several infrastructure overlaps with other cyber-espionage groups, including some that were previously linked to the Chinese military. Active since 2017, PwC said that last year Red Dev 17 targeted the Indian military, a major Indian technology multinational, and a state energy company.