Cybersecurity Week in Review: 1/11
Posted by: GuidePoint Security
This week we highlight a wide range of threats:
- Ransomware attacks targeting gamers
- A breach involving a popular wireless and networking device manufacturer
- A highly sophisticated ‘watering hole’ attack targeting vulnerabilities in Chrome, Windows and Android
Resident Evil and Street Fighter: Battling for more gamers’ personal data
The developer behind such popular games as Resident Evil and Street Fighter announced last week that a November data breach affected nearly 400,000 gamers, 40,000 more than originally reported.
The November 2020 ransomware attack against a well-known Japanese game developer involved a threat called Ragnar Locker, a type of ransomware that caused more than a few headaches last fall. (You can read more on another November 2020 Ragnar Locker extortion scheme here.)
The gaming company first announced that it had detected a breach on November 2, 2020. A few weeks later it reported that both personal and corporate data had been compromised. In the original ransom note, the Ragnar Locker criminal group claimed they had downloaded more than 1 TB of corporate data, including banking data, contracts, proprietary information and emails. The company has repeatedly stated that none of the stolen or at-risk data contained credit card information.
This gaming company isn’t the first to experience a cyberattack, as gaming entities are increasingly becoming targets. Recent attacks have targeted Minecraft, Among Us, Roblox, Animal Jam and others. Experts believe that gaming companies are attractive to cybercriminals because of the profit they can turn by selling leaked credentials.
You can read an update on the gaming company breach here and here.
Customer data exposed in breach of major wireless device manufacturer
A manufacturer of popular networking and wireless devices announced last week that the systems it uses to store user profile information had been breached. While the company said that there was no indication that the user data had been accessed, there was still a possibility of data exposure, including names, email addresses, one-way encrypted account passwords, customer addresses and phone numbers. Last week the company began emailing customers and urging them to change their passwords and enable two-factor authentication (2FA).
In a rather ironic twist, the customers who received the email initially believed it to be a phishing attempt. However, the company has verified that the email is legitimate. (You can read the Account Notification Statement here.)
More information on this breach is available in this article.
Major ‘watering hole’ attack targeted Chrome, Windows and Android
Experts at Google announced last week the details of a major hacking campaign perpetrated by a “highly sophisticated actor.” The researchers classified it as a ‘watering hole’ attack and found “two exploit servers delivering different exploit chains” via the watering hole.
In watering hole attacks, threat actors compromise websites often visited by individuals or organizations of interest. The websites are injected with malware, which eventually infects someone visiting the site. The threat actors then are able to access the victim’s systems and devices via the malware infection.
In the case of these attacks, the threat actors exploited vulnerabilities in Chrome and Windows with the objective of installing malware on Android and Windows devices. The vulnerabilities involved zero-day exploits on Windows and ‘exploit chains’ (using “n-day” exploits) on Android. They also executed malicious code remotely on Windows and Android services using Chrome exploits. On the Android devices, once infected, the threat actors appeared to have delivered additional malicious payloads that collected device fingerprinting, location data, and a list of the processes that were running, as well as a list of the installed phone apps.
The zero-day Windows vulnerabilities are listed as CVE-2020-6418, CVE-2020-0938, CVE-2020-1020 and CVE-2020-1027. All bugs have since been patched.
According to researchers, the attacks appeared to be highly complex, involving complicated code, novel exploitation methods, mature logging and sophisticated post-exploitation techniques. For example, sometimes the threat actors operated a complex targeting infrastructure, detailing user fingerprints from inside the sandbox and then sending back dozens of parameters from the victim’s device before determining whether or not to continue with the exploitation. In other scenarios, the attackers fully exploited the system immediately or sometimes didn’t attempt any exploitation at all. Researchers believe the exploit chains and approaches were designed to be as efficient and flexible as possible, demonstrating a high level of expertise.
You can read more on this advanced watering hole attack here and here.
Final Words
The details associated with the different breaches and attacks highlighted above demonstrate the wide variety of threats and threat actors operating in the cyber landscape, and they also demonstrate the challenges faced by security professionals. Not only are threats widely varied in their purpose and their sophistication, but they’re also perpetrated by individuals and groups with hugely different objectives.
In the case of the Ragnar Locker ransomware, money is clearly the driver behind the threat, which suggests organized crime. In the case of the ‘watering hole’ attack, due to its sophistication, it sounds like government- or state-sponsored attackers may be involved.
Fighting crime used to be the sole purview of the police and other law enforcement entities. Today, that role includes anyone working in IT or security. Security professionals are not just detecting and responding to threats, they’re also trying to find a balance between risk, cost, staffing, training and keeping their organizations safe.
While there is no quick solution to the cybersecurity/cybercrime challenge, there is a clear message: to get ahead, we need to begin investing more deeply in cybersecurity prevention at the global, national and local levels by addressing the various gaps that exist in skills, knowledge and technology.