The attacks came from all corners in the past month, as cybercriminals used administrative access codes, stolen internal data, laser-focused programming tools, and even humble job applications to worm their way into organisations’ inner workings. Let’s look at some of the strange and sinister innovations that shaped the world of cybercrime this April.
April 2022’s Biggest Cyber Attacks
More_eggs Malware Hatches Trouble for Hiring Managers
It’s a tricky time to be a hiring manager. An ongoing worker shortage has left companies scrambling to fill roles, and now hackers are hitting them with bogus applications riddled with malware.
An April article in The Hacker News reports that a Canadian cybersecurity company identified several late March incidents in which employers received phony job applications whose resume attachments contained a suite of backdoor malware called More_eggs.
Thought to be the handiwork of a Russian group that goes by the names Venom Spider or Golden Chickens (both of which lay eggs … get it?), this malware embeds itself in Windows processes for later deployment. Once it’s in an organisation’s system, it potentially opens the door for ransomware, data theft, and other acts of espionage.
In the reported instances, More_eggs was identified before it could do any harm, but there is a high likelihood that it is already present in other companies’ systems. Interestingly, this scheme seems to be a reversal of attacks from the same time last year in which Golden Chickens targeted job seekers with malware hidden in job offers.
Records Exposed: Windows processes
Type of Attack: Spear phishing
Industry: Hiring managers across multiple industries
Date of Attack: Ongoing
Key takeaway: Hackers will exploit any possible route they can. Even a normally benign area of the workplace like human resources can be a gateway for ransomware and data theft. Your security system needs to be capable of filtering and scanning attachments of all kinds, even easily overlooked items like applications and resumes.
BlackCat Crosses the Path of Rust Users
One of the most frustrating elements of the cybersecurity landscape is the persistence with which bad actors seek out new ways to get around obstructions.
In one of the latest examples, the FBI issued a warning to websites using the Rust programming language about a wave of targeted attacks. Rust has become a darling amongst programmers in the know in recent years due to its comparative safety and its solutions to problems that plague other languages. Its relatively low rate of adoption has, up until now, helped shield Rust from some of the cybersecurity issues faced by better-known systems.
But all good things must come to an end. The FBI report states that at least 60 organisations worldwide have been hit with ransomware-as-a-service attacks written specifically for Rust-based systems.
The attacks have been attributed to the well-known BlackCat ransomware group, also known as ALPHV, and have targeted institutions including Florida International University, North Carolina A&T University, the Italian fashion company Moncler, and the German oil companies Oiltanking and Mabanaft, among dozens of others. The breaches likely took place between November 2021 and March 2022 and may have been difficult to detect because many security analytics tools are not equipped to effectively monitor a Rust-based system.
Records Exposed: Unspecified but wide-ranging
Type of Attacks: Ransomware
Industry: Academia, fashion, energy, and more
Date of Attacks: November 2021 to March 2022
Key takeaway: Maybe one day programmers will come up with a truly hacker-proof language, but that day hasn’t come yet. Even a language built around safety such as Rust can—and will—eventually become a target. Cybercriminals are an endlessly adaptable lot, which makes it all the more important to employ a robust, customisable cybersecurity system that can be upgraded to meet incoming threats of all kinds.
Cash App Gets Breached from Within
Your uncle who still insists on doing all his banking in person got a little bit of validation in April, when an SEC filing confirmed that the popular investment app Cash App had been breached by a former employee.
According to the 6 April filing, a previously dismissed employee of Cash App’s parent company Block (formerly known as Square) was able to access sensitive customer information and downloaded a large number of files in December 2021. While the breach is not believed to include data such as social security numbers or addresses, the theft did include the names and brokerage account numbers of as many as 8.2 million Cash App investors.
While the actual damage could have been worse, what’s troubling is how a supposedly secure business like Cash App was lax enough to allow a disgruntled former employee to get hold of so much customer data. The investigation continues but, in the meantime, Block has been following the usual course of contacting current and former users and making applicable resources available to them.
Records Exposed: Investor names and brokerage account numbers
Type of Attack: Internal data theft
Date of Attack: December 2021
Location: San Francisco, CA
Key takeaway: While the motivations and actual damage of this incident remain unclear, it stands as a strong reminder that external attacks are only part of the equation. Internal security gaffes such as allowing former employees with axes to grind to retain access to sensitive information simply can’t be allowed if an organisation wants to maintain trust. A cybersecurity system that can identify and help close up internal gaps before they widen is a must.
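As an added illustration of that takeaway (example code written for this page, not anything Block or Cash App published), the script below cross-checks a constructed HR termination list against constructed access-log lines and flags any account activity dated after the employee’s last day. The usernames, dates and log format are assumptions.

```python
"""Added example (not from the article): flag post-termination access.

Cross-checks an HR offboarding list against application access logs so that
any activity by an account after its owner's termination date stands out.
All data below is constructed for illustration.
"""
from datetime import datetime

# Constructed HR feed: username -> last day of employment (inclusive).
TERMINATIONS = {
    "jdoe": datetime(2021, 11, 30),
    "asmith": datetime(2021, 12, 15),
}

# Constructed access-log lines: "<ISO timestamp> <user> <action> <record_count>"
ACCESS_LOG = """\
2021-12-01T09:14:02 jdoe export_report 120000
2021-12-03T22:41:55 jdoe export_report 450000
2021-12-10T10:05:12 asmith view_account 1
2021-12-20T02:17:44 asmith export_report 800000
2021-12-20T11:30:00 mlee export_report 5000
"""

def parse_log(text):
    """Parse log lines into (timestamp, user, action, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return events

def find_post_termination_access(events, terminations):
    """Return events performed by accounts after their owner's last day.

    Each finding records how many days the account outlived the employee,
    which is the internal gap an offboarding review should close.
    """
    findings = []
    for ts, user, action, count in events:
        last_day = terminations.get(user)
        if last_day is None or ts.date() <= last_day.date():
            continue  # still employed, or not in the termination feed
        days_after = (ts.date() - last_day.date()).days
        findings.append({"user": user, "action": action, "records": count,
                         "days_after_termination": days_after})
    return findings
```

Feeding the same check with a real identity provider's deprovisioning export and application audit logs turns it into a daily control rather than a one-off script.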
Lapsus$ Continues its Crime Spree with Okta Hack
The Brazilian hacker collective known as Lapsus$ has been one of the most prolific players in the cybercrime game recently, stealing and posting source code from high-value targets such as Samsung, Microsoft, and Nvidia. The latter made some security industry headlines by reportedly hacking Lapsus$ back and stealing their data away from the thieves, but on the whole the Lapsus$ streak has been remarkably successful.
Screenshots posted from the January incident at the identity-management provider Okta show that Lapsus$ was able to gain a high level of access to Okta’s inner workings. Operating as a “superuser/admin,” the hackers could theoretically have acted on behalf of customer accounts, even changing passwords to lock out legitimate users.
Records Exposed: Administrative access and control of customer accounts
Type of Attack: Admin hijack
Industry: Identity management
Date of Attack: January 2022
Location: San Francisco, CA
From angry ex-employees to phony future employees to infamous crime syndicates, security professionals had their hands full with breaches of all stripes in April 2022. Whether you’re scanning over resumes or heading up an IT department, a wide-ranging, holistic approach to organisational cybersecurity remains a vital element of doing business over the internet.