Android Data Breach, Ring Settlement Payout, Iran Cyber Sanctions - Cybersecurity News [April 22, 2024]
Here we are with the latest cybersecurity news of the week, covering the scoops on the new Brokewell malware, the FTC settlement for Ring users, the sanctions on Iranian threat actors, the return of HelloKitty malware, and the spread of Redline malware via game cheats. Let’s take a look!
New Brokewell Malware Compromises Android Devices and Extracts Data
A new Android banking trojan, Brokewell, was discovered this week that captures device data.
Brokewell is delivered through a fake Google Chrome update page shown to users of the browser. ThreatFabric, which discovered the malware, reported that the fake page delivers a payload the threat actors use to steal data and take remote control of the device. Brokewell is particularly dangerous because of how much it can capture, including:
- Keystrokes: Every key you press is logged, including passwords and credit card numbers.
- Screen Information: Anything displayed on your screen, like online banking details or emails.
- Text Entries: Any text you enter in any app is fair game for Brokewell.
- App Usage: The malware tracks the apps you launch, giving the threat actors a complete picture of your digital activity.
The developer of Brokewell, who goes by Baron Samedit, has been selling tools for checking stolen accounts to threat actors for nearly two years and has now released a Brokewell Android Loader that bypasses the restrictions Google places on sideloaded apps and makes device takeover easy. To steer clear of the malware, do not install apps or browser updates from outside the Google Play Store; Chrome on Android is updated through the Play Store, never through a web page.
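One practical check for the advice above is to list which installer put each third-party app on a device, since an APK fetched from a fake update page is never recorded as installed by the Play Store. The script below is an added example, not ThreatFabric's tooling or anything from the original article: it parses the output of `adb shell pm list packages -3 -i` and flags every package whose installer is outside a trusted allow-list. The sample command output, the package names, and the allow-list are constructed for this example.

```python
"""Audit an Android device for apps that did not come from the Play Store.

`adb shell pm list packages -3 -i` prints one line per third-party package in
the form `package:<name>  installer=<installer package or null>`.  An APK
downloaded from a web page is installed by the package installer (or has no
recorded installer), never by com.android.vending, so flagging every installer
outside an allow-list surfaces sideloaded apps.  The sample output below and
the allow-list are constructed for this example.
"""
import re
import subprocess

PLAY_STORE = "com.android.vending"
TRUSTED_INSTALLERS = frozenset({PLAY_STORE})  # assumption: Play Store only

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output of `pm list packages -3 -i`.
SAMPLE_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.chrome.update.helper  installer=com.android.packageinstaller
package:com.totally.legit.app  installer=null
package:com.example.notes  installer=com.android.vending
"""


def parse_pm_output(text: str) -> dict:
    """Map package name -> installer package ("null" when none is recorded)."""
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("pkg")] = match.group("installer")
    return packages


def find_sideloaded(text: str, trusted=TRUSTED_INSTALLERS) -> list:
    """Return sorted (package, installer) pairs whose installer is untrusted."""
    return sorted(
        (pkg, installer)
        for pkg, installer in parse_pm_output(text).items()
        if installer not in trusted
    )


def audit_connected_device() -> list:
    """Run the real command over adb (requires adb and an authorized device)."""
    output = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_sideloaded(output)


if __name__ == "__main__":
    for pkg, installer in find_sideloaded(SAMPLE_OUTPUT):
        print(f"sideloaded: {pkg} (installer={installer})")
```

A flagged package is not automatically malicious (enterprise MDM and alternative stores also show up here), but anything installed by the bare package installer shortly after a "browser update" prompt deserves a closer look.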
Ring Users Receive $5.6 Million in Settlement Over Privacy Violations
The FTC (Federal Trade Commission) is sending $5.6 million in refunds to Ring users as part of its settlement with Ring, the popular video doorbell company.
The FTC's complaint, filed in May 2023, alleged that Ring failed to implement proper security measures to protect devices from unauthorized individuals, and that Ring employees and contractors accessed private video feeds of its users.
Ring is an Amazon subsidiary that sells Internet-connected smart home products, which owners control remotely through a mobile application. Apart from the insider access, Ring also failed to require basic protections such as MFA (Multi-Factor Authentication), and many customers had their accounts hijacked through credential stuffing and brute-force attacks. The FTC is now sending PayPal payments to nearly 117,000 Ring customers as part of the settlement.
If you are eligible, you must redeem the payment within 30 days. The refunds go to consumers who had indoor cameras during the period in which the unauthorized access took place. You can find out how to claim the funds and read more in the FTC's press release.
US Government Imposes Sanctions on Iranians Connected to Cyberattacks
In other news, the US OFAC (Office of Foreign Assets Control) sanctioned four Iranian nationals who took part in cyberattacks against the US government and private organizations.
These individuals are accused of working for or collaborating with the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC), a branch responsible for the country’s cyberwarfare efforts. The four individuals sanctioned are:
- Alireza Shafie Nasab and Reza Kazemifar Rahman: Believed to be involved in a multi-year cyber campaign targeting US enterprises and government entities.
- Hosein Mohammad Harooni: Accused of spear phishing attacks against the US Department of the Treasury and other institutions.
- Komeil Baradaran Salmani: Linked to attacks coordinated by the IRGC-CEC against US organizations.
OFAC also sanctioned two Iranian companies, MASN (Mehrsam Andisheh Saz Nik) and DAA (Dadeh Afzar Arman), which the IRGC-CEC used as fronts. The four remain at large, and the Justice Department has also unsealed an indictment charging them over the campaign.
HelloKitty Ransomware Adopts New Name, Leaks Data from CD Projekt and Cisco
HelloKitty made its comeback this week when one of the operators behind the ransomware released passwords found in the leaked CD Projekt source code along with internal Cisco network information.
The comeback was first noticed by researcher 3xp0rt, who shared the details on X. The threat actor, “Gookee,” also announced the rebranding of the ransomware along with a new dark web portal called HelloGookie.
HelloKitty shut down at the end of 2023 after its developer leaked the ransomware's builder and source code on a hacking forum. Now the threat actor has returned with the rebrand announcement and has shared four private keys that decrypt files from older attacks, internal information from a Cisco attack, and leaked CD Projekt source code for The Witcher 3. There is no evidence of new attacks by HelloGookie yet, and the site shows no recent leaks.
Although victims of older attacks can use the released keys to recover their data for free, the CD Projekt Red leak has already had consequences: developers have compiled playable builds of The Witcher 3 from the leaked source code. It remains to be seen whom HelloGookie will target and whether it will keep making headlines the way HelloKitty did.
Robust ransomware protections, such as regular offline backups, network segmentation, and modern endpoint security tooling, significantly reduce the risk of falling victim to such attacks. Regular employee training and simulated phishing exercises help build phishing awareness across the organization.
Deceptive Game Cheat Distributes Malware to Steal Information from Gamers
HelloGookie’s release of The Witcher 3 source code wasn't the only thing that happened this past week: a new info-stealing campaign is impersonating the Cheat Lab cheating tool.
The malware is Redline, a widely used info stealer that threat actors use to exfiltrate data from infected devices, including saved passwords, browser autofill data, cookies, cryptocurrency wallet information, and more.
The campaign was analyzed by McAfee Labs researchers, who reported that the payload is delivered as Lua bytecode to evade detection.
Redline payloads masquerade as cheating tools such as Cheat Lab and Cheater Pro and are distributed as ZIP files containing an MSI installer. But that's not all: the threat actors also run a referral campaign that promises a fully licensed copy of the cheating program for free if a friend or acquaintance downloads and installs the malware too. The payload is not a conventional executable but Lua bytecode stored in a separate readme.txt file; when you run the installer, it loads and executes that bytecode with a bundled Lua runtime and installs the malware on your device.
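The trick described above, bytecode parked in a file named readme.txt, is easy to spot if you look at file contents rather than file names. The script below is an added example, not code from McAfee or from the original article: it walks a ZIP archive in memory and flags members whose first bytes carry a Lua bytecode signature (ESC "Lua" for PUC Lua, ESC "LJ" for LuaJIT) or the OLE compound-file signature used by MSI installers. The archive, its member names and their contents are constructed for this example; the actual campaign's filenames beyond readme.txt are not given on this page.

```python
"""Flag Lua bytecode and bundled installers inside a downloaded ZIP.

A Lua bytecode chunk starts with ESC 'L' 'u' 'a' (PUC Lua) or ESC 'L' 'J'
(LuaJIT), and an MSI installer is an OLE compound file starting with
D0 CF 11 E0 A1 B1 1A E1.  A member named readme.txt whose bytes start with a
Lua signature is a payload, not documentation.  The archive is constructed in
memory for this example; the member names are assumptions.
"""
import io
import zipfile

LUA_MAGICS = {b"\x1bLua": "PUC Lua", b"\x1bLJ": "LuaJIT"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
TEXT_EXTENSIONS = (".txt", ".md", ".ini", ".cfg", ".log")


def classify_member(name: str, head: bytes):
    """Return a reason string if the member looks suspicious, else None."""
    lower = name.lower()
    for magic, flavour in LUA_MAGICS.items():
        if head.startswith(magic):
            if lower.endswith(TEXT_EXTENSIONS):
                return f"{flavour} bytecode disguised as a text file"
            return f"{flavour} bytecode"
    if head.startswith(OLE_MAGIC) and lower.endswith(".msi"):
        return "MSI installer bundled in archive"
    if lower.endswith(TEXT_EXTENSIONS) and b"\x00" in head:
        return "binary content in a text-named file"
    return None


def scan_zip(zip_bytes: bytes) -> list:
    """Return sorted (member name, reason) pairs for suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                head = member.read(64)  # every signature checked lives in the first bytes
            reason = classify_member(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return sorted(findings)


def build_sample_zip() -> bytes:
    """Construct a lookalike of the lure: installer, Lua payload, real text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Cheat Lab Setup.msi", OLE_MAGIC + b"\x00" * 56)
        # Lua 5.1 header: magic, version 0x51, format 0, then size fields; body is filler.
        archive.writestr(
            "readme.txt",
            b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00" + b"\x00" * 40,
        )
        archive.writestr("LICENSE.txt", b"MIT License\n\nPermission is hereby granted...\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

The point of the check is that extension-based filtering is what the lure relies on; reading a few dozen bytes of each member defeats the readme.txt disguise regardless of what the file is called.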
This attack shows that even a legitimate-looking installer may hide malware, so don't download anything from untrusted sources. If you're not sure whether a cheat program is legitimate, research it online before downloading it. Robust malware protection also helps mitigate such threats.