FBI Busts Alabama Man for SIM-Swap Attack on SEC X Account

ESET denies compromise after Israeli business infected with wiper, Globe Life faces extortion after June breach, Radiant Capital loses $50M in breach, Group-IB dishes details on Cicada3301, Microsoft loses logs for some cloud products, Fake Google Meet pages used in new malware campaign, much more


Check out our sponsor, Anchore, which helped bring you today's issue:

Anchore enables organizations to secure software supply chains and automate compliance to save time and reduce risk. Built for cloud-native applications and air-gapped environments, organizations can generate SBOMs and fix vulnerabilities while maintaining continuous government and industry compliance.


The US Justice Department announced that the FBI arrested Alabama man Eric Council for his suspected role in hacking the SEC's X account to make a fake announcement that Bitcoin ETFs were approved.

Justice said that Council and conspirators conducted a SIM-swap attack to take over the identity of the person in charge of SEC's X account.

The SEC's X account was hacked on January 9th, 2024, to tweet that it had finally approved Bitcoin ETFs to be listed on stock exchanges. "Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges. The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection," read the fake post on X.

This tweet included an image of SEC Chairperson Gary Gensler and a quote praising the decision. Bitcoin quickly jumped in price by $1,000 over the announcement and then just as quickly plummeted by $2,000 after Gensler tweeted that the SEC account had been hacked and the announcement was fake.

The next day, the SEC confirmed the hack was possible through a SIM-swapping attack on the cell phone number associated with the person in charge of the X account.

According to the SEC, the hackers did not have access to the agency's internal systems, data, devices, or other social media accounts. The SIM swap was carried out by tricking the account holder's mobile carrier into porting the number.

Once the threat actors controlled the number, they reset the password for the @SECGov X account to create the fake announcement.

Council was indicted on October 10th by a federal grand jury in the District of Columbia for his alleged role in the attack. The suspect is now charged with one count of conspiracy to commit aggravated identity theft and access device fraud, which carries a maximum penalty of five years in prison. (Lawrence Abrams / Bleeping Computer)

Related: Justice.gov, Justice.gov, The Record, Infosecurity Magazine, Forbes, The Stack, WAFF, PC Gamer, Ars Technica, Reuters, The Verge, Cointelegraph, Cryptonews, The Defiant, BBC News, Rappler News, TechNadu, Tech-Economic Times

The email itself passed DKIM and SPF checks against ESET's domain, although according to a screenshot shared by one security pro, Google Workspace flagged it as malicious.

The email was first sent on October 8, targeting cybersecurity professionals in Israel, with the .ZIP download hosted on ESET servers.

Targets were told their devices were being targeted by "a state-backed threat actor" and invited to ESET's Unleashed program—which doesn't appear to exist as a standalone program, but Beaumont noted the vendor sometimes uses the branding.

The download contains various ESET DLLs alongside a malicious setup.exe that posed as ransomware.

The source of the malicious activity isn't known, but the MO aligns neatly with that of the pro-Palestine Handala group, which, for the past few months, has attacked Israeli organizations and figureheads. (Kevin Beaumont / Double Pulsar and Connor Jones / The Register)

Related: Help Net Security, ESET Security Forum

In an SEC filing, life and health insurance giant Globe Life says an unknown threat actor attempted to extort money in exchange for not publishing data stolen from the company's systems earlier this year.

Globe Life previously disclosed a data breach on June 13 after discovering it had been compromised while reviewing potential vulnerabilities related to access permissions and user identity management for its web portal.

At the time, the company warned that the hackers may have accessed consumer and policyholder data following a successful breach of one of the web portals.

Although the company's operations weren't significantly disrupted due to the incident, there was concern about what data might have been stolen, as such a scenario could potentially impact millions.

Globe Life told the SEC that at least 5,000 customers of its subsidiary, American Income Life Insurance Company, are impacted. However, this number may increase as the investigation continues.

The company also says that the cybercriminals behind the attack attempted to extort the company into paying a ransom in exchange for not publishing the stolen data.

The stolen information includes the following data types, which vary per individual: full names, email addresses, phone numbers, postal addresses, Social Security Numbers, health-related data, and policy information.

Globe Life has also clarified that the extortion attempt does not involve ransomware, so there has been no data encryption or file locking on the company's systems.

Regarding the financial impact of the incident, as of today, Globe Life believes that it will not have a material impact on its business operations and does not expect it to affect its financials. (Bill Toulas / Bleeping Computer)

Related: SEC, The Register, TechCrunch, WFAA, Marketwatch, The Record, The Cyber Express, Cyber Daily

DeFi firm Radiant Capital halted its lending markets after the cross-chain lending protocol suffered a more than $50 million cybersecurity breach on BNB Chain and Arbitrum.

“Radiant Capital contracts were exploited on BSC & ARB chains with the ‘transferFrom’ function, which allowed to drain users’ funds, namely $USDC $WBNB $ETH and others,” Web3 cybersecurity firm De.Fi Antivirus said in an Oct. 16 post on the X platform.

De.Fi said the exploit drained approximately $58 million, mirroring estimates from another cybersecurity firm, Ancilia Inc., which pegged losses at around $50 million, according to another X post.

“We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum,” Radiant said.

Radiant is controlled by a multisignature wallet, or “multisig.” The attacker purportedly gained control of several signers’ private keys and then seized control of several smart contracts. (Alex O'Donnell / Cointelegraph)

Related: Coinspeaker, crypto.news, CoinDesk, CoinGape, The Cyber Express, Protos, Decrypt, CCN, The Crypto Times, The Block

Researchers at Group-IB published new details about the Cicada3301 ransomware-as-a-service (RaaS) group's affiliate panel and ransomware strains.

Cicada3301 first began recruiting affiliates in late June 2024 and has since claimed at least 30 victims, mostly in the United States and the United Kingdom. The group gained attention in September due to analyses that found several similarities between its ransomware and that of the defunct ALPHV/BlackCat ransomware gang.  

While it is still unclear if Cicada3301 is an ALPHV/BlackCat rebrand or if the group purchased ALPHV/BlackCat’s source code when it was put up for sale earlier this year, Group-IB says there are “very strong similarities” with key differences, including far fewer command-line options, differences in access key use, no embedded configuration, and slight differences in the ransom note naming convention.

The report also provided a detailed overview of the features available to Cicada3301 affiliates via the affiliate panel, including the ability to easily manage victim companies and customize attacks for each victim. (Laura French / SC Media)

Related: Group-IB, Infosecurity Magazine, Digit

Source: Group-IB.

Microsoft notified customers that over two weeks of security logs for some of its cloud products are missing, leaving network defenders without critical data for detecting possible intrusions.

According to a notification sent to affected customers, Microsoft said that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform” between September 2 and September 19.

The notification said a security incident did not cause the logging outage and “only affected the collection of log events.”

Business Insider first reported the loss of log data earlier in October. Details of the notification have not been widely reported. As security researcher Kevin Beaumont noted, the notifications that Microsoft sent to affected companies are likely accessible only to a handful of users with tenant admin rights.

Microsoft said the incident was caused by an “operational bug within our internal monitoring agent.”

John Sheehan, a Microsoft corporate vice president, said, “We have mitigated the issue by rolling back a service change. We have communicated to all impacted customers and will provide support as needed." (Zack Whittaker / TechCrunch)
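The outage above went unnoticed for more than two weeks because nothing on the receiving side alarmed when uploads stopped. The following is an added example, not code from the article or from Microsoft, of the check a defender can run over their own ingestion telemetry: it walks a list of received batch timestamps, reports any stretch longer than a tolerance multiple of the expected interval, and separately flags when the most recent batch is stale. The timestamps, the hourly batch cadence and the tolerance factor are all constructed assumptions for illustration.

```python
"""Detect silent gaps in log ingestion (added example; constructed data)."""
from datetime import datetime, timedelta

# Constructed ingestion heartbeat: one entry per hourly upload batch that the
# logging platform actually received (ISO-8601, UTC). The hole in the middle
# mimics an agent that stopped uploading without raising an error.
RECEIVED_BATCHES = [
    "2024-09-01T22:00:00", "2024-09-01T23:00:00", "2024-09-02T00:00:00",
    # nothing arrives between 2024-09-02T00:00 and 2024-09-19T12:00
    "2024-09-19T12:00:00", "2024-09-19T13:00:00",
]

EXPECTED_INTERVAL = timedelta(hours=1)   # assumed batch cadence
TOLERANCE = 2.0                           # alert when a gap exceeds 2x cadence


def find_gaps(timestamps, expected_interval=EXPECTED_INTERVAL, tolerance=TOLERANCE):
    """Return (gap_start, gap_end, missing_batches) for every stretch where the
    time between consecutive received batches exceeds tolerance * interval."""
    times = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = []
    for earlier, later in zip(times, times[1:]):
        delta = later - earlier
        if delta > expected_interval * tolerance:
            # number of batches that should have arrived but did not
            missing = int(delta / expected_interval) - 1
            gaps.append((earlier, later, missing))
    return gaps


def is_stale(timestamps, now, expected_interval=EXPECTED_INTERVAL, tolerance=TOLERANCE):
    """True when the newest batch is older than tolerance * interval relative
    to `now`, i.e. collection has probably stopped and nobody has noticed."""
    if not timestamps:
        return True
    newest = max(datetime.fromisoformat(t) for t in timestamps)
    return (now - newest) > expected_interval * tolerance


if __name__ == "__main__":
    for start, end, missing in find_gaps(RECEIVED_BATCHES):
        print(f"gap {start.isoformat()} -> {end.isoformat()}: {missing} batches missing")
    print("stale now:", is_stale(RECEIVED_BATCHES, now=datetime(2024, 9, 19, 16)))
```

Run the gap scan on a schedule against whatever timestamps your collector exposes (last-seen time per agent, per tenant, per source); the staleness check is the one that catches an outage while it is still happening rather than after the fact.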

Related: Bleeping Computer, Times of India, Born City, Business Insider

Researchers at Sekoia report that a new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems.

ClickFix is a social engineering tactic that emerged in May, first reported by cybersecurity company Proofpoint. It was used by a threat actor (TA571) that used messages impersonating errors for Google Chrome, Microsoft Word, and OneDrive.

The fake errors prompted the victim to copy a piece of PowerShell code to the clipboard and run it in the Windows Command Prompt, supposedly to fix the issue.

Sekoia says some of the more recent campaigns have been conducted by two threat groups, the Slavic Nation Empire (SNE) and Scamquerteo, considered sub-teams of the cryptocurrency scam gangs Marko Polo and CryptoLove.

The threat actors are using fake pages for Google Meet, the video communication service part of the Google Workspace suite, which is popular in corporate environments for virtual meetings, webinars, and online collaboration. Once the victim gets on the fake page, they receive a pop-up message informing them of a technical issue, such as a microphone or headset problem.

If they click on "Try Fix," a standard ClickFix infection process starts: PowerShell code that the website copies to the clipboard, once pasted into the Windows prompt, infects the computer with malware, fetching the payload from the 'googiedrivers[.]com' domain.

On Windows, the final payloads are the Stealc or Rhadamanthys info-stealers. On macOS, the threat actor drops AMOS Stealer as a .DMG (Apple disk image) file named 'Launcher_v194.' (Bill Toulas / Bleeping Computer)

Related: Sekoia, HackRead, Forbes, Help Net Security

Source: Sekoia.

Microsoft researchers disclosed a macOS vulnerability called HMSurf that attackers can exploit to gain unauthorized access to protected data; a patch has been available since September 16th.

Macs use Transparency, Consent, and Control (TCC) technology to prevent apps from accessing users' personal information, such as location, browsing history, camera, microphone, or others, without their consent.

Researchers from Microsoft Threat Intelligence discovered a bypass technique that removes TCC protection for the Safari browser directory. Normally, any app on macOS must ask for the user’s permission to access sensitive services or data.

However, Apple reserves some entitlements for its own apps, and Safari can freely access the address book, camera, microphone, and more. By default, Safari still displays a popup when accessing these features.

However, attackers can modify configuration files to remove TCC protections for the Safari directory. Attackers could take camera snapshots or trace the device's location if the user opens a malicious webpage.

Following a responsible disclosure, Apple released a fix for the vulnerability on September 16th, 2024, as part of security updates for macOS Sequoia.

Microsoft has already detected malicious activity that potentially exploits this bug.

Microsoft said, “We encourage macOS users to apply these security updates as soon as possible. Behavior monitoring protections in Microsoft Defender for Endpoint have detected activity associated with Adload, a prevalent macOS threat family, potentially exploiting this vulnerability." (Ernestas Naprys / Cybernews)

Related: Microsoft, Security Affairs

Source: Microsoft.

Industrial cyber risk management firm DeNexus raised $17.5 million in a Series A venture funding round.

Punja Global Ventures led the round with participation from AXA XL, Prosegur Tech Ventures, and HCS Capital. (Kevin Townsend / Security Week)

Related: The Paypers, Coverager, Silicon Angle, FinTech Global, Reinsurance News, PR Newswire, FinSMEs

Best Thing of the Day: Who Couldn't Use a Spare $100K?

Google announced a Cloud Vulnerability Reward Program (VRP) that offers a top award of $101,010 to security researchers who find bugs in Google Cloud.

Worst Thing of the Day: If Ever There Were Something You Should Opt Out of, It's This

Twitter updated its Privacy Policy to indicate that it would allow third-party “collaborators” to train their AI models on X data unless users opt out.

Closing Thought
