
Ankura CTIX FLASH Update - September 20, 2022

Ransomware/Malware Activity


Revolut Data Breach Exposes 50,000 Customers' Personal Information, Phishers Take Advantage

Financial technology company Revolut has suffered a data breach affecting over 50,000 of its customers. In a statement given by a company spokesperson, Revolut identified an unauthorized third party that "had access for a short period of time" to the sensitive information of 0.16% of its customer base. The organization has sent emails to the affected customers, most of whom are located in the "European Economic Area," as well as Lithuania. The leaked information includes customers' email addresses, full names, postal addresses, phone numbers, and other account data. In an email sent by Revolut, the organization states that the type of compromised data varies per customer, though card details, PINs, and passwords were not accessed. The company also stressed that customers' funds have not been accessed and that a team has been created to monitor customer accounts and ensure users' funds remain secure. The initial attack vector has not been disclosed, though it appears the threat actor used some form of social engineering. Shortly after the incident, customers noticed that Revolut's support chat had been defaced, with vulgar messages replacing the help text. While customers' financial accounts may be safe from the original threat actor, other hackers are taking advantage of the leaked data. Threat actors have begun smishing (SMS phishing) the affected customers by sending messages that spoof Revolut's automated phone number. Users received a fraudulent text message stating that a new card was being shipped to them and prompting them to click a provided link and enter their details. The phishing site asks for the user's phone number, passcode, full name, and date of birth, as well as the details of the debit card currently attached to the account. With this information, the threat actor can perform online transactions using the user's card details or send money to accounts they control. CTIX analysts will continue to monitor this situation and will provide updates on any future developments.


Threat Actor Activity


Rockstar Games & Uber Breached by Supposed Lapsus$ Threat Actor

Video game giant Rockstar Games has suffered a major social engineering attack that resulted in the exfiltration of videos from the upcoming Grand Theft Auto VI game. A user with the handle "teapotuberhacker", tracked as TeaPot, leaked around ninety (90) videos to GTAForums containing confidential development footage of the next Grand Theft Auto, supposedly extracted from a compromised Rockstar Games Slack channel. TeaPot also claimed to be in possession of Grand Theft Auto V/VI source code, associated assets, and test realms. The same threat actor has claimed responsibility for the crippling cyber-attack on Uber late last week. Attributed to Lapsus$, TeaPot claimed to have gained unauthorized access to several Uber Technologies systems, including Slack channels, AWS, Google Workspace, virtual machines, and the company's HackerOne bug bounty filing system. The point of compromise in that attack was a successful social engineering attack against an Uber employee via WhatsApp, which ultimately led to the disclosure of account credentials. Several days later, Uber released a statement acknowledging the breach and naming Lapsus$ as responsible, stating that extortion by the group was a strong possibility. While not yet confirmed, Lapsus$ is believed to be behind the Rockstar Games breach based on the threat actor's tactics, techniques, and procedures. CTIX will continue to monitor the fallout of these cyber-attacks and will provide an update as more information is released.


Vulnerabilities


CISA Adds Actively-Exploited Trend Micro Vulnerability to the Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new high-severity vulnerability that is being actively exploited in the wild to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, patched on September 13, 2022, affects Trend Micro security products. The addition of this bug to the KEV requires all federal civilian executive branch (FCEB) agencies to patch the flaw no later than October 5, 2022, in accordance with Binding Operational Directive 22-01 (BOD 22-01). Failure of FCEB agencies to comply by the deadline will lead to hefty fines against the delinquent organizations. The vulnerability, tracked as CVE-2022-40139, exists in the Trend Micro Apex One and Trend Micro Apex One as a Service clients, and could be exploited by malicious threat actors to achieve arbitrary remote code execution (RCE) on vulnerable Apex One clients. Apex One is an automated endpoint security platform that provides threat detection and response for businesses that deploy it. Trend Micro's security advisory explains that "Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow a[n] Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution." Specific details about the vulnerability have not yet been published, as it is still undergoing analysis. Although dangerous enough to be added to the KEV, the flaw received a CVSS score of only 8.2/10, because successful exploitation requires an attacker to first have access to the Apex One server administration console. Trend Micro stated that it has already "observed at least one active attempt of potential exploitation of this vulnerability in the wild." CTIX analysts recommend that organizations using Apex One update their infrastructure immediately.
Details regarding all of the vulnerabilities added to the KEV can be found in the KEV catalog linked below.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed and the CTIX team (ctix@ankura.com) for threat intelligence inquiries.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
