
PEACHPIT ad fraud campaign infects Chinese smart TV boxes with malware

by Celia

INFOSEC IN BRIEF Bot defence software vendor Human Security last week detailed an attack that “sold unbranded mobile and connected TV (CTV) devices on popular online retailers and resale sites … preloaded with a known malware called Triada”.

Human dubbed the campaign that infects and distributes these Android devices BADBOX. The infected devices were sold for less than $50. Human’s researchers found over 200 models with pre-installed malware, and when they went shopping for seven specific devices, they found that 80 percent of the units were infected with BADBOX.


Analysis of the infected devices revealed an ad fraud module that Human’s researchers dubbed PEACHPIT. At its peak, PEACHPIT ran on a botnet of 121,000 Android devices per day. The attackers also created malicious iOS apps that ran on 159,000 Apple devices per day at the peak of the PEACHPIT campaign.


These infected devices served over four billion ads per day – all invisible to users.


Human Security’s technical report [PDF] on BADBOX and PEACHPIT describes the campaign: “A Chinese manufacturer (possibly many manufacturers) builds a variety of Android-based devices, including phones, tablets, and CTV boxes.


“At some point between the manufacture of these products and their delivery to resellers, physical retail stores, and e-commerce warehouses, a firmware backdoor … is installed and the product boxes are sealed in plastic, making these devices vulnerable to fraud upon arrival at their destination.”

Human Security worked with Apple and Google to disrupt PEACHPIT, but warned that BADBOX devices are still plentiful.

It’s been four months since the mass exploitation of vulnerabilities in Progress Software’s MOVEit file transfer software was publicly announced, and only recently has the Clop ransomware gang added Sony to its list of victims.

In early October, Sony admitted that it had been a victim. In a breach notification filed with the US state of Maine, Sony admitted that 6,791 of its US employees had their data exposed due to the MOVEit vulnerability, which was susceptible to an SQL injection attack, allowing hackers to elevate their privileges and gain unauthorised access to target environments.

By the end of July, more than 400 organisations and 20 million individuals had been affected by the MOVEit breach, including high-profile customers such as Sony, energy company Shell and the US Department of Energy.

According to the breach letter sent to Sony employees and their family members, Sony Interactive Entertainment – the subsidiary that makes video games and consoles like the PlayStation – had its MOVEit environment compromised as early as 28 May, just days before Progress announced the vulnerability. It was not until 2 June that Sony discovered it had been affected, at which point it immediately took its MOVEit system offline.

Sony redacted the exposed information in its sample form letter to the state of Maine, so it’s not immediately clear what personal information was exposed. The Maine website says only that names “or other personal identifiers” were stolen in combination with social security numbers.

Why Sony waited so long to publicly acknowledge the breach is unclear, although it’s worth noting that this isn’t the only breach Sony is currently dealing with.

Ransomed.vc, which has recently been targeting Japanese companies, claimed to have hacked Sony and stolen 3.14GB of data from its servers – although this claim has been disputed by other hackers. Sony has since confirmed the Ransomed.vc breach, meaning that Sony’s security perimeter has now been breached twice in the last four months.

As we also reported this week, mass exploitation of a vulnerability in another piece of Progress software, WS_FTP, has reportedly begun, so expect more high-profile breaches to come.

2020 Blackbaud ransomware attack still paying dividends for regulators

Think back to 2020, and you may recall that software company Blackbaud was caught covering up a ransomware attack by paying off the perpetrators and attempting to sweep the incident under the rug.

As you might guess from the fact that we’re talking about it, it didn’t work. Blackbaud, which makes software for nonprofits and donor management, forked over $3 million to the SEC in March 2023 for failing to disclose the incident and, once it did disclose it, failing to disclose that a whole bunch of PII belonging to 13,000 customers was stolen as a result.

Now, attorneys general from all 50 states have reached yet another settlement over Blackbaud’s “deficient data security practices and inadequate response” to the incident. The total? Forty-nine and a half million dollars, split between the states.

“Companies that sell software as a service have a duty to protect it at the highest level and must be immediately forthcoming and proactive when a cyber theft occurs,” said New Jersey Attorney General Matthew Platkin of the settlement.

“We believe the FBI’s operation didn’t affect Qakbot’s phishing email delivery infrastructure, only its command and control servers,” Talos said of its findings. Despite the persistence of Qakbot’s operators, the Qakbot malware doesn’t appear to have fared as well.

“We did not see the threat actors distributing Qakbot after the infrastructure was taken down,” Talos said. “If the operators remain active, they may choose to rebuild the Qakbot infrastructure to fully resume their pre-takedown activities.”

Well, thanks for trying, FBI and international law enforcement partners.


© 2023 dailytechnewsweb.com