Medibank faces legal action in Australia over massive data breach

Following Medibank’s 2022 cyber incident, the Office of the Australian Information Commissioner (OAIC) has initiated legal proceedings against the company, alleging that the breach affected 9.7 million individuals in total: 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.

While Medibank initially blamed a third-party contractor and a ‘misconfigured firewall’ for the incident, the federal court filing revealed that the breach originated with an IT service desk operator who stored multiple account credentials on his work computer; those credentials gave the attacker a way into Medibank’s systems. The attacker retained that access for nearly two months and extracted an estimated 520GB of personal data.

The breach was aggravated by the absence of multi-factor authentication on Medibank’s GlobalProtect VPN, which meant a stolen username and password were enough on their own to log in. That gap had been flagged in reports by KPMG and Datacom in 2020 and 2021, and the OAIC has criticised Medibank for failing to address these known weaknesses promptly. Separately, the Australian government has identified the alleged perpetrator as a Russian citizen, Aleksandr Gennadievich Ermakov, and is imposing sanctions on him under its autonomous sanctions framework. The incident underlines the importance of acting on known findings, such as missing MFA on remote access, before they are exploited.

Report uncovers hackers now use emojis to command malware

Researchers from the cybersecurity firm Volexity have uncovered a cyber threat that uses the Discord messaging service for command and control (C2). The technique was discovered during a targeted attack on Indian government entities this year, in which malware named Disgomoji was deployed. The attack was attributed to a suspected Pakistani threat actor tracked as UTA0137. The group issues commands to the malware as emojis in Discord channels, a covert approach to running espionage campaigns against Indian government entities.

Disgomoji is tailored to Linux systems, specifically the custom BOSS distribution used by the Indian government. Initial access is believed to have been gained through phishing, using decoy documents as bait. Once a system was infected, the malware created a dedicated channel in the attacker’s Discord server for that victim, so the threat actor could interact with each compromised host separately.

On activation, Disgomoji performs a check-in, sending system information such as IP address, username, hostname, operating system details and current working directory to the attacker. It also installs persistence so that it survives reboots and keeps a covert presence on the compromised system. Commands are then issued through an emoji-based protocol: the operator posts an emoji in the victim’s channel, and the malware reacts with a ⏰ emoji while it executes the command and with ✅ once it has completed.
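The emoji-acknowledged command channel described above, as an added example written for this page (not Volexity’s code and not the Disgomoji sample): the victim side models the check-in fields and the ⏰/✅ reactions the report describes, and a small detector flags that pattern in a message feed. The command-marker emoji (🛠), the field names and every message in the feed are constructed assumptions.

```python
"""Emoji-acknowledged C2 pattern and a detector for it. Added illustration,
not code from the report or the malware; all messages are constructed."""
from dataclasses import dataclass, field

CLOCK = "\u23f0"    # ⏰: implant signals "command running"  (from the report)
CHECK = "\u2705"    # ✅: implant signals "command finished" (from the report)
CMD = "\U0001f6e0"  # 🛠: assumed marker an operator prefixes to a tasking


@dataclass
class Msg:
    channel: str                   # one channel per victim
    author: str
    content: str
    reactions: list = field(default_factory=list)


def checkin(info: dict) -> str:
    """Victim side: the start-up beacon carrying the fields the report lists."""
    return " | ".join(f"{k}={v}" for k, v in info.items())


def execute(msg: Msg, handler) -> Msg:
    """Victim side: react ⏰ before running the tasking and ✅ after it."""
    if not msg.content.startswith(CMD):
        return msg                 # not a tasking for us; leave it alone
    msg.reactions.append(CLOCK)
    handler(msg.content[len(CMD):].strip())
    msg.reactions.append(CHECK)
    return msg


CHECKIN_KEYS = ("ip=", "user=", "host=", "os=", "cwd=")


def detect(messages: list) -> list:
    """Defender side: flag beacon-shaped posts and ⏰->✅ reaction pairs.
    In practice the feed would come from a Discord export or a
    TLS-inspecting proxy; here it is the constructed list below."""
    alerts = []
    for m in messages:
        hits = sum(k in m.content for k in CHECKIN_KEYS)
        if hits >= 3:              # several host-identity fields in one post
            alerts.append(f"{m.channel}: beacon-shaped post by {m.author} ({hits} fields)")
        r = m.reactions
        if any(r[i] == CLOCK and r[i + 1] == CHECK for i in range(len(r) - 1)):
            alerts.append(f"{m.channel}: {CLOCK}->{CHECK} acknowledgement on '{m.content}'")
    return alerts


def simulate() -> list:
    """Run one victim channel plus benign chatter through the detector."""
    victim = "victim-7f3a"         # assumed per-victim channel name
    executed = []
    feed = [
        Msg(victim, "implant", checkin({"ip": "10.0.5.23", "user": "clerk",
                                      "host": "boss-ws01", "os": "BOSS 9",
                                      "cwd": "/home/clerk"})),
        execute(Msg(victim, "operator", f"{CMD} uname -a"), executed.append),
        Msg("general", "alice", "ip=10.0.0.1 is the printer"),   # one field only
        Msg("general", "bob", "done with the report", [CHECK]),   # ✅ alone
    ]
    assert executed == ["uname -a"]  # the tasking ran exactly once
    return detect(feed)


if __name__ == "__main__":
    for alert in simulate():
        print(alert)
```

Reactions are only visible at the Discord API layer, so this logic needs message-level telemetry rather than flow logs; on a Linux fleet that has no business with Discord, the cheaper signal is any process on a BOSS host talking to discord.com at all.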

Why does it matter?

The malware’s capabilities extended beyond basic communication, including advanced functionalities such as network scanning using tools like Nmap, network tunnelling through Chisel and Ligolo, and data exfiltration via file sharing services. Disgomoji also employed deceptive tactics, masquerading as a Firefox update to deceive victims into sharing sensitive information like passwords. 

Volexity’s attribution to a Pakistan-based threat actor was supported by various indicators, including Pakistani time zones in the malware sample, infrastructure links to known threat actors in Pakistan, the use of the Punjabi language, and the selection of targets aligned with Pakistan’s strategic interests. The detailed analysis stresses the evolving sophistication of cyber threats and the critical importance of robust cybersecurity measures to safeguard against such malicious activities.

FCC names Royal Tiger as first official AI robocall scammer gang

The US Federal Communications Commission (FCC) has identified Royal Tiger as the first official AI robocall scammer gang, marking a milestone in efforts to combat sophisticated cyber fraud. Royal Tiger has used advanced techniques like AI voice cloning to impersonate government agencies and financial institutions, deceiving millions of Americans through robocall scams.

These scams involve automated systems that mimic legitimate entities to trick individuals into divulging sensitive information or making fraudulent payments. Despite the FCC’s actions, experts warn that AI-driven scams will likely increase, posing significant challenges in protecting consumers from evolving tactics such as caller ID spoofing and persuasive social engineering.

While the FCC’s move aims to raise awareness and disrupt criminal operations, individuals are urged to remain vigilant. Tips include scepticism towards unsolicited calls, utilisation of call-blocking services, and verification of caller identities by contacting official numbers directly. Avoiding sharing personal information over the phone without confirmation of legitimacy is crucial to mitigating the risks posed by these scams.

Why does it matter?

As technology continues to evolve, coordinated efforts between regulators, companies, and the public are essential in staying ahead of AI-enabled fraud and ensuring robust consumer protection measures are in place. Vigilance and proactive reporting of suspicious activities remain key in safeguarding against the growing threat of AI-driven scams.

International Criminal Court investigates cyberattacks on Ukraine as possible war crimes

The International Criminal Court (ICC) is examining alleged Russian cyberattacks on Ukrainian civilian infrastructure as potential war crimes, marking the first instance of such an investigation by international prosecutors. According to sources, this could lead to arrest warrants if sufficient evidence is collected. The investigation focuses on cyberattacks that have endangered lives by disrupting power and water supplies, hindering emergency response communications, and disabling mobile data services used for air raid warnings.

Ukraine is actively gathering evidence to support the ICC investigation. The ICC prosecutor’s office has declined to comment on specific details, although it has previously stated that it has jurisdiction over cybercrimes and that it does not discuss ongoing cases. Since the invasion began, the ICC has issued four arrest warrants against senior Russian officials, including one against President Vladimir Putin for war crimes related to the deportation of Ukrainian children to Russia. Russia, which is not a member of the ICC, has rejected these warrants as illegitimate. Ukraine is not a member state either, but it has granted the ICC jurisdiction over crimes committed within its borders.

In March, the ICC issued arrest warrants for two Russian commanders accused of crimes against humanity for their roles in attacks on civilian infrastructure. The Russian defence ministry did not respond to requests for comment. Sources indicated that at least four major attacks on energy infrastructure are being investigated.

Why does it matter?

The ICC case could set a significant precedent in international law. The Geneva Conventions prohibit attacks on civilian objects, but there is no universally accepted definition of cyber war crimes. The Tallinn Manual, a 2017 handbook on the application of international law to cyberwarfare, addresses this issue, but experts remain divided on whether data can be considered an ‘object’ under international humanitarian law and whether its destruction can be classified as a war crime. Professor Michael Schmitt of the University of Reading, who leads the Tallinn Manual initiative, emphasised the importance of the ICC’s potential ruling on this issue. He argued that the cyberattack on Kyivstar could be considered a war crime due to its foreseeable consequences for human safety.

Qilin group claims responsibility for the cyberattack on London hospitals

The Qilin ransomware group has claimed responsibility for a cyberattack on Synnovis labs, a key partner of the National Health Service (NHS) in England. The attack, which began on Monday, has severely disrupted services at five major hospitals in London, including King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trust. The NHS declared the situation a ‘critical incident,’ noting that the full extent and impact of the attack on patient data remain unclear.

Synnovis, a prominent pathology service provider, runs over 100 specialised labs offering diagnostics for various conditions. Due to the ransomware attack, several critical services, such as blood testing and certain operations, have been postponed, prioritising only the most urgent cases. NHS England has deployed a cyber incident response team to assist Synnovis and minimise patient care disruption, though longer wait times for emergency services are expected.

The Qilin group, operating a ransomware-as-a-service model, typically targets victims via phishing emails. The attack on Synnovis has raised significant concerns about the security of healthcare systems and the reliance on third-party providers. Kevin Kirkwood from LogRhythm emphasised that the attack causes operational disruptions and undermines public trust in healthcare institutions. He called for robust security measures, including continuous monitoring and comprehensive incident response plans, to protect healthcare infrastructure better and ensure patient safety.

TikTok battles cyberattacks amid national security concerns

TikTok says it has contained a cyberattack that targeted several high-profile accounts, including those of CNN and Paris Hilton, although Hilton’s account was not compromised. The company is working with affected users to restore access and is strengthening security measures to prevent a recurrence.

The number of compromised accounts is minimal, according to TikTok, which is actively assisting those affected. The incident occurred as TikTok’s parent company, ByteDance, faced a legal battle against a US law that demands the app be sold or face a national ban by January.

The US government has raised national security concerns over Chinese ownership of TikTok. Still, the company maintains that it has taken significant steps to safeguard user data and privacy, asserting that it will not share American user information with the Chinese government.

Chinese national behind 911 S5 botnet arrested in Singapore

The US Department of Justice (DOJ) announced the arrest of a Chinese national, Wang Yunhe, in an international operation targeting cybercrime. Wang, aged 35, was apprehended in Singapore on 24 May for allegedly creating and using malware responsible for cyberattacks, large-scale fraud, and child exploitation. This arrest comes on the heels of a similar high-profile sweep last August, involving 10 Chinese citizens charged with laundering over $2 billion through Singapore.

According to the US Treasury Department, the botnet, known as ‘911 S5,’ was used by criminals to compromise personal devices to further conduct identity theft, financial fraud, and child exploitation.

The Treasury’s Office of Foreign Assets Control has now imposed sanctions on three Chinese nationals behind the platform—Yunhe Wang, Jingping Liu, and Yanni Zheng—and on three entities owned or controlled by Yunhe Wang. FBI Director Christopher Wray described the ‘911 S5’ botnet as likely the world’s largest, comprising malware-infected computers in nearly 200 countries.

According to the DOJ, Wang and unnamed accomplices developed and distributed malware that compromised millions of residential Windows computers worldwide. From 2018 to July 2022, Wang accrued $99 million from selling access to hijacked IP addresses, facilitating cybercriminals in bypassing financial fraud detection systems. These criminals committed fraud, resulting in losses exceeding $5.9 billion, including 560,000 fraudulent unemployment insurance claims.

Wang used the illicitly obtained proceeds to acquire assets globally, spanning properties in the USA, Saint Kitts and Nevis, China, Singapore, Thailand, and the UAE. His possessions included luxury sports cars, numerous bank accounts, cryptocurrency wallets, luxury watches, and 21 properties across multiple countries. Matthew S. Axelrod from the US Department of Commerce’s Bureau of Industry and Security described the case as resembling a screenplay, highlighting the extensive criminal enterprise and lavish expenditures financed by nearly $100 million in profits.

The operation is a collaborative effort led by law enforcement agencies from the US, Singapore, Thailand, and Germany. It underscores the international cooperation required to combat cybercrime effectively.

The FBI has published information at fbi.gov/911S5 to help identify and remove 911 S5’s VPN applications from infected devices.

Israeli private investigator questioned by FBI over hack allegations

An Israeli private investigator, Amit Forlit, who is wanted by the US over hack-for-hire allegations, had reportedly been questioned by FBI agents regarding his work for the Washington public affairs firm DCI Group, according to sources familiar with the matter. This revelation sheds light on a broader US probe into cyber-mercenary activities, suggesting a deeper investigation than previously acknowledged.

Forlit was arrested at London’s Heathrow Airport on 30 April on cybercrime and wire fraud charges related to a ‘hack for hire scheme’ allegedly conducted on behalf of various clients. Following a procedural error by British authorities, he was released two days later but was rearrested on the same charges on Thursday. Forlit has since been released on bail, with conditions including surrendering his passport and remaining in the country.

Despite Forlit’s denial of commissioning or paying for hacking, his connection to convicted Israeli private investigator Aviram Azari, who was sentenced last year, raises questions. Forlit allegedly expressed concern about potential arrest by American law enforcement following Azari’s case. Additionally, Forlit is facing a separate lawsuit in New York federal court over allegations of email theft in 2016, although he denies any involvement. Court records suggest Forlit had business ties with DCI Group, further implicating him in the ongoing investigations.

FCC proposes $6 million fine for scammer impersonating US President Biden in robocalls

The FCC has proposed a $6 million fine against a scammer who used voice-cloning technology to impersonate US President Biden in a series of illegal robocalls during the New Hampshire primary election. This incident serves as a stern warning to other potential high-tech scammers about the misuse of generative AI in such schemes. In January, many New Hampshire voters received fraudulent calls mimicking President Biden, urging them not to vote in the primary. The voice-cloning technology, which has become widely accessible, enabled this deception with just a few minutes of Biden’s publicly available speeches.

The FCC and other law enforcement agencies have made it clear that using fake voices to suppress votes or for other malicious activities is strictly prohibited. Loyaan Egal, the chief of the FCC’s Enforcement Bureau, emphasised their commitment to preventing the misuse of telecommunications networks for such purposes. The primary perpetrator, political consultant Steve Kramer, collaborated with Life Corporation and the telecom carrier Lingo, among others, to execute the robocall scheme.

While Kramer faces violations of several rules, there are currently no criminal charges against him or his associates. The FCC’s power is limited to civil penalties, requiring cooperation with local or federal law enforcement for further action. Although the $6 million fine represents a significant penalty, the actual amount paid may be lower due to various factors. Kramer has the opportunity to respond to the allegations, and additional actions are being taken against Lingo, which could lead to further fines or the loss of licenses.

Following this case, the FCC officially declared in February that AI-generated voices are illegal to use in robocalls. This decision underscores the agency’s stance on generative AI and its potential for abuse, aiming to prevent future incidents of voter suppression and other fraudulent activities.

North Korea’s alleged $147.5 million crypto laundering revealed by UN

According to confidential findings by UN sanctions monitors, North Korea utilised the virtual currency platform Tornado Cash to launder $147.5 million in March, following its theft from a cryptocurrency exchange last year. The monitors revealed to a UN Security Council sanctions committee that they had been investigating 97 suspected cyberattacks by North Korea on cryptocurrency companies between 2017 and 2024, totalling approximately $3.6 billion.

As can be seen in these confidential findings, one notable incident involved the theft of $147.5 million from the HTX cryptocurrency exchange late last year, which was then laundered in March. The monitors cited information from crypto analytics firm PeckShield and blockchain research firm Elliptic. In 2024 alone, they investigated 11 cryptocurrency thefts valued at $54.7 million, suggesting possible involvement by North Korean IT workers hired by small crypto-related companies.

North Korea, officially known as the Democratic People’s Republic of Korea (DPRK), has faced UN sanctions since 2006, aimed at curbing funding for its ballistic missile and nuclear programs. The US has previously sanctioned Tornado Cash over alleged support for North Korea, with two co-founders charged with facilitating money laundering. Virtual currency ‘mixer’ platforms like Tornado Cash blend cryptocurrencies to obscure their source and ownership.

Additionally, the monitors highlighted ongoing concerns about illicit arms trade between North Korea and Russia, with suspected shipments between North Korea’s Rajin port and Russian ports. There were also reports of North Korean cargo ships offloading coal in Chinese waters, potentially evading sanctions. Both China and Russia declined to comment on the monitors’ findings.