In the Spotlight this Week:
- Shanghai’s Covid App Falls Victim to Data Breach
- China-Backed RedAlpha APT Builds Sprawling Cyber-Espionage Infrastructure
- Chinese Hackers Backdoor Chat App with New Linux, MacOS Malware
- 2000 Indian Websites Hacked in June to July, Highest Threat from the Far East
- Fake YouTube and WhatsApp Apps Hiding Malware in Google Play Store
In the latest hacking news, Shanghai’s Covid contact tracing app, Suishenma, has fallen victim to a data breach involving 48.5 million users. A hacker using the moniker ‘XJP’ posted on the online community Breach Forum offering to sell the data for USD 4000, with a sample containing the phone numbers, names, Chinese identification numbers, and health code status of 47 people.
Suishenma is a contact tracing app that is compulsory for all residents and visitors to commute and to access public transport and venues. The app collects users' travel data and produces a code that users must present to enter public spaces. The data is managed by the Chinese government; users access Suishenma through the Alipay app, owned by fintech giant and Alibaba affiliate Ant Group, and through Tencent Holdings’ WeChat app.
RedAlpha, a Chinese advanced persistent threat (APT) group, has been spying on global humanitarian, think tank, and government organizations as part of a massive phishing campaign that has been active for years. RedAlpha is well known for mass credential harvesting via email phishing, registering and weaponizing hundreds of domains that spoof legitimate organizations. The group is commonly observed directly targeting ethnic and religious minorities such as the Tibetan and Uyghur communities, protesters such as Falun Gong members, and matters related to Taiwan.
Versions of a cross-platform instant messenger application focused on the Chinese market, known as 'MiMi', have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems. Cybersecurity researchers have found Linux rshell samples dating back to June 2021, with its first victim reported in mid-July 2021.
Once deployed, the malware harvests system information, sends it to its server, and waits for commands from the APT27 threat actors. The attackers can then use the backdoor to list folders and files and to read, download, and write files on compromised systems. The backdoor also supports an upload command that instructs it to send files to its server.
Approximately 2000 websites in India were hacked during June and July alone. The attacks were initiated by the threat groups ‘Dragonforce Malaysia’ and ‘Hacktivist Indonesia’ following statements made by Nupur Sharma, a suspended Indian politician, about the Prophet Muhammad. Personally identifiable information (PII) of many other Indian political leaders was also released.
Dragonforce Malaysia is a hacking group known for carrying out politically motivated cyber attacks. The group also has a history of attacking organizations and government entities in the Middle East and throughout Asia. Dragonforce also creates open-source distributed denial-of-service (DDoS) tools such as Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more.
This incident marks the first case of religiously motivated cyber crime against India from the two Muslim-majority countries.
Cyber criminals have been found spoofing legitimate apps on the Google Play Store to trick victims into downloading malicious applications that hide malware. These include lookalikes of the YouTube, WhatsApp, Telegram, and Signal apps. The malware gives the attackers access to the victim's personal information and device details, as well as control of the device’s camera and microphone to take photos, record video, and record conversations, all while avoiding detection by antivirus software.