Asia Cyber Summaries

27 Jan 2023 | Asia Cyber Summary

In the spotlight this week:

  • Tensions Flare Again as South Korea Investigates Chinese Cyber Attacks
  • North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyber Attacks
  • Riot Games Receives Ransom Demand From Hackers, Refuses To Pay
  • Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages
  • US Says It 'Hacked The Hackers' To Bring Down Ransomware Gang, Helping 300 Victims

Tensions Flare Again as South Korea Investigates Chinese Cyber Attacks

South Korean authorities have accused China of conducting cyberattacks against a number of regional academic institutions, which could be the latest escalation in tensions that have recently been heightened by a visa dispute over stricter COVID travel restrictions. According to a police official, a string of attacks over the four-day Lunar New Year holiday that ended Tuesday disrupted access to the websites of at least 12 academic groups, prompting police to launch a formal investigation into the matter on Wednesday. The Chinese group Xiaoqiying, which took credit for the attacks, claimed on Telegram that it had hacked into 79 websites and threatened to publish personal data stolen from them; police have not yet verified this claim. The group, which has a clear anti-South Korean agenda, had announced that it would target 2,000 websites controlled by the South Korean government. The hackers categorically deny any affiliation with the Chinese government.

North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyber Attacks

APT38, a North Korean nation-state group known for crypto heists, has been implicated in a recent rash of malicious email attacks as part of a "sprawling" credential harvesting operation that targets various industry verticals, signaling a significant shift in its tactics. The advanced persistent threat stands out from other state-sponsored organizations in that its activities are driven by money and intended to bring in illegal income for the Hermit Kingdom rather than carrying out espionage and data theft. However, more recent campaigns in early December 2022 saw a "significant deviation," in which the phishing messages instructed the recipients to click on a URL that led to a credential harvesting page. The email blast, which abused email marketing tools like SendGrid to distribute the phishing links, targeted several verticals besides the financial sector, including education, government, and healthcare, in the U.S. and Canada.

Riot Games Receives Ransom Demand From Hackers, Refuses To Pay

Riot Games says it will not pay a $10 million ransom demanded by attackers who stole League of Legends source code in last week's security breach. While inside Riot Games' computer systems, the threat actors took the source code for the Teamfight Tactics (TFT) auto battler game, a legacy anti-cheat platform, and the League of Legends (LoL) multiplayer online battle arena. According to the game developer, the stolen source code also includes some features that are currently in development and may never be released.

Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages

Over 4,500 WordPress websites have been infected as part of a large-scale campaign that has reportedly been ongoing since at least 2017. The infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track[.]violetlovelines[.]com" that's designed to redirect visitors to malicious sites. When unsuspecting users land on one of the hacked WordPress sites, a redirect chain is triggered by means of a traffic direction system, landing the victims on pages serving sketchy ads about products that ironically block unwanted ads.
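As an added defender-side example (not code from the summary or from the campaign itself), the scanner below walks a WordPress install and flags `<script src>` tags that point at the domain quoted above, plus a crude heuristic for the kind of obfuscated inline JavaScript such injections typically carry. The file extensions checked and the sample infected template are constructed assumptions.

```python
import re
from pathlib import Path

# Indicator quoted in the summary, defanged there; refanged here for matching.
INJECT_DOMAIN = "track[.]violetlovelines[.]com".replace("[.]", ".")

# External script tag: capture the host part of the src URL.
SCRIPT_SRC = re.compile(r"""<script[^>]+src=["']?(https?:)?//([^/"'\s>]+)""", re.I)
# Heuristic for obfuscated inline JS (constructed; tune for your site's own code).
OBFUSCATION = re.compile(r"""eval\s*\(\s*String\.fromCharCode|unescape\s*\(\s*['"]%""", re.I)


def scan_text(text, known_domains=(INJECT_DOMAIN,)):
    """Return a list of (finding_type, detail) tuples for one file's contents."""
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        host = m.group(2).lower()
        if host in known_domains:
            findings.append(("known_domain", host))
    if OBFUSCATION.search(text):
        findings.append(("obfuscated_js", None))
    return findings


def scan_tree(root, exts=(".php", ".js", ".html")):
    """Scan theme/plugin files under root; map path -> findings for files that hit."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = scan_text(text)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample resembling a theme footer with an injected loader and obfuscated stub.
SAMPLE_INFECTED = """<?php get_header(); ?>
<script type="text/javascript" src="https://track.violetlovelines.com/js/main.js"></script>
<script>eval(String.fromCharCode(118,97,114));</script>
"""
SAMPLE_CLEAN = '<script src="https://cdn.example.com/jquery.min.js"></script>'

if __name__ == "__main__":
    print(scan_text(SAMPLE_INFECTED))  # both findings
    print(scan_tree("/var/www/html/wp-content"))  # assumed WordPress path
```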

US Says It 'Hacked The Hackers' To Bring Down Ransomware Gang, Helping 300 Victims

In a move that prevented the group from extorting more than USD 130 million in ransom demands from more than 300 victims, the FBI revealed it had covertly hacked and disrupted a successful ransomware gang known as Hive. The bureau did this by breaking into Hive's network and covertly obtaining the decryption keys for victims' data. It was then able to alert victims in advance so they could take steps to protect their systems before Hive demanded payment. News of the takedown first emerged on Thursday morning when Hive's website was replaced with a flashing message that said: "The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware." Hive's servers were also seized by the German Federal Criminal Police and the Dutch National High Tech Crime Unit.
