20 August 2021 | Asia Cyber Summary

In the spotlight this week:

  • Japan's Tokio Marine is the latest insurer to be victimized by ransomware

  • Cinobi Banking Trojan targeting Japanese crypto users via malicious ads

  • North Korean APT InkySquid infects victims using browser exploits

  • More than $97 million stolen from Liquid cryptocurrency exchange

  • Colonial Pipeline reports data breach after May ransomware attack

  • T-Mobile data breach exposed the personal info of more than 47 million people

  • This 'unique' Microsoft phishing attack uses morse code to hide its approach

Japan's Tokio Marine is the Latest Insurer to be Victimized by Ransomware

Ransomware struck Japan’s largest property and casualty insurer, Tokio Marine Holdings, at its Singapore branch, the company disclosed on Monday.

Tokio Marine said it did not have any immediate indication that any customer information was breached. Such data could be a smorgasbord for hackers who would use the data to extort victims based on their coverage amounts.

This is at least the third major insurer to disclose a ransomware attack in recent months, following CNA and AXA. And it is the second insurer just this week, with Ryan Specialty Group — fresh off launching an initial public offering — to disclose a cyber incident.

Tokio Marine said it was still trying to determine the scope of the damage and had hired an outside vendor to help. The company said it isolated the affected network, and notified local law enforcement. It did not announce when the attack occurred, or when investigators discovered the breach.

Cinobi Banking Trojan Targeting Japanese Crypto Users via Malicious Ads

The latest malvertising campaign for Japan can deploy a banking Trojan on infected Windows computers and hence, steal credentials related to crypto-currency accounts.

Analysts at Trend Micro claimed in an investigation published last week that the operation was due to a threat actor they named Water Kappa. The cybercriminal was attacking Japanese online banking customers using the Cinobi Trojan by exploiting various tricks and vulnerabilities.

The latest infection routine from Water Kappa is triggered by malware ads for Japanese animated porn games, bonus points apps, or video streaming services, with the target pages asking the victim to download the application. The malware is a ZIP file that mostly contains files from an older 2018 version of the Logitech Capture application, along with other modified files that are used to decrypt the victim's data.

More Than $97 Million Stolen From Liquid Cryptocurrency Exchange

Japanese cryptocurrency exchange Liquid announced that more than $97 million in crypto assets has been stolen in an attack on Thursday morning.

In a statement, the company said its Operations and Technology teams "detected unauthorized access of some of the crypto wallets managed at Liquid" and later discovered that a total of "approximately $91.35 million of crypto assets were moved out of Liquid wallets by an unauthorized party."

The company urged its users to refrain from depositing any crypto assets into their Liquid wallets and said they had halted all crypto withdrawals. Fiat withdrawals and deposits are still available as well as other services like trading and Liquid Earn. Liquid is still assessing how the attack happened and said it will provide continuous updates on Twitter.

Colonial Pipeline Reports Data Breach After May Ransomware Attack

Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to individuals affected by the data breach resulting from the DarkSide ransomware attack that hit its network in May.

The company says that it "recently learned" that DarkSide operators were also able to collect and exfiltrate documents containing personal information of a total of 5,810 individuals during their attack.

Impacted personal info for the affected individuals ranges from names and contact details to health and ID information.

"The affected records contained certain personal information, such as name, contact information, date of birth, government-issued ID (such as Social Security, military ID, tax ID, and driver's license numbers), and health-related information (including health insurance information)," Colonial Pipeline reveals in the data breach notification letters.

North Korean APT InkySquid Infects Victims Using Browser Exploits

Researchers recently investigated a strategic web compromise (SWC) of the website of the Daily NK (www.dailynk[.]com), a South Korean online newspaper that focuses on issues relating to North Korea.

Malicious code on the Daily NK website was observed from at least late March 2021 until early June 2021. This post provides details on the different exploits used in the SWC, as well as the payload used, which researchers called BLUELIGHT.

While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers. The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience. Attackers will still have some success, however, and maintain a good chance of avoiding detection based on the clever disguise of exploit code amongst legitimate code. This will pose challenges to the identification of exploit code, as only exploitable user-agents will be granted access to the exploit code, making it difficult to identify at scale (such as through automated scanning of websites).

T-Mobile Data Breach Exposed the Personal Info of More Than 47 million People

T-Mobile has released more information about its most recent data breach, and while the company’s findings fall short of the reported 100 million records, the numbers are staggering.

While T-Mobile did say its investigation is still ongoing, the company confirmed that records of over 40 million “former or prospective customers” who had previously applied for credit and 7.8 million postpaid customers (those who currently have a contract) were stolen. In its last earnings report (PDF), T-Mobile said it had over 104 million customers.

The data in the stolen files contained critical personal information included first and last names, dates of birth, Social Security numbers, and driver’s license / ID numbers — the kind of information you could use to set up an account in someone else’s name or hijack an existing one. It apparently did not include “phone numbers, account numbers, PINs or passwords”.

This 'Unique' Microsoft Phishing Attack Uses Morse Code to Hide its Approach

Microsoft has revealed the inner-workings of a phishing group's techniques that uses a “jigsaw puzzle” technique plus unusual features like Morse code dashes and dots to hide its attacks. The group is using invoices in Excel HTML or web documents to distribute forms that capture credentials for later hacking efforts. The technique is notable because it bypasses traditional email filter systems.

"The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments," Microsoft Security Intelligence says.

"In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show," it said.

The main aim of the attack is to acquire usernames and passwords, but it is also collecting profit data such as IP address and location to use for subsequent breach attempts. "This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls", Microsoft said.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.