US Recovers $500,000 in Ransom Payments from North Korean Hackers

Thursday, July 21, 2022

Read also: Knauf Group hit with Black Basta ransomware, 50,000 payment cards compromised in the Magecart campaigns, and more.

US recovers $500,000 in ransom payments from North Korean hackers

The US authorities have seized nearly $500,000 paid last year as ransom by healthcare providers in Kansas and Colorado to a North Korean state-sponsored hacker group that deployed ransomware known as “Maui”.

The Kansas hospital paid approximately $100,000 in Bitcoin to the Maui ransomware group in May 2021 to restore its systems after a ransomware attack. Thanks to the victim’s cooperation with the authorities, the FBI was able to trace the cryptocurrency to China-based money launderers and track another payment of $120,000 from a health care provider in Colorado.

50,000 payment cards stolen from over 300 US restaurants in two Magecart campaigns

Payment card details of customers of at least 311 restaurants across the United States were stolen in two Magecart web-skimming campaigns targeting three online ordering platforms: MenuDrive, Harbortouch, and InTouchPOS.

Security researchers have identified over 50,000 credit card records stolen from the infected restaurants, which were put up for sale on the dark web.

The first campaign, which started on January 18, 2022, affected 80 restaurants using MenuDrive and 74 that used the Harbortouch platform and was conducted by the same Magecart threat actor. In both cases, the web skimmer was injected into the web pages of the restaurants.

A separate, unrelated Magecart campaign targeted InTouchPOS starting in November 2021, with 157 restaurants using the platform infected with an e-skimmer.

According to the researchers, both campaigns are still active.

At least 30 Thai activists targeted with the Pegasus spyware

A joint investigation conducted by Citizen Lab together with the Thai civil society groups iLaw and DigitalReach revealed that the cell phones of at least 30 activists in Thailand involved in pro-democracy protests were infected with the infamous Pegasus spyware developed by the Israel-based technology company NSO Group.

Pegasus is a proprietary tool capable of remote surveillance of smartphones. Previous reports claimed that the spyware was used to target human rights activists, journalists, and politicians in various countries.

According to Citizen Lab, in the case of the Thai activists, the infections occurred between October 2020 and November 2021, and came to light after Apple sent notifications of a possible state-backed attack to the victims’ phones. After the news broke, Thai officials admitted that the country uses surveillance software in cases involving national security or drugs.

Building supply manufacturer Knauf suffers a Black Basta ransomware attack

German building and construction material provider Knauf Group has suffered a ransomware incident, prompting the company to temporarily shut down its services.

According to a short statement on Knauf’s website, the attack occurred on June 29. The company did not provide additional information on the intrusion, but, according to news media reports, the Black Basta ransomware gang appears to be the perpetrator behind the hack. Over the weekend, the group added Knauf to the list of victims on their data leak website and published 20% of documents allegedly stolen from the company.

The published files, which have been accessed by over 350 visitors so far, included sensitive info about employees, ID scans and product documents.

Low-skilled 8220 Mining Gang expands its cloud botnet to 30K infected hosts globally

A financially motivated cryptomining group known as 8220 Gang or 8220 Mining Gang has grown its cloud botnet to nearly 30,000 infected hosts globally, up from 2,000 bots in mid-2021.

The rapid expansion of the botnet is linked to the use of Linux and common cloud application vulnerabilities and poorly secured configurations. The infection typically takes place via publicly accessible hosts running Docker, Confluence, Apache WebLogic, and Redis services.

According to the security researchers, the gang does not select its victims geographically, but rather identifies them by their internet accessibility.

Application Security Weekly is a weekly review of the most important news and events in cybersecurity, privacy and compliance. We cover innovative cyber defense technologies, new hacking techniques, data breaches and evolving cyber law.