Amazon-owned ‘Ring’ hacked!

Mar 21 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s the Stormy Daniels to our competitors’ Trump cards.

Today’s hottest cyber security stories:

  • The bells Ring out for Hackmas day. Amazon-owned ‘Ring’ hacked!
  • Kill(net) targets health(care)
  • Crypto-jack attack! $1.6m stolen General Bytes Bitcoin ATMs


Love them or hate them, Ring doorbells have become a fixture of front doors around the country, and indeed the world.

Someone’s knocking at your door…

Most of us can easily summon to memory that tuneless three-note beckoning call that our poor old delivery drivers probably hear in their sleep.

Well, bad news ladies and gents, they’ve been hacked and we’re sad to report, it’s the dreaded ransomware once again.

In case ‘ransomware’ isn’t ringing any bells (sorry, this is serious), it’s the latest craze that’s swept the criminal cyber-sphere wherein scammers hack into a system, either lock users out or straight up steal the data (depending on the sensitivity of said data) and essentially hold it ransom until the victim pays up.

The hackers usually demand to be paid in cryptocurrency and usually in Monero coin or, as we covered last week, Dero coin). And the worst part is, these sorts of attacks often work.

Scary stuff, especially when we’re talking about live video feeds as in the case of Ring.

So, what do we know so far about the latest attempt to extort Ring doorbell company? Well, the story is hot off the presses and still unfolding but here are the key takeaways, at time of writing:

  • Firstly, it’s technically not Ring but a third-party vendor used by Ring that’s been compromised, according to the company
  • “There’s always an option to let us leak your data,” a message posted on the ransomware group’s website reads next to Ring’s logo.
  • The ransomware group claiming responsibility for the attack is ALPHV, whose malware is known as BlackCat.
  • From an internal Amazon Slack channel: “Do not discuss anything about this. The right security teams are engaged.” Ominous but good they’re on the case!
  • Ring claims the affected third-party vendor does not have access to Ring customer records.

Welcome to 2023 folks, a time when your own doorbell’s plotting your demise, and honestly I swear the toaster’s been acting a little shifty lately. Am I being paranoid?

Hey-ho, with Ring’s security team on the case, hopefully it won’t be long before ring, ring, ring, and it’s SHUTDOWN.


We’ve covered Killnet a few times here at Gone Phishing (you tend to remember a name like that!) and, wouldn’t you know it, the Russian rapscallions are up to their old tricks again, this time with healthcare in their sights.

Killnet isn’t DDoS-ing about!

In this latest string of attacks, the infamous hacking group has been executing DDoS attacks. This stands for Distributed Denial of Service attacks and it entails flooding servers with requests until they can’t hack it anymore and basically meltdown.

These sorts of attacks are often politically motivated with no financial incentive for the perpetrators.

Killnet has been increasingly launching DDoS attacks against healthcare organizations hosted in Azure since November 2022 and they’ve become a matter of concern for U.S. law enforcement agencies.

The hacker group was established following the Russia-Ukraine war in February 2022 and spent most of the last year launching DDoS attacks against governments and organizations across the globe.

Russia’s got a bloody lot to answer for as of late! That said, we acknowledge that there’s good people everywhere and we would never judge a country by its government and/or hacking collectives.


It’s hacking on a military scale! So, what happened and what’s being done? P.S. Sorry for the depressing news today, folks; we usually try and include at least one positive story but sadly we have to go where the stories take us and today, the bad guys won.

Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software.

The company said in an advisory published over the weekend: “The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using ‘batm’ user privileges.

‘Ocean’, ‘Cloud’ – what is this the malware cycle?

“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean,” it further added.

You know what they say, there’s plenty more phish in the Digital Ocean. Sorry, we didn’t quite grasp that last bit. But perhaps some of you will!

Stay safe, friends!

So long and thanks for reading all the phish!

Recent articles