TikTok celebrity accounts targeted

Jun 06 2024

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s trending like #OnlyFans 🍆🍑💦

Today’s hottest cybersecurity news stories:

  • ⏰ TikTok celebrity accounts targeted by zero-click attacks ⚔️

  • ⚔️ Knight ransomware 2.0 is hitting up healthcare, business 👨‍💻

  • 🍜 SE Asian governments targeted by Chinese-backed hackers 🐉

⏰ Clock ticks TikTok on zero-click d*cks 💀

🚨 TikTok Faces Zero-Click Security Breach 🔓

TikTok has acknowledged a security flaw exploited by threat actors to hijack high-profile accounts. The breach involves a zero-click takeover, where malware spread via direct messages compromises accounts without user interaction.

📉 Scope and Response

The exact number of affected users is unknown. However, TikTok has implemented preventive measures to stop the attack and prevent future occurrences. The company is working with affected users to restore access, asserting that only a "very small" number of accounts were compromised. Details about the attack and mitigation techniques remain undisclosed.

🔒 Past Security Issues

TikTok has faced several security challenges:

January 2021: Check Point identified a flaw enabling attackers to compile user databases and phone numbers.

September 2022: Microsoft discovered a one-click exploit in TikTok's Android app allowing account takeovers via specially crafted links.

Turkey Incident: 700,000 accounts compromised due to insecure SMS greyrouting, allowing adversaries to intercept one-time passwords.

📱 Ongoing Concerns

Malicious actors continue to exploit TikTok, using challenges like the Invisible Challenge to distribute information-stealing malware. TikTok’s Chinese ownership raises concerns about data privacy and propaganda, prompting legislative actions and bans.

🌍 Global Impact

Legal Actions: TikTok is challenging a U.S. law requiring divestment from ByteDance, citing free speech violations.

Bans: Countries like India, Nepal, and Kyrgyzstan have banned TikTok. The U.S., U.K., Canada, Australia, and New Zealand restrict its use on government devices.

TikTok continues to navigate security vulnerabilities and international scrutiny as it works to secure its platform and user data.

Triggering Knight or flight responses from targeted organisations 😬

🚨 RansomHub: The Evolution of Knight Ransomware 🛡️

RansomHub, a rebranded version of Knight ransomware (formerly Cyclops), has been identified as an updated threat in the cybersecurity landscape. Knight ransomware first appeared in May 2023, using double extortion to steal and encrypt data across multiple platforms, including Windows, Linux, macOS, ESXi, and Android.

📉 Distribution and Evolution

Knight ransomware was initially promoted on the RAMP cybercrime forum and spread through phishing and spear-phishing campaigns. In February 2024, its source code was sold, likely leading to its rebranding as RansomHub. The new strain quickly launched attacks on Change Healthcare, Christie’s, and Frontier Communications, among others.

🔒 Shared Characteristics and New Features

Both Knight and RansomHub ransomware are written in Go and use Gobfuscate for obfuscation. They share similar command-line help menus, ransom notes, and encryption techniques. RansomHub introduces a new "sleep" command, allowing the ransomware to remain dormant before execution, a feature seen in other ransomware families like Chaos/Yashma and Trigona.

βš™οΈ Tactics and Tools

RansomHub uses known security flaws like ZeroLogon to gain initial access, deploying remote desktop software such as Atera and Splashtop before executing ransomware. The strain has been linked to 26 confirmed attacks in April 2024, trailing behind other ransomware groups like Play and Black Basta.

💼 Recruitment and Expertise

Google-owned Mandiant reports that RansomHub is recruiting affiliates from recently shut down groups like LockBit and BlackCat. Veteran cybercriminals with extensive experience are believed to be behind RansomHub’s rapid establishment and operations.

📈 Rising Ransomware Activity

Ransomware incidents surged in 2023, with many new variants like BlackSuit, Fog, and ShrinkLocker. One-third of these new families are variants of older ransomware, highlighting code reuse and rebranding trends. Most ransomware deployments occur outside work hours, with 76% happening early in the morning, and attackers increasingly use legitimate tools to evade detection.

🚀 Advanced Techniques

ShrinkLocker, another emerging ransomware, uses VBScript and BitLocker for file encryption, targeting countries like Mexico, Indonesia, and Jordan. This strain manipulates partition sizes to create new boot partitions, demonstrating a deep understanding of Windows internals.

RansomHub’s emergence underscores the evolving and persistent threat posed by ransomware, necessitating robust cybersecurity measures and constant vigilance.

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌍

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🐊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

It’s an Asian invasion 😳

🚨 Crimson Palace: Chinese Espionage Targets Southeast Asian Government 🕵️‍♀️

A high-profile government organisation in Southeast Asia has been the target of a "complex, long-running" Chinese state-sponsored cyber espionage operation, codenamed Crimson Palace. Sophos researchers detailed this sophisticated campaign aimed at cyberespionage to support Chinese state interests.

🌏 Suspected Target and Objectives

While the exact country remains undisclosed, it's speculated to be the Philippines due to ongoing territorial conflicts with China. The campaign's goals include maintaining access to critical IT systems, performing reconnaissance on specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications.

🔗 Intrusion Clusters

Crimson Palace consists of three intrusion clusters with some activities dating back to March 2022:

● Cluster Alpha (Mar 2023 – Aug 2023): Shares tactics with BackdoorDiplomacy, REF5961, Worok, and TA428.

● Cluster Bravo (Mar 2023): Commonalities with Unfading Sea Haze.

● Cluster Charlie (Mar 2023 – Apr 2024): Overlaps with Earth Longzhi, a subgroup within APT41.

Sophos believes these clusters are part of a coordinated campaign directed by a single organisation.

πŸ›‘οΈ Malware and Techniques

The attack features undocumented malware like PocoProxy and an updated EAGERBEE, alongside known families such as NUPAKAGE, PowHeartBeat, RUDEBIRD, DOWNTOWN (PhantomNet), and EtherealGh0st (CCoreDoor). Notable techniques include DLL side-loading and overwriting DLL in memory to evade detection.

πŸ” Cluster Activities

Cluster Alpha: Focused on mapping server subnets, enumerating admin accounts, and Active Directory reconnaissance.

Cluster Bravo: Used valid accounts for lateral movement and dropped EtherealGh0st.

Cluster Charlie: Used PocoProxy for persistence and HUI Loader to deliver Cobalt Strike.

These clusters reflect the coordinated operations of distinct actors with shared objectives and tools.

βš™οΈ Chinese Cyber Threats

The disclosure follows reports of APT41 (aka Brass Typhoon, HOODOO, Winnti) targeting Italian organisations with KEYPLUG malware, a potent tool supporting multiple network protocols for C2 traffic.

🚨 Global Implications

The Canadian Centre for Cyber Security has warned of increasing Chinese state-backed attacks targeting government, critical infrastructure, and R&D sectors. Chinese cyber threat activity is noted for its volume, sophistication, and broad targeting, utilising techniques like compromised SOHO routers and living-off-the-land tactics to avoid detection.

This detailed analysis of Crimson Palace underscores the persistent and evolving threat of state-sponsored cyber espionage, highlighting the need for robust cybersecurity measures and vigilant monitoring.

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!