
New Phishing Scam Uses Authentic PayPal Address: Cyber Security Today February 26, 2025

Feb 26, 2025, 10 min

Episode description

In this episode, host Jim Love covers a $1.5 billion Ethereum heist attributed to the North Korean Lazarus Group, Google's shift from SMS to QR codes for multifactor authentication, a massive botnet targeting Microsoft 365 accounts, and new phishing scams exploiting PayPal's address feature. Tune in for essential insights into the latest cybersecurity threats and measures.

00:00 Introduction and Announcements
00:18 Record-Breaking $1.5 Billion Cryptocurrency Heist
03:06 Google Enhances Security with QR Codes
04:55 Massive Botnet Targets Microsoft 365 Accounts
07:10 Scammers Exploit PayPal's New Address Feature
08:58 Cybersecurity Best Practices and Conclusion

Transcript

Hey, just a heads up, I'm off on holiday for the next week. I have a long weekend of nothing but playing and writing music. I should have the weekend show prerecorded, but there will be no Friday or Monday podcast. I'll be back on March 5th with our regular show. $1.5 billion ByBit heist attributed to North Korean Lazarus Group. Google replaces SMS authentication with QR codes to enhance security.

Massive botnet targets Microsoft 365 accounts with stealthy password-spraying attacks, and scammers exploit PayPal's new address feature to send phishing emails. This is Cybersecurity Today. I'm your host, Jim Love. In a record-setting cyber heist, approximately $1.5 billion in Ethereum was stolen from the cryptocurrency exchange ByBit. Investigations have linked the attack to North Korea's notorious Lazarus Group.

The breach occurred during a routine transfer of Ethereum from ByBit's cold wallet to a warm wallet. Now, for those who don't know, and I might be oversimplifying, cold wallets are offline storage, often kept isolated from the internet except for transfers of this type to the warm wallets that are used for regular transactions.

Now, somehow the attackers manipulated the user interface, making it appear that the funds were being sent to the correct address, but they altered the underlying smart contract logic, redirecting the assets to an address under their control. Security firm Check Point suggests that the hackers might have compromised devices of multisig signers, those authorized to approve transactions, possibly through malware, phishing, or even supply chain attacks. ByBit has assured its users that their assets remain secure and that the company maintains full solvency. To date, nearly $43 million of the stolen funds have been recovered thanks to the swift action of various cryptocurrency services, who froze the illicit assets, and ByBit has also launched a recovery bug bounty program offering up to 10% of the reclaimed amount to individuals who assist in retrieving the stolen funds.

Multiple cybersecurity firms and experts have attributed the heist to the Lazarus Group, a hacking collective with strong ties to the North Korean government. This group has a notorious history of executing significant cryptocurrency thefts, often to fund state activities. So this incident underscores the vulnerabilities inherent in digital asset platforms, even those employing cold wallets and multisignature authorization.

It highlights the necessity for continuous advancements in security protocols to safeguard against increasingly sophisticated cyber threats. Not only do these exchanges have to revisit their security infrastructure, the speed at which these stolen assets can be transferred and laundered requires some means of ensuring collaboration and maybe even policing these various exchanges. Google is phasing out SMS text messages for multifactor authentication in favor of more secure QR codes.

The change aims to address the security vulnerabilities associated with SMS-based authentication. Introduced in 2011, SMS-based one-time passcodes have been a staple for Gmail users. However, the method has faced criticism due to security concerns. Attackers have exploited weaknesses in the Signaling System 7 protocol to intercept SMS messages, and SIM swapping attacks have allowed fraudsters to hijack phone numbers, gaining unauthorized access to accounts.

In 2016, the National Institute of Standards and Technology, or NIST, recommended discontinuing SMS for multifactor authentication due to these vulnerabilities. Beyond security issues, SMS authentication has been susceptible to traffic pumping schemes. In these scams, malicious actors generate unnecessary SMS messages to numbers they control, incurring significant costs for service providers.

Elon Musk reportedly highlighted this issue in 2024, noting that such schemes cost Twitter $60 million annually in SMS fees. So to combat these challenges, Google will implement QR code-based authentication over the next few months. Instead of receiving a six-digit code via SMS, users will scan a QR code with their smartphone's camera app to verify their identity. This method reduces reliance on potentially vulnerable SMS channels and enhances overall account security.

While SMS may still be used in certain scenarios for identity confirmation, the primary authentication process will transition to QR codes. A botnet comprising over 130,000 compromised devices is executing a large-scale password spraying attack against Microsoft 365 accounts, exploiting non-interactive sign-ins with basic authentication. This allows attackers to bypass multifactor authentication and evade detection by security teams.

Non-interactive sign-ins operate in the background to keep users logged in for things like mobile applications, web applications, and across multiple webpages and even desktop apps that require continuous access to cloud resources.

We don't see them and we don't think about them, but those that pass just a text for a login are inherently insecure, and password spraying involves attempting common passwords across numerous accounts, aiming to gain unauthorized access without triggering account lockouts. Now, by utilizing these non-interactive sign-ins, the process where automated systems authenticate without direct user input, attackers can perform high-volume attempts undetected.

The tactic is particularly concerning as it can bypass MFA and conditional access policies even in well-secured environments. The infrastructure supporting this botnet includes command and control servers hosted in the United States, with proxies operated through cloud providers linked to China.

The botnet systematically uses stolen credentials from info stealer logs to target a wide range of M365 accounts, minimizing account lockouts while maximizing the probability of compromise. SecurityScorecard, who detected and reported this activity after inspecting the failed logins, says, "As we have seen direct evidence of this behavior in our non-interactive sign-in logs, we encourage anyone operating an M365 tenant to immediately verify whether they're affected and, if so, to rotate credentials belonging to any organization accounts in the logs." Microsoft, who began replacing basic authentication in 2021, say they will have it fully replaced by September 2025. Cyber criminals have found a way to misuse PayPal's new address feature, sending legitimate-looking emails from [email protected] to unsuspecting users. In fact, they use this actual address to get by automated checking.

These emails falsely confirm the addition of a new shipping address and mention a high-value purchase. An example is usually something like a MacBook M4. That's enough to get people concerned, and recipients are urged to call a provided phone number if they did not authorize the transaction. When you get the person on the line, you'd be tricked into downloading a software program, which leads to your eventual compromise. But how did they do this?

The folks at BleepingComputer dug into it and found that scammers log into their own PayPal accounts, and they add a new shipping address in the address fields. They insert the fraudulent message about a high-value purchase and include a phone number controlled by the scammer. PayPal automatically sends a confirmation email to the scammer's registered email address, acknowledging the addition of the new address. Now, here's where they've been really clever.

The scammer's email account is set to automatically forward confirmation emails to a mailing list of potential victims. Now, since the original email comes directly from PayPal servers, it appears authentic and bypasses spam filters and other protection. Concerned recipients, believing their account has been compromised, call the provided phone number, and then scammers use that to gain remote access to the victim's device under the guise of assisting with account security.

Now, this is a pretty tough one to spot, but it could be avoided if proper cybersecurity vigilance was in place. Our colleagues need to be trained. You never use the number provided in an email, nor do you follow a link in an email. You always go back directly to the real app or service, and of course, nobody should ever be allowed to be talked into loading software onto their machine unless they are absolutely certain it's legitimate.

There's a saying in carpentry, which is "measure twice, cut once," and that maybe could be applied to cybersecurity. Validate twice before you do anything, and if it feels vaguely uncomfortable, validate again. And that's our show. Remember, I'll be off till mid next week, but I'll talk to you again next Wednesday morning, fresh and back from the Land of Rock and Roll. I'm your host, Jim Love. Thanks for listening.
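The botnet segment recommends checking non-interactive sign-in logs for the spray pattern and rotating the credentials of any accounts that appear in them. The script below is an added example, not code from the show or from SecurityScorecard or Microsoft: it runs over a constructed batch of sign-in records whose field names and legacy-protocol labels are assumed to mirror Entra ID sign-in log properties, and flags source IPs whose bad-password failures spread across many accounts inside a short window, which is what keeps per-account lockout counters quiet.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Field names and the clientAppUsed values for legacy (basic-auth) protocols
# mirror Entra ID sign-in log properties; treat that mapping as an assumption.
LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password

def rec(ts, upn, ip, app, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "clientAppUsed": app, "errorCode": code}

# Constructed sample: one source touches six accounts once each over legacy
# protocols (a spray) and then logs in as one of them; the other source is a
# user mistyping a password twice in a browser before succeeding.
SAMPLE_LOGS = [
    rec("2025-02-24T03:00:01Z", "alice@example.com", "203.0.113.5", "Other clients", BAD_PASSWORD),
    rec("2025-02-24T03:03:10Z", "bob@example.com", "203.0.113.5", "IMAP4", BAD_PASSWORD),
    rec("2025-02-24T03:06:42Z", "carol@example.com", "203.0.113.5", "Other clients", BAD_PASSWORD),
    rec("2025-02-24T03:09:05Z", "dave@example.com", "203.0.113.5", "IMAP4", BAD_PASSWORD),
    rec("2025-02-24T03:12:30Z", "erin@example.com", "203.0.113.5", "Other clients", BAD_PASSWORD),
    rec("2025-02-24T03:15:58Z", "frank@example.com", "203.0.113.5", "Other clients", BAD_PASSWORD),
    rec("2025-02-24T03:16:20Z", "frank@example.com", "203.0.113.5", "Other clients", 0),
    rec("2025-02-24T03:01:00Z", "bob@example.com", "198.51.100.7", "Browser", BAD_PASSWORD),
    rec("2025-02-24T03:01:20Z", "bob@example.com", "198.51.100.7", "Browser", BAD_PASSWORD),
    rec("2025-02-24T03:01:45Z", "bob@example.com", "198.51.100.7", "Browser", 0),
]

def _ts(r):
    return datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_spray_sources(records, window=timedelta(minutes=30), min_accounts=5):
    """One finding per source IP whose bad-password failures hit at least
    `min_accounts` distinct accounts inside `window`. A spray guesses once or
    twice per account, so lockout counters stay quiet; the tell is breadth."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append(r)
    findings = []
    for ip, rs in by_ip.items():
        fails = sorted((r for r in rs if r["errorCode"] == BAD_PASSWORD), key=_ts)
        start = 0
        for end in range(len(fails)):
            while _ts(fails[end]) - _ts(fails[start]) > window:
                start += 1  # slide the window forward
            if len({r["userPrincipalName"] for r in fails[start:end + 1]}) >= min_accounts:
                break
        else:
            continue  # no window reached the threshold: not a spray source
        legacy = sum(r["clientAppUsed"] in LEGACY_APPS for r in fails)
        # accounts_succeeded: a success from a spray source, rotate these first
        findings.append({"ip": ip, "legacy_auth_share": round(legacy / len(fails), 2),
                         "accounts_targeted": sorted({r["userPrincipalName"] for r in rs}),
                         "accounts_succeeded": sorted({r["userPrincipalName"] for r in rs if r["errorCode"] == 0})})
    return findings
```

On the sample the spraying source is reported with a legacy-auth share of 1.0 and one account that later succeeded, while the browser user who mistyped twice is not flagged.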

Transcript source: provided by creator in RSS feed.