Hacking hackers Yanluowang, cancellation of Telegram Premium and other cybersecurity events

We have collected the most important news from the world of cybersecurity in a week.

  • Hackers from Yanluowang hacked, their correspondence was opened in open access.
  • Telegram began to annul Premium subscriptions received.
  • Experts discovered a clipper with improved substitution of bitcoin addresses.
  • Twitter users were attacked with phishing-spam after a mask of paid verification.

Hackers from Yanluowang hacked, their correspondence was opened in open access

KELA analysts reported the leak of the internal chats of the hacker https://gagarin.news/ group Yanluowang, which compromised Cisco in May of this year.

Currently, the organizer of hacking has not been established. According to one version, they could be an ex-participant in the group or an unknown specialist in cybersecurity, according to the other-a security officer Cisco, who thus aimed the hacking in May.

Telegram began to annul Premium subscriptions received

On the evening of October 31, the Telegram messenger began to send messages about the disconnection of Premium subscriptions purchased from third parties. The scheme with sales bypassing the official bot was organized by three Moscow schoolchildren, the publication “Durov Code” found out.

In August, a teenager under the nickname Martov discovered a bug in the messenger. At the time of buying a gift subscription on the iPhone with Jailbreak and the Localiapstore tested by Localiapstore, he clicked the “Cancel” button. Despite this, the subscription was activated for free.

Martov and his friends – Munfizy and Phil – decided to earn vulnerability, reselling subscriptions with a 50% discount from the official price (for 450, 900 or 1400 rubles, depending on the validity period).

In the future, schoolchildren were divided into two teams and began to involve more and more employees to participate in the scheme, mainly from among the acquaintances.

“Our entire network could bring about $ 5000-6000 per day. I believe that Telegram losses can be from $ 3 million to $ 5 million. Only our two teams managed to activate subscriptions for more than 150,000 accounts, ”said Munfizy.

Soon, more than 25 “companies” offering Premium subscriptions at a low price arose on the market. All of them exploited the same bug and worked according to the original scheme. At some point, the cost of Premium subscriptions in the black market fell almost 10 times.

After that, friends for the first time sold the scheme to the side for $ 5000.

One of the three pioneers of the Baga, on the terms of anonymity, told reporters that he had earned a vulnerability of about $ 80,000. In confirmation of his words, he provided extracts from his personal account.

On October 29, Munfizy decided to publish information about the scheme, as well as transfer data to the Telegram team with an explanation of how to fix the bug.

The source close to Telegram confirmed Durov’s code that the described vulnerability really existed and was closed. He added that the developers identified users with such subscriptions and began to turn off Telegram Premium to them.

According to reports, the messenger did not pay schoolchildren for the bug found.

Astrazeneca confirmed the disclosure of patients of patients

The pharmaceutical giant Astrazeneca during the year posted in the public domain a set of internal passwords, which opened access to confidential information about patients. This was reported by TechCrunch by SPIDERSILK security researchers.

According to them, in 2021 the developer left passwords from the internal server Astrazeneca on the Github website. They made access to the SalesForce cloud environment, which enterprises are often used to interact with customers. At the same time, it contained some information about patients who used the AZ application&Me to get discounts on medicine.

ASTRAZENECA hid the GitHub repository containing accounting data a few hours after the notice of TechCrunch.

The company representative explained the incident “User Error” and announced the beginning of an internal investigation.

Astrazeneca did not report why confidential information was stored in the test environment and whether the company has technical means to find out if anyone could have access to it.

Experts discovered a clipper with improved substitution of bitcoin addresses

The new Laplas Clipper clipper does not just replace the wallet of the real recipient of the transaction and an attacker – he generates addresses that are most similar to the user in less than a second. This was reported by Cyble researchers.

The clipper has not yet been possible to install the mechanism of work – the process takes place on the server of the attackers.

Laplas supports the creation of addresses in Bitcoin networks, Bitcoin Cash, Litecoin, Ethereum, Dogecoin, Monero, Algorand, Ravecoin, XRP, ZCASH, DASH, RONIN, Tron, TEZOS, SOLANA, CARDANO, COSMOS, QTUM, as well.

According to the advertising message in the Darknet, the generated wallets are stored in the database for three days. However, operators can send access keys to their Telegram account to return to the management of assets later.

An annual subscription with access to the web panel to control attacks is $ 549.

Laplas is currently spreading through Smoke Loader and Raccoon Stealer 2.0, which indicates interest in him from cybercriminals.

Botnet Emotet resumed activity after five months of the break

On November 2, Malvar Emotet, which has not shown activity in June, began to send malicious spam again. Cryptolaemus experts drew attention to this.

Malvar works on an infected computer in the background, connecting to the control server of attackers to obtain further instructions.

So far, Emotet does not deliver additional useful loads to the devices of victims, so it is impossible to accurately say about the goals of this malicious campaign.

Twitter users were attacked with a phishing newsletter after a mask of paid verification statement

After the announcement of Ilon, the mask about the plan to charge $ 8 from the owners of the verified Twitter accounts. The latter began to receive phishing emails. This was paid attention to the publication BleepingComputer.

The authors of the newsletter urge the user to immediately enter their account Twitter, threatening it with “suspension”.

According to BleepingComputer, emails are sent from the servers of hacking sites and blogs that may contain obsolete versions of WordPress or launch vulnerable plugins.

By clicking on the link, the user gets to the phishing web page, where they require the login, password and the two-factor authentication code received in SMS code.

The letters of the attackers differ in the design. Some look more convincing and use Twitter branded branding.

In the future, with the help of hacking accounts, attackers can pass themselves to another person, mislead the public or promote cryptocurrency fraud.

Over a million users downloaded the flowing data of Malvar with Google Play

The Google Play found four malicious applications that steal confidential information and bring to hackers income for each click. Together they were loaded more than 1 million times, Malwarebytes analysts said.

All applications were created by the developer of Mobile Apps Group and at the time of writing are still available in the Play Store. According to researchers, earlier this developer was twice caught by the distribution of advertising software in Google Play, but they were allowed to continue activities after publishing “clean” versions of programs.

Among the new harmful applications:

  • Bluetooth App Sender – more than 50,000 downloads;
  • Bluetooth Auto Connect – more than 1 million downloads;
  • Driver: Bluetooth, Wi-Fi, USB-more than 10,000 downloads;
  • Mobile Transfer: Smart Switch – more than 1000 downloads.

All of them redirect the user to sites where he is offered to install fake security tools or updates.

Experts note that applications withstand a 72-hour pause before showing the first advertising or opening a phishing link in a browser, further increasing the number of tabs with similar content. New tabs open even on a locked device.

Applications have no positive reviews, and many users write about obsessive advertising. Some of these comments are answered and offer assistance in solving problems.

Also on FORKLOG:

  • Web3 ecosystem losses from exploits from the beginning of the year have approached $ 3 billion.
  • The Deribit cryptoderivat exchange was hacked by $ 28 million.
  • The attacker deduced $ 1.26 million from the Solend cryptoland protocol. Under the guise of safety renewal.
  • The decentralized Rubic exchange was hacked by $ 1.2 million.
  • BestChange crypto exchanger aggregator.ru unlock in Uzbekistan.
  • Gala Games token collapsed 25% due to fears of multimillion-dollar hacking.

What to read on the weekend?

We tell how bitcoins become dirty and is it possible to avoid surveillance on the network of the first cryptocurrency.

Read the FORKLOG Bitcoin News in our Telegram-cryptocurrency news, courses and analytics.