Forcepoint Security News: REvil Group Taken Offline by Feds, Attacker Activities and a VPN Company Exposes Data
Editor's Note: Welcome to this issue of Forcepoint Security News. It's curated news meant to provide a quick look at what's happening around the cybersecurity industry.
Here are the top security stories from recent weeks:
- REvil Ransomware Gang Taken Offline (Again) by FBI
- DarkSide Moves to Cash Out $7m in Bitcoin
- Acer Confirms Second Cyberattack Within a Week of Previous Attack
- Quickfox VPN Exposes Data of 1 Million Users
- FIN7 Attempts to Hire Real Security Professionals to Carry Out Cyberattacks
Ransomware-as-a-service group REvil has shut down for a second time this year after the FBI and multi-country intelligence agencies hacked the group’s Tor payment portal and Happy Blog leak site. REvil shut down the first time in July after their ransomware attack on software management company Kaseya. This time, government officials used a ransomware tactic against the group: compromising REvil’s backups. The gang unwittingly restored their websites from a backup last month without realizing internal systems were already being controlled by law enforcement.
Following REvil’s infrastructure takedown by law enforcement operations, DarkSide began moving 107 bitcoins, valued at just under $7 million, from their wallet. Beginning on October 21, DarkSide-controlled funds were moved through several new wallets over several hours, with smaller amounts being siphoned off at each move. This is a common money laundering technique that deters tracing. DarkSide previously shut down operations after the Colonial Pipeline ransomware attack, only to later reemerge rebranded as BlackMatter.
Hardware and electronics company Acer confirmed a cyberattack on their servers in Taiwan after a first attack hit offices in India a week ago. The Desorden Group claimed responsibility for both attacks. The group claimed to have only hacked servers storing employee and product information in the Taiwan attack. Desorden Group’s previous attack on servers in India resulted in 60GB of stolen files, including those with customer data. Acer has since taken affected servers offline and is notifying affected customers in India.
Researchers have discovered that Quickfox VPN, a free VPN service providing access to Chinese websites, has exposed personally identifiable information (PII) of more than a million users from 500 million records and 100GB of data. The exposed data includes emails, phone numbers, and information on device software for about 300,000 users. Users in China, Indonesia, Japan, Kazakhstan and the U.S. were affected. The data leak was due to misconfigured VPN services including Quickfox’s Elasticsearch, Logstash and Kibana (ELK) stack.
FIN7 APT group, also known as the Carbanak Gang or Navigator Group, has been discovered posing as a security firm and recruiting security professionals who are later duped into performing real cyberattacks. Posing as fake security company “Bastion Secure,” the group has set up a convincing, albeit copied, website and uses real but now-closed addresses of the legitimate Bastion Security company. According to researchers, potential hires must go through two interview stages and are then asked to perform an assignment which is in reality a cyberattack. Researchers theorize that FIN7 uses this method in hopes of obtaining a larger share of profits, as hiring from underground markets is more expensive.