Apologies to everyone for missing last week! It was a bit of a weird one with a storm BERYLing in (see what we did there?). In all seriousness though, we're thinking of everyone and their families across the Caribbean who weren't as lucky as we were here in Cayman.
In this week's Cyber Bits, we look into Cloudflare's BGP incident, a Go-based ransomware variant targeting VMs, Ticketmaster still struggling to recover from a ransomware incident, hackers associating and leaking phone numbers tied to Twilio Authy accounts, and malicious Cobalt Strike servers being shut down by the feds.
Cloudflare BGP Hijacking Incident
Link: Bleeping Computer
Cloudflare attributed a recent outage to a Border Gateway Protocol (BGP) hijacking that disrupted services for many users. For those unfamiliar with BGP, Cloudflare describes it as the postal service of the Internet, choosing the most efficient route to get data from one point to the next. This incident underscores the exposure of Internet-facing infrastructure to BGP misconfigurations and malicious route announcements.
Eldorado Ransomware Targeting VMs
Link: Bleeping Computer
The new Eldorado ransomware is actively targeting Windows and VMware ESXi virtual machines, emphasizing the growing threat to virtual environments. This new Ransomware as a Service (RaaS) variant is written in Go, allowing it to encrypt both Windows and Linux platforms through two distinct builds. On Windows systems, Eldorado encrypts only the drives, file types, and paths the attackers specify.
Ticketmaster Extortion Escalation
Link: Bleeping Computer
Hackers have leaked what they claim is Ticketmaster barcode data for 166,000 Taylor Swift concert tickets and demanded a $2 million ransom to prevent further leaks. The attackers, known as ShinyHunters, previously sold data on millions of Ticketmaster customers. Ticketmaster confirmed that their SafeTix technology, which refreshes barcodes every few seconds, prevents the stolen tickets from being used. The company has not engaged in ransom negotiations and disputes claims of offering $1 million to delete the data.
Twilio's Authy App Exposes Phone Numbers
Link: The Hacker News; Twilio
Hackers accessed data related to Authy accounts by taking advantage of an unauthenticated endpoint, leading to phone numbers associated with accounts being published online by ShinyHunters. Twilio has secured the endpoint, advises users to update their Authy apps, and says it will remain vigilant against phishing and smishing attacks. Despite the leak, there is no evidence of unauthorized access to Twilio’s systems or other sensitive data.
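The Authy item comes down to a lookup endpoint that answered, without authentication, whether a phone number was tied to an account. As an added illustration that is not Twilio's code and does not describe the real endpoint, here is a hypothetical phone-lookup handler in its weak form beside a hardened one: the hardened version requires a session token, rate-limits each caller, and returns the same response whether or not the number is registered.

```python
import time
from collections import defaultdict
from typing import Optional

# Constructed sample: phone numbers registered with a hypothetical service.
REGISTERED = {"+15555550100", "+15555550101"}


class WeakLookup:
    """Weak form: no authentication, and the response reveals whether the
    number is registered. A caller can walk a number range and collect
    every hit, which is the class of flaw the Authy story describes."""

    def lookup(self, phone: str) -> dict:
        if phone in REGISTERED:
            return {"status": 200, "registered": True}
        return {"status": 404, "registered": False}


class HardenedLookup:
    """Hardened form: authenticate, rate-limit, and answer uniformly."""

    def __init__(self, sessions: dict, limit: int = 5, window: int = 60):
        self.sessions = sessions          # token -> account id (hypothetical store)
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)     # caller id -> request timestamps

    def lookup(self, phone: str, token: Optional[str], caller: str,
               now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        # 1. No valid session, no answer at all.
        if token is None or token not in self.sessions:
            return {"status": 401}
        # 2. Sliding-window rate limit per caller blunts bulk querying.
        recent = [t for t in self.hits[caller] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[caller] = recent
            return {"status": 429}
        self.hits[caller] = recent + [now]
        # 3. Uniform response: registered or not, the caller learns nothing.
        #    The real work (e.g. sending a code) happens out of band.
        return {"status": 202,
                "message": "If this number is registered, a code has been sent."}
```

The `now` parameter exists only so the rate limiter can be exercised deterministically; in a real handler the caller id would come from the session and the request source.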
Global Police Operation Shuts Down Cybercrime Network
Link: The Hacker News
A coordinated international police operation, dubbed MORPHEUS, has shut down nearly 600 servers linked to cybercriminal activity using the Cobalt Strike tool. The crackdown involved authorities from multiple countries and targeted illegal copies of the penetration testing software, which is frequently misused by cybercriminals for ransomware and espionage. The operation highlights the global effort to combat cybercrime by dismantling the infrastructure used for large-scale attacks and denying it to malicious actors.