News Heading - 1

Data Breach: Ransomware Group Threatens to Leak Data Stolen from Reddit

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

The BlackCat ransomware threat actors have taken credit for the February 2023 attack on the social platform Reddit. The gang, also known as ALPHV, has threatened to leak the 80GB of stolen data unless Reddit pays a ransom of $4.5 million. The threat actors have also demanded that Reddit roll back its recently announced API pricing policy.

Cybersecurity researcher Dominic Alvieri was the first to spot BlackCat’s claim to be the hackers behind the 5 February data breach at Reddit. The group shared a post named ‘The Reddit Files’ on its data leak blog site, where it not only claimed the cyberattack but also shared details of its attempts to contact Reddit. The group claims to have contacted the company twice and is now threatening to release the data because its demands are not being met.

At the time of the attack, Reddit’s CTO confirmed in a post that, in a highly targeted phishing attack, unknown threat actors had gained access to its systems and stolen some internal documents, code, dashboards and business systems.

The exposed data also included some advertisers’ information and past and current employee credentials. However, the hackers were unable to breach Reddit’s primary server, so no user passwords, credit card information or account details were exposed. As the post put it: “We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”

On discovering the incident, the company immediately deployed containment measures to mitigate the threat: it removed the unauthorized access and launched an internal investigation. It also assured users that it would keep monitoring the incident and strengthen its security systems to prevent similar attacks in the future.

Reddit also urged users to adopt simple but effective security measures such as enabling two-factor authentication (2FA) and using a password manager. At a time of frequent cyberattacks and data breaches, a password manager helps secure online accounts and the personal information and identity behind them.

News Heading - 2

SpaceCobra Uses Android GravityRAT Malware to Target WhatsApp Backups

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Researchers at ESET have discovered a new version of the Android GravityRAT spyware. Targeting WhatsApp users, it is a trojanized version of the legitimate OMEMO IM app, offered for download as the BingeChat and Chatico messaging apps.

Active since 2015, GravityRAT is a remote access tool that has been used against specific targets based in India. It is a cross-platform tool whose origin remains unknown, though ESET researchers internally associate it with the group SpaceCobra.

The malware, which can compromise Windows, macOS and Android, is believed to have been active since August 2022. It can not only access all files stored in WhatsApp backups but also exfiltrate other sensitive information from a user’s device.

The BingeChat and Chatico messaging apps are not available on the Google Play store; instead they are distributed through bingechat[.]net and chatico[.]co[.]uk, dubious websites that promote free file-sharing and chat services.

The malware is designed to extract all data from WhatsApp backups and can receive remote commands to delete information, including call logs, contacts and specific files. “These are very specific commands that are not typically seen in Android malware,” noted ESET’s research.

Without the victim’s knowledge, GravityRAT also collects sensitive data such as SMS messages, location data, call logs, and files including photos, videos and audio recordings, and transfers it to an attacker-controlled C2 server. It obtains this data through the legitimate functionality of an Android app: it requests all the standard permissions for access to different functions and files, and the user grants them.

According to ESET researchers, Chatico is no longer active, but BingeChat is still operational. Both apps are used against specific targets; for instance, the documented SpaceCobra attack that deployed Chatico was aimed at an India-based user. BingeChat can only be downloaded after registration, which is not open to everyone.

“The BingeChat app is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. In any case, the campaign is very likely highly targeted,” noted the research.

Since new and updated versions of GravityRAT keep appearing, it is essential that Android users follow strict security practices, including using antivirus software, to mitigate such threats.