
India-Linked Threat Actors Utilized Telegram for Coordinating Cyberattacks in Asia
- Written by Ari Denial, Cybersecurity & Tech Writer
The cyber intelligence firm Group-IB has revealed a series of phishing attacks carried out by a suspected threat group with ties to Indian nationalists. The attacks targeted a range of government, military, and legal organizations throughout Asia, as reported by Group-IB.
The group behind the attacks, SideWinder, also known as Hardcore Nationalist (HN2), reportedly targeted more than 60 organizations in countries such as Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka. Government agencies were the primary targets, with 44 being singled out, while only four attacks were aimed at military organizations. Almost half of the attacks were directed at targets in Nepal, which shares a border with India.
“The group has been carrying out cyber espionage attacks against government organizations in the Asia-Pacific region since at least 2012. In June 2022, Group-IB discovered the group’s newest custom tool, SideWinder.AntiBot.Script, which was used in previously documented phishing attacks against Pakistani organizations. SideWinder is notable for its ability to conduct hundreds of espionage operations within a short span of time,” said Group-IB researchers.
According to the cyber analysts, SideWinder utilized Telegram, a widely-used messaging app, to process data from the targeted systems. Telegram has gained popularity among Advanced Persistent Threat (APT) groups and financially-motivated cybercriminals as a command-and-control center or a base of operations, due to its user-friendly interface.
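Because the Telegram Bot API has a fixed shape (requests to `api.telegram.org` with a path of the form `/bot<id>:<secret>/<method>`), its use from an endpoint that has no business running a bot is easy to pick out of web-proxy logs. The following detector is an added example, not Group-IB's tooling or any SideWinder artifact; the log lines and the bot identifier are constructed placeholders, and the whitespace-separated proxy format is an assumption that would be adapted to a real proxy's schema.

```python
import re
from typing import Optional

# Constructed forward-proxy log lines (not real traffic). Fields: timestamp,
# source IP, destination host, method, URI path, user agent. The user agent is
# the last field and may itself contain spaces.
SAMPLE_PROXY_LOG = """\
2023-02-16T09:12:01Z 10.20.4.17 api.telegram.org POST /bot0000000000:PLACEHOLDER_TOKEN/sendDocument python-requests/2.28.1
2023-02-16T09:12:05Z 10.20.4.17 update.googleapis.com GET /service/update2 Google-Update/1.3.36.151
2023-02-16T09:13:40Z 10.20.4.22 api.telegram.org GET /bot0000000000:PLACEHOLDER_TOKEN/getUpdates Mozilla/5.0 (Windows NT 10.0) PowerShell/7.3
2023-02-16T09:15:02Z 10.20.4.31 web.telegram.org GET /k/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0
"""

# Telegram Bot API requests are addressed as /bot<numeric id>:<secret>/<method>.
BOT_API_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Bot API methods that carry data out of the environment (uploads/messages)
# versus the polling method a bot uses to receive its tasking.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}
TASKING_METHODS = {"getUpdates"}


def parse_line(line: str) -> Optional[dict]:
    """Split one proxy log line into its six fields; return None if malformed."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        return None
    ts, src, host, method, path, agent = parts
    return {"time": ts, "src": src, "host": host, "method": method,
            "path": path, "agent": agent}


def detect_bot_api_use(log_text: str) -> list[dict]:
    """Return one finding per Bot API request seen in the proxy log.

    Only api.telegram.org with a /bot<id>:<secret>/ path is flagged; ordinary
    use of Telegram Web (web.telegram.org) by a person is left alone. The bot
    secret is never written into the finding, only the numeric bot id.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != "api.telegram.org":
            continue
        match = BOT_API_PATH.match(rec["path"])
        if match is None:
            continue
        bot_id, _secret, api_method = match.groups()
        if api_method in EXFIL_METHODS:
            kind = "exfiltration"
        elif api_method in TASKING_METHODS:
            kind = "tasking"
        else:
            kind = "other"
        findings.append({
            "time": rec["time"],
            "src": rec["src"],
            "method": api_method,
            "kind": kind,
            "bot": f"{bot_id}:****",   # redacted: the secret must not land in a ticket
            "agent": rec["agent"],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bot_api_use(SAMPLE_PROXY_LOG):
        print(finding)
```

Legitimate bots do exist (alerting integrations, for example), so in production the source IPs of known bot hosts should be allowlisted before the remaining hits are escalated; a user-agent such as `python-requests` or `PowerShell` on a workstation, combined with an upload method, is what makes the first hit worth a look.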
Group-IB reported that SideWinder has updated its toolkit and is now using two new tools:
- SideWinder.RAT.b — a remote access Trojan
- SideWinder.StealerPy — a custom information stealer designed to extract data from the victim’s computer.
The stealer is capable of extracting a range of sensitive information from the victim’s computer. This includes Google Chrome browsing history, details of saved directories and folders, credentials saved in the browser, metadata, and the contents of .txt, .docx, and .pdf files.
It remains unclear whether any of the phishing campaigns were successful. Notably, Group-IB analysts identified two phishing projects that imitated cryptocurrency companies. The increasing interest of SideWinder in cryptocurrency could be related to recent efforts to regulate the crypto market in India.

An Android Video Game With 1 Million Downloads Compromised Users’ Personal Information
- Written by Ari Denial, Cybersecurity & Tech Writer
Tap Busters: Bounty Hunters, a well-known mobile game, has exposed users’ confidential data.
On the Google Play Store, Tap Busters: Bounty Hunters has been downloaded more than one million times and has a 4.5-star rating based on more than 45k reviews. In the game, players become bounty hunters seeking to dominate the galaxy by defeating villains and gathering loot as they travel through alien worlds.
Cybernews researchers discovered that Tap Busters: Bounty Hunters had left its database open to public access for at least five months, exposing users’ private conversations. In addition, sensitive data had been hardcoded into the client side, exposing it to further breaches.
The unprotected 349 MB database includes usernames, user IDs, timestamps, and private messages. The users’ private messages could have been permanently lost if the leaked data had not been backed up and an attacker had chosen to delete it. The developers left sensitive information hardcoded in the application’s client side alongside an open Firebase instance. Here are the keys that were found:
- firebase_database_url
- gcm_defaultSenderId
- google_app_id
- google_storage_bucket
- google_crash_reporting_api_key
- default_web_client_id
- google_api_key
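The seven resource names above are exactly what the Firebase Gradle plugin generates into an Android app's `res/values/strings.xml` from `google-services.json`, so any Firebase-backed app ships them; what turns the database URL among them into an exposure is the Realtime Database security rules behind it. The audit below is an added example (not Cybernews' methodology or the game's code): it pulls those identifiers out of a constructed `strings.xml` with placeholder values, then walks a rules document and reports every `.read`/`.write` that is literally `true`, showing the wide-open ruleset next to a per-user one. The rule-walker and the `audit` helper are this example's own names.

```python
import json
import xml.etree.ElementTree as ET

# Resource names that google-services.json is compiled into. These are client
# identifiers by design; the set below is the one listed above.
FIREBASE_CLIENT_KEYS = {
    "firebase_database_url",
    "gcm_defaultSenderId",
    "google_app_id",
    "google_storage_bucket",
    "google_crash_reporting_api_key",
    "default_web_client_id",
    "google_api_key",
}

# Constructed sample strings.xml; every value is a placeholder, not a real key.
SAMPLE_STRINGS_XML = """
<resources>
    <string name="app_name">Example Game</string>
    <string name="firebase_database_url">https://example-project-placeholder.firebaseio.com</string>
    <string name="gcm_defaultSenderId">000000000000</string>
    <string name="google_app_id">1:000000000000:android:placeholder</string>
    <string name="google_storage_bucket">example-project-placeholder.appspot.com</string>
    <string name="google_crash_reporting_api_key">PLACEHOLDER_KEY</string>
    <string name="default_web_client_id">placeholder.apps.googleusercontent.com</string>
    <string name="google_api_key">PLACEHOLDER_KEY</string>
</resources>
"""

# Weak Realtime Database rules: anyone who knows the database URL can read and
# write everything, which is the "open Firebase instance" situation.
WEAK_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Hardened rules: an authenticated user may read and write only their own
# message subtree; everything else is denied by default.
HARDENED_RULES = json.loads("""{
  "rules": {
    "messages": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}""")


def find_firebase_config(strings_xml: str) -> dict[str, str]:
    """Return the Firebase resource strings present in an Android strings.xml."""
    root = ET.fromstring(strings_xml)
    return {
        el.get("name"): (el.text or "").strip()
        for el in root.iter("string")
        if el.get("name") in FIREBASE_CLIENT_KEYS
    }


def public_access(rules: dict) -> list[tuple[str, str]]:
    """Return (path, permission) pairs where a rule is literally true.

    Realtime Database permissions cascade downward, so a true at "/" exposes
    the whole database no matter how strict the rules beneath it are.
    """
    findings: list[tuple[str, str]] = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return findings


def audit(strings_xml: str, rules: dict) -> dict:
    """Combine both checks: which identifiers ship in the client, and whether
    the rules make the database URL among them a real exposure."""
    config = find_firebase_config(strings_xml)
    exposed = public_access(rules)
    return {
        "client_keys": sorted(config),
        "database_url": config.get("firebase_database_url"),
        "public_rules": exposed,
        "database_public": bool(exposed) and "firebase_database_url" in config,
    }


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(SAMPLE_STRINGS_XML, rules))
```

The practical takeaway is that stripping the identifiers out of the APK would not have closed the database; replacing the root-level `true` rules with authenticated, per-user rules does, and the same walk can be run against the rules exported from the Firebase console as a pre-release check.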
Tilting Point, the game’s developer, owns multiple successful titles with a large user base, some of which have racked up over five million downloads. Even after being notified of the data breach, the developer did not shut down public access to the database.
According to Cybernews, “The app developers did not reply to Cybernews questions about the duration of the instance’s public accessibility or the possibility that malicious actors might exploit hardcoded secrets, resulting in sensitive data breaches.”