The 10th of August, Cyber News


News of the IT ARMY of Ukraine

The IT Army returns to the attack on the platform for video communication and remote work TrueConf. “They hid their main site (unsuccessfully) behind the American Cloudflare. But recently they wrote about the fact that they cooperate with a russian company that provides solutions against DDoS attacks. Is this import substitution in russia in the IT sector? :)”, the hacktivists wrote in their Telegram.1



The Website of the Parliament of Finland Was Attacked by russian Hackers

The website of the Finnish Parliament was hacked. According to Yle, the group of russian hackers NoName057 is behind the cyber attack. They announced their intentions in the Telegram application.

“They decided to pay a “friendly” visit to neighboring Finland, whose government is so eager to join NATO,” the statement reads.

Around 5 p.m., Parliament confirmed that the site had indeed been hacked and that the attack had begun at 2:30 p.m. The parliament's press release also states that it has taken measures to counter cyber attacks together with the Cyber Security Center.

According to cyber security expert Mikko Hyppönen, there is no reason to doubt the russian hackers' statement that they are behind the cyber attack on the parliament's website.

“This group is one of the most visible russian groups during the Ukrainian crisis. We are talking about a patriotic hacker group that became active in early March, when the hostilities had just begun. However, like other groups, this one engages only in DDoS (“denial of service”) attacks, that is, it seeks to disrupt services,” the expert noted.

On Wednesday, August 10, the site is back to normal.2


In the Mac App Store, Chinese Applications Were Discovered that Violate the Rules of the Store and Contain Malicious Software

Privacy 1st researcher (Alex Kleber) analyzed 7 different Apple developer accounts managed by the same Chinese developer. He notes that the apps violate the Mac App Store rules.

The most common violation is that the applications contain hidden malware capable of receiving commands from a command-and-control server. This allows the apps to pass the initial App Store security checks before the malware is activated. In some apps, Apple’s review team saw a completely different user interface than what appeared in the final version, because the developers could change the user interface remotely.


The apps use popular services like Cloudflare and GoDaddy to hide their hosting provider. It was also found that Google’s free sites are used for their privacy policies. Most notably, they all use the same password to decrypt the JSON file that was used to fool Apple’s review team. This confirms that the programs were created by the same developer.

Other programs rely on fake reviews. Developers can buy reviews to make their apps seem more authentic and engaging. It is noted that most of the 5-star reviews are written by non-native English speakers, and multiple reviews often share the same style. The one-star reviews are the only ones that seem genuine.


The developer also created multiple copies of the same app to gain market share.

Some of these malicious apps have proven to be very popular. PDF Reader for Adobe PDF Files was one of the most downloaded/sold apps in the US Mac App Store, despite tricking users into unwanted subscriptions.

Apple has already removed many fake reviews of these apps and removed some of the apps as well.3


Another crypto bridge attack: Nomad loses $190 million in ‘chaotic’ hack

Heists continue to plague the crypto world, with news of large sums stolen from digital currency firms seemingly every month. But while crypto exchanges were once the main point of attack, hackers now appear to have a new target: blockchain bridges.

Bridges are the infrastructure that allows users to exchange assets between different blockchains, the digital databases underpinning major cryptocurrencies. When a bridge service swaps one coin for another, it “wraps” the currency so that it will function on the other blockchain.

A wrapped coin does not become another currency altogether — “it just looks like it,” Tom Robinson, chief scientist at blockchain analysis firm Elliptic, told CNN Business. Instead, a “token” is issued to represent the new coin on the different blockchain. “I deposit my Bitcoin in the bridge. In return for doing that, I receive a Bitcoin token on the Ethereum blockchain, and then I can transfer that Bitcoin token, which is what is known as a wrapped asset, through the Ethereum blockchain,” explains Robinson.

To support these wrapped coins, bridge services hold large reserves of various coins. “You need to trust the bridge really has the assets that are backing those tokens,” said Robinson. “They have huge amounts of assets that back those wrapped tokens.”

These coin reserves are attracting the attention of hackers and turning blockchain bridges into prime targets for heists, according to Elliptic. “They’re just huge honeypots. They just hold huge amounts of crypto assets, and so they are very obvious targets,” said Robinson.

Some $1.83 billion has been stolen from bridges to date, with the majority of that ($1.21 billion) taking place just this year, according to Elliptic. Six major bridges have been hit in thefts so far in 2022, including California-based firm Harmony, which lost $100 million in late June, and Axie Infinity’s Ronin bridge, which suffered a $625 million theft in March.

In the latest example, hackers reportedly stole cryptocurrency valued at $190 million from cryptocurrency bridge provider Nomad, according to blockchain security and data analytics company Peckshield. (Nomad has not confirmed the total amount lost.)4


7-Eleven Chain of Stores in Denmark Was Knocked out by a Powerful Cyber Attack

The cyber attack occurred on the morning of August 8, 2022 and the company acknowledged the incident on Facebook. In a statement, 7-Eleven said all of the company’s stores will be closed until the investigation into the cyber attack is complete.

In addition, the attack was confirmed by an employee of the chain, who published a message on Reddit. According to him, the store had to be closed after the cash register systems stopped working.

At this time, there are no additional details about the attack, and it is not known if ransomware was involved. BleepingComputer contacted 7-Eleven to find out more about what happened, but the company said it had nothing to say at this time.5


Slack leaked hashed passwords for 5 years

The popular workspace platform transmitted hashed versions of users' passwords to other workspace members.

Slack notified approximately 0.5% of Slack users that it had reset their passwords in response to a bug.

The vulnerability, discovered by an independent security researcher and disclosed to the company in July, occurred when users created or revoked a shared invitation link for their workspace.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers,” Slack noted.

The flaw affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords. They will need to set a new Slack password before they can log in again,” Slack said.6