Breach Roundup: French Police Arrest Alleged Hive Money Man
Also: Amazon Sues Alleged Refund Gang, Ukraine Says It Hacked Russian Tax System
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, French police arrested an alleged Hive "banker," Amazon cracked down on a refund fraud ring, Ukraine military intelligence said it hacked the Russian tax system, the U.K. Ministry of Defense was fined, Kraft Heinz said it is doing fine after an alleged ransomware attack, a cold storage logistics provider sent out breach notifications and Microsoft closed out the year with a modest Patch Tuesday.
Russian Hive Operator Arrested in Paris
French authorities announced on Thursday the Dec. 5 arrest in Paris of a Russian national residing in Cyprus on suspicion of involvement in the Hive ransomware operation. Authorities seized more than 570,000 euros in cryptocurrency assets from his phone, and the money is believed to be part of the funds stolen from French victims. The suspect, identified as a "banker" for Hive affiliates, allegedly assisted in managing the ill-gotten gains.
French official Nicolas Guidoux said the arrest had been facilitated by the individual's activity on social networks. Further investigation is underway as international police search the suspect's residence in a Cypriot seaside resort.
Hive, first observed in June 2021 and possibly made up of Russian-language speakers, is a ransomware-as-a-service group notorious for targeting healthcare organizations. A multinational law enforcement operation seized control of the group's digital infrastructure (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).
Amazon Cracks Down on Global Refund Fraud Ring
Amazon sued alleged members of an international fraud syndicate known as REKK and seven former Amazon employees implicated in a multimillion-dollar refund scheme. Amazon says REKK functions as an organized retail crime group, orchestrating deceptive refunds by manipulating Amazon's support system, bribing insiders and employing social engineering tactics such as phishing to obtain company credentials.
Individuals seeking fraudulent refunds on ordered items - while simultaneously holding onto the merchandise - pay REKK a percentage of the item cost. REKK claims to have obtained more than 100,000 fraudulent refunds from various global retailers. It advertises its services on Telegram, Nulled, Reddit and Discord.
Ukraine Says It Hacked Russian Tax System
Ukrainian military intelligence said Tuesday that it had hacked into the Russian tax system and infected thousands of servers with malware. The agency, known as the GUR, said it also had attacked Russian tax system contractor Office.ed-it.ru.
"As a result of two cyberattacks, the configuration files, which have been ensuring the functioning of the extensive taxation system of the Russian federation for years, were completely eliminated - the entire database and its backup copies were destroyed," the GUR said in an English-language statement. "Communication between the central office in Moscow and the 2,300 Russian territorial departments is paralysed," it added. Information Security Media Group was unable to verify the GUR's claims.
The Federal Tax Service of Russia did not respond to ISMG's request for comment, and it refuted the hacking claims in local media. "All services of the Federal Tax Service of Russia, the official website and other channels of interaction both with other departments and with taxpayers are operating as usual. The disseminated information about the destruction of data and the capture of traffic does not correspond to reality," the FTS told newspaper Kommersant.
UK Ministry of Defense Fined $440K for Afghan Data Breach
The U.K. Ministry of Defense faces a 350,000-pound fine for failing to safeguard the information of Afghans seeking relocation after the Taliban takeover in 2021. The Information Commissioner's Office imposed the penalty, emphasizing the breach's potential threat to life.
The incident occurred on Sept. 20, 2021, when the ministry mistakenly sent an email containing personal details of 245 individuals to a group of Afghan nationals eligible for evacuation. The email, intended for the Afghan Relocations and Assistance Policy, exposed email addresses and thumbnail pictures to all recipients. Two individuals inadvertently replied to all, and one disclosed their location.
The ICO said that if the information had reached the Taliban, lives would have been endangered. An investigation revealed two additional breaches - on Sept. 7, 2021, and Sept. 13, 2021 - involving 13 and 55 email addresses, respectively. The relocation team's reliance on blind carbon copy for sensitive data transfer was deemed a violation of data protection law, posing a significant risk of human error.
Ransomware Gang Says It Hacked Kraft Heinz
Ketchup and mayonnaise giant Kraft Heinz said it is "reviewing claims that a cyberattack occurred several months ago" after the Snatch ransomware group on Thursday listed the company on its data leak site. The company is examining a "decommissioned marketing website hosted on an external platform," but is "unable to verify" whether it was hacked, a company spokesperson said.*
"Our internal systems are operating normally, and we currently see no evidence of a broader attack," the spokesperson added in an emailed statement.
The corporation recorded gross revenue of $26.5 billion during 2022 through brand sales including its namesakes as well as Velveeta, Oscar Mayer and Jell-O. The Snatch ransomware-as-a-service group first appeared in 2018 and was the subject of a September warning from U.S. federal authorities who said the group targets a range of critical infrastructure sectors, including the defense industrial base and the food and agriculture and information technology sectors (see: Feds Warn About Snatch Ransomware).
Americold Reveals Breach
Cold storage warehouse and logistics giant Americold revealed that a ransomware attack in April had compromised the personal information of more than 129,000 employees and dependents. The revelation follows an earlier claim that the company fell victim to the recently surfaced Cactus ransomware operation several months ago.
The April 26 network breach forced a shutdown of operations to contain affected systems. In a Dec. 8 breach notification, the company said stolen data included names, addresses, Social Security numbers, driver's license and passport numbers, financial account details and employment-related health insurance. Following the attack, Americold instructed customers to cancel noncritical inbound deliveries and reschedule outbound shipments.
Microsoft Ends 2023 With Lean Patch Tuesday
Microsoft issued its final Patch Tuesday updates for 2023, tackling 33 flaws, marking one of the lightest months in recent years. Four critical and 29 important vulnerabilities were addressed, including one zero-day.
This month's lone zero-day vulnerability is CVE-2023-20588, which describes a potential information disclosure due to a flaw in certain AMD processors. An advisory from the chip designer says external researchers found that a mathematically impossible division by zero on some processors "can potentially return speculative data." It advised ensuring that "no privileged data is used in division operations prior to changing privilege boundaries."
Despite AMD deeming the vulnerability's potential impact as low, given its requirement for local access, Microsoft classifies it as important, according to its proprietary severity scale.
The vulnerability has been addressed at the Windows operating system level across all supported Windows versions, extending even to Windows Server 2008 for Azure-hosted assets participating in the Extended Security Update program.
With reporting from Information Security Media Group's Prajeet Nair in Bengaluru, India; Akshaya Asokan in London; Mihir Bagwe in Mumbai, India; and David Perera in Washington, D.C.
*Clarification Dec. 14, 2023 21:15 UTC: Clarified that a spokesperson from Kraft Heinz, not hackers, said the possible hacking incident may center on a decommissioned marketing website hosted on an external platform.