We’ve compiled some of the biggest news stories from the world of cyber security in August 2023, including the closure of Discord.io following a major breach, 2.6 million Duolingo users affected by a private data leak, more than 600 Citrix NetScaler appliances compromised to install web shells, cyber criminals abusing Cloudflare R2 to host phishing pages, and the very latest updates from TryHackMe. Plus much, much more.
Keep reading for your monthly industry updates!
NEW recent threat room: CVE-2023-38408
On the 19th of July, 2023, CVE-2023-38408 was published for a critical vulnerability in the PKCS#11 support of OpenSSH’s ssh-agent, affecting versions prior to 9.3p2. If a user forwards their agent to an attacker-controlled host, the attacker can make the agent load arbitrary shared libraries from the user’s own system through an insufficiently trustworthy search path, and the side effects of loading and unloading those libraries can be chained into remote code execution on the user’s machine. The fix shipped in OpenSSH 9.3p2; until patched, the practical mitigation is not to forward the agent to hosts you do not fully trust.
This month, TryHackMe released a new recent threat room, CVE-2023-38408, allowing you to learn about the unintended implications of shared libraries, alter signal handlers, and combine cutting-edge methods to achieve RCE!
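As an added example (not part of the TryHackMe room and not OpenSSH’s own code), the helper below does the two checks a practitioner would run after reading the above: it parses an OpenSSH version banner and compares it against 9.3p2, and it reads an ssh_config and reports which Host blocks enable agent forwarding. The banner strings and the config are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Added example: audit helper for CVE-2023-38408 exposure. Not OpenSSH code.
FIXED_VERSION = (9, 3, 2)  # OpenSSH 9.3p2 carries the fix


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'OpenSSH_9.3p1 Ubuntu-1ubuntu3' into (9, 3, 1).

    The 'pN' suffix is the portable-release number; OpenBSD-native builds
    omit it and are recorded as 0, so a native 9.3 compares below 9.3p2 and
    is flagged for manual review rather than silently passing.
    """
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def is_vulnerable(banner: str) -> bool:
    """True when the banner is an OpenSSH release older than 9.3p2."""
    version = parse_openssh_version(banner)
    if version is None:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return version < FIXED_VERSION


def hosts_with_agent_forwarding(ssh_config: str) -> List[str]:
    """Return the Host patterns under which 'ForwardAgent yes' is set.

    Options before the first Host line apply to every host and are reported
    as '*'. Comments are stripped; 'Key value' and 'Key=value' are accepted.
    Remember ssh_config is first-match: a 'ForwardAgent yes' that appears
    before a 'Host *' default wins for every host it matches.
    """
    enabled = []
    current = "*"
    for raw in ssh_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = value
        elif key == "forwardagent" and value.lower() == "yes":
            enabled.append(current)
    return enabled


# Constructed sample inputs (as printed by `ssh -V` / found in ~/.ssh/config).
SAMPLE_BANNERS = [
    "OpenSSH_9.3p1 Ubuntu-1ubuntu3",     # vulnerable
    "OpenSSH_9.3p2 Debian-1",            # fixed
    "OpenSSH_8.9p1 Ubuntu-3ubuntu0.3",   # vulnerable
    "OpenSSH_9.4p1",                     # fixed
]

SAMPLE_CONFIG = """\
# constructed ~/.ssh/config
Host bastion
    HostName bastion.example.internal
    ForwardAgent yes
Host *.dev.example
    ForwardAgent=yes
Host git
    ForwardAgent no
Host *
    ForwardAgent no
"""


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:40} vulnerable={is_vulnerable(banner)}")
    print("agent forwarding enabled for:", hosts_with_agent_forwarding(SAMPLE_CONFIG))
```

Feed it the first token of `ssh -V` output for each host you manage; any Host block the second function reports is a host where a compromised remote could reach your agent, so either remove the directive, switch to ProxyJump, or at minimum load keys with `ssh-add -c` so every use requires confirmation.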
Discord.io closes following ‘massive’ data breach
On the 14th of August, Discord.io suffered a major data breach, resulting in their database being leaked to unknown actors.
According to TechRadar, hackers stole data belonging to 760,000 users and posted a sample on Breached Forums to ‘sell’ the full set. Leaked data included usernames, Discord IDs, email addresses, billing addresses, and salted and hashed passwords. Discord.io does not store payment card details, so those were not affected. Salting and hashing slows offline cracking but does not prevent it, so anyone who reused their Discord.io password elsewhere should treat it as compromised.
After confirming the extent of the breach, Discord.io shut down all services and operations. The breach is still under investigation; meanwhile, all active subscriptions have been cancelled, and users who took out a premium membership since the 16th of July, 2023 will be fully refunded.
The Discord.io home page continues to display the message: “We are stopping all operations for the foreseeable future.”
2.6 million Duolingo users affected by private data released on hacking forum
On the 22nd of August, the scraped data of over 2.6 million users of the language learning app Duolingo was posted to a hacking forum by a malicious actor.
The hacker claims to have gathered the data through an exposed application programming interface (API) that researchers had discussed openly since March 2023. The API accepted a username or email address and returned the matching account’s public profile, so a scraper could feed in email addresses from earlier breaches and confirm which of them belonged to Duolingo accounts. A sample of 1,000 of the 2.6 million affected accounts was offered as proof.
Duolingo confirms that the data was scraped from ‘public’ profile information, with data including the names, usernames, and email addresses of users. That said, email addresses are not public on Duolingo profiles; their presence in the dump comes from the API confirming addresses the attacker already held, which is exactly the kind of account enumeration an API should not permit.
Duolingo, one of the largest language learning sites in the world with over 74 million monthly users, maintains that no breach occurred, with a spokesperson stating: “No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.”
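Scraping of this kind shows up in API access logs as one client looking up a large number of distinct identifiers in a short time. The detector below is an added example (not Duolingo’s code or logs): it runs a sliding window over constructed access-log lines and flags clients that query more than a threshold of different email addresses within the window. The log format, IP addresses and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Added example: flag clients that look up many distinct identifiers through a
# profile API within a short window. Log format is constructed for this example.
LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/users\?email=(\S+) (\d{3})$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, client, lookup_key, status) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3).lower(), int(m.group(4))


def detect_enumeration(lines: List[str], window_seconds: int = 60,
                       max_distinct: int = 20) -> Dict[str, int]:
    """Sliding-window count of distinct lookup keys per client.

    A client is flagged when it queries more than max_distinct different keys
    within window_seconds; the returned value is its peak distinct count.
    Counting distinct keys rather than requests separates a scraper walking a
    list of addresses from a busy but legitimate user retrying one lookup.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, key, _status = rec
        q = recent[client]
        q.append((ts, key))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({k for _, k in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


def build_sample_log() -> List[str]:
    """Constructed access log: one normal user, one fast scraper, one slow scraper."""
    base = datetime(2023, 8, 20, 10, 0, tzinfo=timezone.utc)

    def entry(ts: datetime, client: str, i: int, status: int) -> str:
        stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{stamp} {client} GET /api/users?email=user{i}%40example.org {status}"

    lines = []
    # Fast scraper: 50 different addresses, one per second (404s are misses).
    lines += [entry(base + timedelta(seconds=i), "198.51.100.23", i, 200 if i % 3 else 404)
              for i in range(50)]
    # Normal user: 5 lookups, 20 seconds apart.
    lines += [entry(base + timedelta(minutes=5, seconds=20 * i), "203.0.113.7", 1000 + i, 200)
              for i in range(5)]
    # Slow scraper: 30 addresses, 10 seconds apart (stays under the default threshold).
    lines += [entry(base + timedelta(minutes=10, seconds=10 * i), "192.0.2.44", 2000 + i, 200)
              for i in range(30)]
    return sorted(lines)


if __name__ == "__main__":
    print(detect_enumeration(build_sample_log()))
```

With the defaults only the fast scraper is flagged; the slow scraper is designed to stay under a one-minute window, which is why a real deployment should also run the same logic over a longer window (for example ten minutes) and, ideally, remove the ability to look up accounts by email in the first place.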
Former Tesla employees steal data belonging to over 75,000 staff members
Over 75,000 current and former employees of major car manufacturer, Tesla, have fallen victim to an insider data breach. Stolen data includes home addresses, phone numbers, and/or email addresses of staff.
Upon further investigation, Tesla found that two former employees had “misappropriated the information in violation of the manufacturer’s IT security and data protection policies and shared it with the media outlet.” While Tesla has offices in the U.S., Germany, China, and Australia, it isn’t yet clear which offices the incident took place in.
Tesla is continuing to cooperate with law enforcement and external forensics experts, and victims of the data theft are being offered credit monitoring support.
Insider incidents have been on the rise in recent years; some industry surveys attribute as many as 60% of data breaches to insiders, though such figures vary widely with how ‘insider’ is defined. Training helps, but the controls that actually limit this kind of theft are least-privilege access to HR and customer records, logging and alerting on bulk exports, and revoking access promptly when staff leave.
14 ‘suspected’ cyber criminals arrested across Africa
This month, law enforcement investigating 20,674 cyber networks (linked to financial losses of more than $40 million) arrested 14 suspected cyber criminals across Africa.
INTERPOL, in collaboration with AFRIPOL, launched the four-month operation, named ‘Africa Cyber Surge II’ in April 2023, focusing on identifying cyber criminals and compromised infrastructure.
According to INTERPOL, the operation sought to facilitate communication, provide analysis and share intelligence between countries, streamline cooperation between African law enforcement agencies to prevent, mitigate, investigate, and disrupt cyber extortion, phishing, business email compromise and online scams.
By leveraging private sector intelligence in around 150 INTERPOL analytic reports, the operation emphasises how cyber security is most effective when international law enforcement, national authorities, and private sector partners cooperate together.
As a result, the authorities were able to take down two darknet websites, 615 malware hosters in Kenya, and 185 IP addresses connected to malicious activities in Gambia. In Cameroon, three suspects were arrested on suspicion of involvement in the fraudulent sale of art with an estimated worth of USD 850,000, while police in Mauritius arrested two money mules linked to scams initiated through messaging platforms.
Malware delivered by threat actors to mimic popular IT tools
This month, it was revealed that threat actors have been using a malvertising campaign (using online advertisements to lead victims to malicious downloads) to drop malware and info stealers, which are then used as the initial foothold for ransomware operations.
These threat actors employ the strategy of mimicking well-known IT tools and software to infiltrate systems and networks, thereby evading detection and raising the difficulty of attribution. By adopting the appearances and behaviours of legitimate tools, these malicious actors can deceive security measures and gain unauthorised access.
One recent example is threat actors buying Google Ads so that searches for a popular IT tool return a malicious download page first. The pages also fingerprint the visitor: the source IP is checked against lists of VPN, proxy, cloud and security-vendor ranges and against previous visits, and only ‘clean’ first-time residential IPs are served the malicious content, while everyone else (including sandboxes and analysts) sees a benign page. This cloaking is what lets the campaign evade automated scanners.
As threat actors disguise their activities as routine IT processes, security teams may struggle to distinguish between genuine and malicious actions. This tactic also makes it increasingly complicated to identify the origins of attacks, complicating efforts to attribute breaches to specific individuals or groups.
Over 600 Citrix NetScaler appliances compromised to install web shells
In early August, the Shadowserver Foundation reported that more than 600 Citrix NetScaler ADC and Gateway appliances had been compromised through CVE-2023-3519, a critical unauthenticated remote code execution (RCE) vulnerability, with attackers installing web shells on them.
A web shell is a small script dropped into the appliance’s web-served directories that gives the attacker remote command execution over HTTP and outlives the original exploit. Because the shell persists independently of the vulnerability, patching alone does not evict an attacker who has already landed: the compromised appliances, spread across many industries, remain entry points until the shells are found and removed.
Organisations running these appliances should patch, but also assume compromise if the appliance was exposed before the patch was applied: check for files in the web UI tree that are newer than the last legitimate install, review access logs for requests to unexpected scripts, and rotate credentials and session keys held on the appliance.
Beyond the appliances themselves, the usual controls apply: minimise internet exposure of management interfaces, patch quickly, enforce strict access controls, and monitor for post-exploitation activity rather than assuming perimeter devices are clean.
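The triage described above can be scripted. The scanner below is an added example (not Citrix’s, CISA’s or TryHackMe’s tooling): it walks a PHP web root, such as the NetScaler web UI tree, and reports files that either match common web-shell heuristics or were modified after a baseline date you supply (the last legitimate install). The heuristic patterns, the sample files and the baseline are constructed for the example and are not an official indicator list.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example: web shell triage for a PHP web root. Heuristic patterns are
# constructed for illustration and are not an official IOC list.
SUSPICIOUS_PATTERNS = {
    "sink_fed_by_request_or_decoder": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*@?\s*"
        r"(?:\$_(?:GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|gzuncompress|str_rot13)",
        re.I,
    ),
    "large_inline_base64": re.compile(r"\bbase64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}", re.I),
    "variable_function_on_request": re.compile(r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "file_upload_handler": re.compile(r"\bmove_uploaded_file\s*\(", re.I),
}


@dataclass
class Finding:
    path: str
    newer_than_baseline: bool
    matched: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.matched and self.newer_than_baseline:
            return "high"
        return "medium" if self.matched else "low"


def scan_webroot(root: str, baseline_epoch: float,
                 exts: Tuple[str, ...] = (".php", ".phtml", ".php5")) -> List[Finding]:
    """Walk root; report PHP files that match shell heuristics or changed after baseline.

    baseline_epoch should be the last legitimate install/patch time: on an
    appliance, nothing under the web UI tree should be newer than that, so a
    changed file with no pattern hit is still worth a look (severity 'low').
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "r", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue
            matched = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]
            newer = mtime > baseline_epoch
            if matched or newer:
                findings.append(Finding(path, newer, matched))
    return sorted(findings, key=lambda f: f.path)


def build_sample_webroot() -> Tuple[str, float]:
    """Create a constructed web root in a temp dir; return (root, baseline_epoch)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    now = time.time()
    baseline = now - 30 * 86400   # "last patched 30 days ago"
    old = baseline - 10 * 86400   # legitimate files predate the baseline
    samples = {
        "index.php": ('<?php include "header.php"; echo "Welcome"; ?>', old),
        "login.php": ('<?php echo htmlspecialchars($_GET["user"]); ?>', old),
        "helper.php": ("<?php function add($a, $b) { return $a + $b; }", now),  # changed, benign
        ".x.php": ('<?php @eval(base64_decode($_POST["c"])); ?>', now),        # minimal web shell
    }
    for name, (content, mtime) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_webroot()
    for f in scan_webroot(root, baseline):
        print(f"{f.severity:6} {os.path.basename(f.path):12} newer={f.newer_than_baseline} {f.matched}")
```

Run it against a copy of the web root taken from the appliance rather than on the appliance itself, and expect to triage the ‘low’ findings by hand: a vendor hotfix also changes mtimes, so the baseline must be the time of the last change you made on purpose.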
Cyber criminals abusing Cloudflare R2 for hosting phishing pages
Since February 2023, Netskope Threat Labs has tracked a 61-fold increase in traffic to phishing pages hosted in Cloudflare R2.
Cloudflare R2 is an S3-compatible object storage service, not a security product. A bucket can be published under a pub-<id>.r2.dev URL, which gives a phisher free static hosting on a reputable, TLS-enabled Cloudflare domain that filters are reluctant to block wholesale. That is the abuse here: hosting the phishing page itself, not DDoS or traffic amplification.
The majority of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps.
Netskope also observed the pages using Cloudflare Turnstile, Cloudflare’s CAPTCHA alternative, to keep automated scanners from reaching the credential form, and loading the phishing content only when the victim arrived via the attacker’s referring site; a direct visit returned a blank page. Defenders should therefore treat unexpected r2.dev links in email as worth a closer look and not rely on automated URL scanners alone, since the evasion is designed to defeat exactly those.
UK Electoral Commission hit by cyber attack
The Electoral Commission, which oversees elections and regulates political finance in the UK, announced that it had been the subject of a ‘complex’ cyber attack. The intrusion was identified in October 2022, and the attackers had first gained access in August 2021.
Perpetrators had access to the Commission’s servers which hold emails, control systems, and copies of the electoral registers. Affected data held at the time of the attack includes the name and address of anyone in Great Britain registered to vote between 2014 and 2022, the names of those registered as overseas voters during the same period, and the names and addresses of anyone registered in Northern Ireland in 2018.
As the Commission’s email system was also accessible during the attack, email content, including personal images sent to the Commission, was exposed.
It is not yet clear how the perpetrators gained access to the Commission’s servers; security specialists continue to investigate the incident to identify the cause and to take immediate action.
The Electoral Commission claims that the attack is ‘unlikely’ to present a high risk to affected citizens, however, anyone who has been in contact with the Commission, or who was registered to vote in Great Britain between 2014 and 2022, and in Northern Ireland in 2018, should remain vigilant for unauthorised use or release of their personal data.
TryHackMe heads to Vegas!
To kick-start our global tour, the TryHackMe team flew out to Vegas for the annual Black Hat USA conference. Now in its 26th year, Black Hat USA is one of the most renowned cyber security conferences in the world, gathering professionals, researchers, and experts from various industries to delve into cutting-edge developments in information security!
Our Vegas trip didn’t just stop at Black Hat, as we then went on to attend DEF CON 31 on the 11th and 12th of August, sponsoring Blue Team Village and IoT Village.
DEF CON 31, an annual hacker conference held in Las Vegas, brings together cyber security enthusiasts, professionals, researchers, and hackers from around the globe to exchange knowledge, showcase innovative research, and engage in hands-on activities.

Thank you to every single business and individual who came to say hello! We met hundreds of TryHackMe users who popped by, picked up some swag, and took the time to tell us their personal experiences and achievements with the help of our platform! It was incredible meeting you and getting a chance to hear how TryHackMe has changed your lives.
The best things we kept hearing again and again were:
- “I'm loving the new and more advanced content!”
- “I didn't know your business package was so affordable”
- “I've been using TryHackMe for 10 years” (we've only existed for 5 years 😜)
Something is coming to TryHackMe!
Psssttt… something big is coming very soon 😉
We can’t reveal too much, so keep your eyes peeled for the release in early September!

Ben Spring