Our threat intelligence this week focused on the recent compromises of the ride-sharing service Uber and video game developer Rockstar Games. Through social engineering, the threat actor gained access to an Uber employee’s account and the company’s virtual private network, which enabled access to multiple critical IT services. The threat actor also accessed Uber’s HackerOne bug bounty reports, which disclose vulnerabilities present on Uber’s infrastructure and could be leveraged in further campaigns.
Days later, Rockstar Games suffered a network intrusion resulting in unauthorised access to its Slack server and Confluence wiki. The threat actor stole source code and early development footage for the popular game Grand Theft Auto 6, which has since been shared across social media platforms.
A threat actor under the moniker ‘teapotuberhacker’ has claimed responsibility for both incidents. Uber released a security update attributing the breach to an affiliate of the Lapsus$ data leak extortion group, based on commonalities in techniques, targeted data, and focus on high-profile entities. The recent arrest of a 17-year-old is suspected to be related to the incidents.
An Object-Graph Navigation Language (OGNL) injection vulnerability (CVSS: 9.8|OVSS: 100) could allow a malicious user to execute arbitrary code on a Confluence Server or Data Center instance. We have recently reported that this vulnerability is being actively exploited by financially motivated cybercriminals to deploy cryptocurrency miners.
An input validation vulnerability (CVSS: 9.8|OVSS: 51) affects versions 2.4.3-p1 and 2.3.7-p2 and earlier of Magento 2, an open-source e-commerce platform owned by Adobe. The vulnerability lies in the checkout process and can allow arbitrary code execution on unpatched sites. Researchers have reported a recent surge in exploitation of this vulnerability to deploy Remote Access Trojans.
A zero-day code injection vulnerability (CVSS: 9.8|OVSS: 41) affects Sophos Firewall version v19.0 MR1 and earlier and is found in the User Portal and Webadmin components. If exploited, a remote adversary could achieve remote code execution on a target network. Sophos has observed this vulnerability being exploited primarily in South Asia and has recently released a patch.
Key Intelligence Reports
- Russian nation state unit Sandworm masquerades as telecoms providers to deliver Warzone RAT in Ukraine
Since August 2022, Russian nation-state unit Sandworm has been masquerading as telecommunications providers to deliver the Colibri Loader and Warzone Remote Access Trojan (RAT) to Ukrainian entities. Read full report >>
- GTA 6 source code and early development footage leaked after Rockstar Games breach
US-based video game publisher Rockstar Games has suffered a network intrusion resulting in unauthorised access to its Slack server and Confluence wiki. As a result of the breach, an adversary using the moniker ‘teapotuberhacker’ has leaked early development footage and source code for the popular game Grand Theft Auto 6 (GTA 6) on GTAForums via a link to a RAR archive file containing 90 stolen videos. Read full report >>
- Atlassian Confluence Vulnerability CVE-2022-26134 exploited to deploy cryptocurrency miners
A critical severity vulnerability in Atlassian Confluence tracked as CVE-2022-26134 (CVSS: 9.8|OVSS: 100) is being abused by financially motivated cybercriminals to deploy cryptocurrency miners. Read full report >>
If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny.
What is OVSS?
The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, CVEs, building upon the vulnerability information provided as part of the CVSS (Common Vulnerability Scoring System) score.