Reddit on Thursday informed users that its systems were hacked as a result of what the company described as a sophisticated and highly targeted phishing attack aimed at employees.
According to Reddit, the intrusion was detected on February 5. The hackers gained access to some internal documents, source code, internal dashboards and business systems.
So far in the investigation, Reddit has determined that the exposed information includes limited contact information for hundreds of company contacts and current and former employees, as well as some advertiser information.
“Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online,” Reddit said.
There is no indication that user passwords or accounts have been compromised. The company also said there is no evidence of a breach of production systems, where the platform runs and where a majority of its data is stored.
The data breach was discovered after an employee informed Reddit’s security team that they had fallen for a phishing attack. The attackers targeted Reddit employees with “plausible-sounding prompts” that led them to a phishing website mimicking its intranet gateway.
A Reddit representative noted in an AMA (Ask Me Anything) thread that the employee whose credentials were phished did have two-factor authentication (2FA) enabled on their account, as the company requires it for all employees.
However, it seems that the phishing page targeted not only employee credentials, but also their second-factor tokens.
Several major tech companies have been targeted in sophisticated phishing attacks in recent months. One of them is Zendesk, which revealed recently that some employees handed over their credentials to threat actors in the fall of 2022.
At around the same time, companies such as Twilio, Cloudflare and at least 130 others were targeted in a phishing campaign dubbed 0ktapus, which appeared to be the work of financially motivated threat actors.
The United Kingdom’s National Cyber Security Centre (NCSC) has published an advisory to warn organizations and individuals about separate spearphishing campaigns conducted by Russian and Iranian cyberespionage groups.
The advisory focuses on activities conducted by the Russia-linked Seaborgium group (aka Callisto, Blue Callisto and Coldriver) and the Iran-linked TA453 (aka Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster and Phosphorus).
The NCSC noted that the two groups covered by the advisory have similar tactics, techniques and procedures (TTPs) and they target the same types of entities, but there is no evidence that their campaigns are connected or that the two APTs are collaborating.
The goal of these attacks has been to collect information from government organizations, academia, defense firms, NGOs, think tanks, politicians, activists and journalists.
Seaborgium and TA453’s attacks start with a reconnaissance phase that involves using open source intelligence to research their targets. This phase can involve creating fake social media accounts, email accounts impersonating well-known individuals in the target’s field of interest, fake websites, and event invitations. The goal is to gain the victim’s trust.
The hackers don’t immediately deliver malicious content to the victim and instead take their time to build trust, which increases their chances of success. After trust is established, they deliver a malicious link that leads the victim to a phishing page.
These phishing pages are designed to harvest credentials that the Russian and Iranian hackers can then use to access the victim’s email accounts, which can store valuable information.
The attackers have also been observed setting up forwarding rules in compromised email accounts in an effort to monitor the victim’s correspondence. In addition, they have used contact lists for further phishing attacks.
“Although spear-phishing is an established technique used by many actors, Seaborgium and TA453 continue to use it successfully and evolve the technique to maintain their success,” the NCSC said in its advisory.
The advanced persistent threat (APT) tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or being impersonated (that is, having its infrastructure abused by other hackers).
TA444 is a North Korean state-sponsored threat group tracked by Proofpoint as actively targeting cryptocurrencies since at least 2017. It has overlaps with other DPRK groups such as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and Copernicum – but not enough in Proofpoint’s telemetry to be specifically tied to any one of these.
For example, Mandiant has described activity known as CryptoCore and Dangerous Password as a “likely subgroup of APT38”. Proofpoint adds SnatchCrypto, and defines all three as campaigns operated by TA444. If both sets of researchers are correct, it may be that TA444 is a subgroup of APT38. Nevertheless, the overlapping nature of differently named DPRK groups makes it difficult to delineate them clearly, and many people still refer to the umbrella name of Lazarus.
In its first publicly available report on the TA444 group, Proofpoint notes that like other DPRK groups, it is likely tasked with stealing currency to offset sanctions against the state. Around 2017 it began to focus on stealing cryptocurrency. “TA444 had two main avenues of initial access,” notes the report: “an LNK-oriented delivery chain and a chain beginning with documents using remote templates.”
In 2022, however, while continuing to use these methods, it increased its usage of macros for malware delivery. Usually, when threat actors experiment with new delivery mechanisms, they continue to use their existing payloads. Not so with TA444 in 2022. “This suggests,” say the researchers, “that there is an embedded, or at least a devoted, malware development element alongside TA444 operators.”
In early December 2022, the researchers observed a new approach from TA444 – a relatively basic credential harvesting phishing campaign. A TA444 C2 domain began distributing OneDrive phishing emails “rife with typos” to targets in the US and Canada. The infrastructure used suggests it was TA444; the campaign suggests otherwise.
The researchers offer three possibilities: it could be TA444 simply expanding its repertoire; the group could be moonlighting from its primary purpose of sidestepping North Korea’s sanctions; or a different threat actor could have hijacked TA444’s infrastructure.
Whatever the reason, the phishing campaign in December nearly doubled the total volume of TA444 emails observed by Proofpoint for the whole of 2022. Emails were sent to Admin at the target domain. The From entry was “admin[@]sharedrive[.]ink” and the subject was ‘linvoice’ (that is, Invoice starting with a lowercase L rather than uppercase I).
The lure entices the target to click on a SendGrid URL, which redirects to the attackers’ credential harvesting page, which in turn uses common phishing tactics such as loading the victim’s iconography via the logo-rendering service ClearBit.
Proofpoint has ‘moderate to moderately high’ confidence that the campaign is operated by TA444, based on the exclusivity of TA444’s infrastructure. “The emails also had valid DMARC and SPF records, indicating that the sender has control of that domain,” add the researchers.
According to the email received by Coinigy, Zendesk learned on October 25, 2022, that several employees were targeted in a “sophisticated SMS phishing campaign”. Some employees took the bait and handed over their account credentials to the attackers, allowing them to access unstructured data from a logging platform between September 25 and October 26, 2022.
Zendesk told Coinigy that, as part of its ongoing review, it discovered on January 12, 2023, that service data belonging to the company’s account may have been in the logging platform data. Zendesk said there was no indication that Coinigy’s Zendesk instance had been accessed, but its investigation is still ongoing.
Zendesk does not appear to have published any statement or notice related to this incident on its website and the company has not responded to SecurityWeek’s inquiry.
However, based on the available information, it’s possible that the attack on Zendesk is related to a campaign named 0ktapus, in which a threat actor that appears to be financially motivated targeted more than 130 organizations between March and August 2022, including major companies such as Twilio and Cloudflare.
The 0ktapus attackers used SMS-based phishing messages to obtain employee credentials and victims included cryptocurrency companies.
Twilio and Cloudflare discovered breaches in August, but there was no indication that the campaign had ended, so it’s possible that the same hackers targeted Zendesk a few months later.
While Coinigy appears to have been notified by Zendesk about the data breach only in January 2023, other victims appear to have been informed much sooner.
The US-based cryptocurrency exchange Kraken informed customers about a Zendesk breach that involved phishing and unauthorized access to the Zendesk logging system back in November. Kraken said at the time that while accounts and funds were not at risk, the attackers did view the content of support tickets, which contained information such as name, email address, date of birth and phone number.
This is not the first data breach disclosed by Zendesk. In 2019, the company revealed that it had become aware of a security incident that hit roughly 10,000 accounts.
Software engineers tracking the quality of software bills of materials have stumbled on a startling discovery: barely 1% of all SBOMs being generated today meet the “minimum elements” defined by the U.S. government.
Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.
The US government’s cybersecurity agency CISA is giving federal agencies an early February deadline to patch a critical — and already exploited — security vulnerability in the widely used CentOS Control Web Panel utility.
Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.