{"id":71898,"date":"2022-12-24T10:00:00","date_gmt":"2022-12-24T08:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=71898"},"modified":"2025-09-08T11:46:13","modified_gmt":"2025-09-08T08:46:13","slug":"trojan-for-bitcoin-wallets-okta-breach-and-other-cybersecurity-events","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/trojan-for-bitcoin-wallets-okta-breach-and-other-cybersecurity-events\/","title":{"rendered":"Trojan for Bitcoin wallets, Okta breach and other cybersecurity events"},"content":{"rendered":"<p>We round up the week&#8217;s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\" id=\"block-26d6ad25-bffe-40f1-bd90-5b763c1f61d4\">\n<li>Crypto-wallet holders targeted by the Android banking Trojan Godfather.<\/li>\n<li>Okta reports breach of its GitHub repositories.<\/li>\n<li>LastPass clarifies the impact of the December breach.<\/li>\n<li>Ukraine\u2019s Ministry of Digital Transformation confirms attack by Ukrainian hackers on Rutube.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Crypto-wallet holders targeted by the Android banking Trojan Godfather<\/strong><\/h2>\n<p>Users of hundreds of banking apps, crypto wallets, and Bitcoin exchanges were targeted by the Android banking Trojan Godfather. 
This was reported by Group-IB researchers.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p lang=\"en\" dir=\"ltr\">Group-IB\u2019s <a href=\"https:\/\/twitter.com\/hashtag\/ThreatIntelligence?src=hash&#038;ref_src=twsrc%5Etfw\">#ThreatIntelligence<\/a> detected more than 400 international financial companies targeted by the <a href=\"https:\/\/twitter.com\/hashtag\/Godfather?src=hash&#038;ref_src=twsrc%5Etfw\">#Godfather<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&#038;ref_src=twsrc%5Etfw\">#Android<\/a> banking <a href=\"https:\/\/twitter.com\/hashtag\/Trojan?src=hash&#038;ref_src=twsrc%5Etfw\">#Trojan<\/a> between June 2021 and October 2022. Godfather\u2019s predecessor is another <a href=\"https:\/\/twitter.com\/hashtag\/banking?src=hash&#038;ref_src=twsrc%5Etfw\">#banking<\/a> Trojan named <a href=\"https:\/\/twitter.com\/hashtag\/Anubis?src=hash&#038;ref_src=twsrc%5Etfw\">#Anubis<\/a>:<a href=\"https:\/\/t.co\/Kf2IGvrLnk\">https:\/\/t.co\/Kf2IGvrLnk<\/a> <a href=\"https:\/\/t.co\/JERnAuNfAC\">pic.twitter.com\/JERnAuNfAC<\/a>\u2014 Group-IB Global (@GroupIB_GIB) <a href=\"https:\/\/twitter.com\/GroupIB_GIB\/status\/1605484697135349760?ref_src=twsrc%5Etfw\">December 21, 2022<\/a><\/p>\n<\/blockquote>\n<p>According to Group-IB, the malware has been spreading since June 2021 and as of October 2022 targeted 215 international banks, 94 crypto wallets, and 110 Bitcoin exchanges. Most of the targets are in the United States, Turkey, Spain, Canada, Germany, France, and the United Kingdom.<\/p>\n<p>Godfather is an upgraded version of the banking Trojan Anubis. 
On the victim&#8217;s device it harvests usernames and passwords and intercepts two-factor authentication codes delivered via SMS, so SMS-based 2FA offers no protection once the device is infected.<\/p>\n<p>The malware is distributed disguised as legitimate apps on Google Play and is sold to other criminals under a &#8216;malware-as-a-service&#8217; model.<\/p>\n<p>The researchers could not estimate the number of victims; however, according to Cyble&#8217;s report, Godfather is distributed in Turkey disguised as a popular music app that has been downloaded over 10 million times on Google Play.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Okta reports breach of its GitHub repositories<\/strong><\/h2>\n<p>Attackers breached Okta&#8217;s GitHub repositories and stole source code from the identity-management provider.<\/p>\n<p>According to an internal memo, GitHub had warned Okta about suspicious access to the Okta Workforce Identity Cloud code repositories in early December. The Auth0 Customer Identity Cloud product was not affected.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/PAPLaPFYrc2R1jzTdIjKM51KXTiVpLcVCD9BJa7s_HKW5dj3iHzLCH9nIj-oTM-HBNksFYnhTL06N09NSPk7bljRGZAMlYq7Je8pgxLZZaipzlBAkE32Qaa9-T-7rYwa7wyHb5m7pohbHZBsooObJNFoTA8zpSX6h9jai9pZUewecCyyoU93iApblErlBA\" alt=\"Trojan for Bitcoin wallets, Okta breach and other cybersecurity events\"\/><figcaption>Source: Bleeping Computer.<\/figcaption><\/figure>\n<p>Okta says the attackers did not gain access to corporate or customer environments, and the incident did not affect its services.<\/p>\n<p>After being alerted to the suspicious access, Okta temporarily restricted access to its GitHub repositories, paused all integrations with third-party applications, and notified law enforcement.<\/p>\n<h2 class=\"wp-block-heading\"><strong>LastPass clarifies impact of December breach<\/strong><\/h2>\n<p>LastPass has completed the investigation into the breach that occurred <a 
href=\"https:\/\/u1f987.com\/en\/news\/scam-deals-with-ton-domains-a-major-twitter-data-leak-and-other-cybersecurity-developments\">earlier in December<\/a>.<\/p>\n<p>The attackers obtained a copy of encrypted customer vault data, together with basic customer account information and related metadata: company names, end-user names, billing addresses, email addresses, phone numbers and the IP addresses from which customers accessed LastPass.<\/p>\n<p>LastPass emphasises that the sensitive fields in the vaults remain encrypted under its zero-knowledge model: the key is derived from the user&#8217;s master password, which never leaves the user&#8217;s device, so the stolen vaults can only be opened by guessing that master password offline.<\/p>\n<p>Unencrypted credit-card data was not affected: LastPass says it does not store complete card numbers, and card data was not archived in the cloud storage environment that was accessed.<\/p>\n<p>LastPass does not disclose the total number of affected users, but advised fewer than 3% of its business customers to take additional steps to safeguard their sensitive data.<\/p>\n<p>LastPass warns that the stolen data could be used for phishing, credential stuffing, or brute-force guessing of master passwords against the copied vaults.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Hackers steal Viber accounts by posing as hypermarkets<\/strong><\/h2>\n<p>Hackers posed as well-known hypermarkets to steal Viber users\u2019 accounts, according to the Telegram channel <a href=\"https:\/\/t.me\/belamova\/32106\">\u201cBelarus Brain\u201d<\/a>.<\/p>\n<p>Since the start of winter, several dozen such cases have been reported.<\/p>\n<p>The scammers send a phishing link with a \u201cpromo code\u201d from a well-known retailer; after following it, the user loses access to their account.<\/p>\n<p>The cybercriminals then call victims from the stolen numbers and, under various pretexts, persuade them to take out a loan in their name.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Hackers bypassed 2FA when hacking Xfinity email<\/strong><\/h2>\n<p>Since December 19, Xfinity Mail users have been receiving notifications that their account information was updated. 
They then lost access when their passwords were changed.<\/p>\n<p>After regaining access, users found that an unknown party had added a secondary email address on the disposable-mail domain yopmail.com to their profile.<\/p>\n<p>Although two-factor authentication was enabled on the accounts, the attackers bypassed it. They reportedly used a privately traded OTP (one-time password) bypass for the Xfinity site that let them pass the 2FA check without the legitimate code.<\/p>\n<p>With the password reset and a recovery address under their control, the attackers then used the compromised mailbox to reset passwords on other services, primarily the cryptocurrency exchanges Coinbase and Gemini. The chain illustrates why a primary email account is the root of trust for every service that recovers passwords through it.<\/p>\n<p>Xfinity did not comment officially, but according to a customer, the company is aware of the breach and is investigating.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Suspected ransomware attack disrupts The Guardian<\/strong><\/h2>\n<p>On the evening of December 20, The Guardian was hit by what is believed to be a ransomware attack, according to <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-12-21\/the-guardian-newspaper-hit-with-suspected-ransomware-attack\">Bloomberg<\/a>.<\/p>\n<p>The incident affected IT systems and several business units, prompting the editors to instruct staff to work from home for the rest of the week.<\/p>\n<p>The publication continued to publish on its site and apps, and the print edition resumed by December 23.<\/p>\n<p>Technical details of the incident are unavailable; an investigation is ongoing.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Ukraine\u2019s Ministry confirms attack by Ukrainian hackers on Rutube<\/strong><\/h2>\n<p>Minister of Digital Transformation of Ukraine Mykhailo Fedorov acknowledged that Ukrainian hackers conducted the cyberattack on the Russian video hosting Rutube on May 9. 
This was reported by Bloomberg.<\/p>\n<p>According to Fedorov, since the war began the IT Army of Ukraine has repeatedly disrupted Russian services. He noted that the Rutube attack was timed to coincide with Victory Day.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe IT Army even managed to hack Rutube employee badges to prevent them from entering the company,\u201d the minister added.<\/p>\n<\/blockquote>\n<p>On May 9 Rutube faced the strongest cyberattack in its history and could not operate for several days. At the time, Anonymous claimed responsibility, saying it had destroyed more than 75% of the primary databases and infrastructure and 90% of the backups and disaster-recovery clusters.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Russian taxi services will grant FSB access to their databases<\/strong><\/h2>\n<p>The State Duma of the Russian Federation passed, in its third reading, a law regulating taxi services.<\/p>\n<p>The document obliges taxi services to give the FSB access to the information systems and databases they use to process and store orders.<\/p>\n<p>The technical means used to process orders, and the databases themselves, must be hosted on the territory of the Russian Federation.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Bitcoins stolen from a Russian darknet marketplace were sent to aid Ukraine.<\/li>\n<li>Authorities in Italy and Albania uncovered a fraudulent crypto-investment scheme.<\/li>\n<li>On OpenSea, Bored Ape tokens worth millions of dollars were stolen.<\/li>\n<li>Hackers demanded $2.25 million in Bitcoin from a Chinese electric-car manufacturer.<\/li>\n<li>Telegram reported mass account thefts.<\/li>\n<li>Since the start of the year, scammers have launched nearly 120,000 tokens.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to read this weekend?<\/strong><\/h2>\n<p>In late June, the Ronin sidechain was relaunched after the March $625 million hack. 
We suggest reading a piece on the project and one of the largest hacker attacks in the history of DeFi.<\/p>\n<p>Read ForkLog&#8217;s Bitcoin news in our <a href=\"https:\/\/telegram.me\/forklog\" target=\"_blank\" rel=\"nofollow noopener\">Telegram<\/a> \u2014 cryptocurrency news, prices and analytics.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We round up the week&#8217;s most important cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":71899,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-71898","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"18","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/71898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=71898"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/71898\/revisions"}],"predecessor-version":[{"id":71900,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/71898\/revisions\/71900"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/71899"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=71898"}],"wp:term":[{"taxonomy
":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=71898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=71898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
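The LastPass item above says the stolen vaults remain protected by a zero-knowledge model. What that protection actually amounts to is the cost of an offline brute-force attack on the master password: key-derivation iteration count multiplied by password entropy. The following is an added example, not code from the digest or from LastPass; it assumes PBKDF2-HMAC-SHA256 as the key-derivation function and a constant attacker hash rate, neither of which the page states.

```python
"""Added example (not from the ForkLog digest or LastPass): what the
"zero-knowledge" claim rests on once an encrypted vault has been stolen.

The attacker can only open the vault by guessing the master password
offline, so the protection equals (cost of one guess) x (number of guesses).
Assumptions, labelled: the KDF is PBKDF2-HMAC-SHA256; the attacker's
throughput is a fixed number of SHA-256 compressions per second.
"""
import hashlib
import math

# Assumed attacker capability (one GPU rig), in SHA-256 compressions per second.
# Each PBKDF2-HMAC-SHA256 iteration costs two SHA-256 compressions.
ASSUMED_SHA256_PER_SECOND = 2e10

# Client-side iteration counts to compare: a legacy low count, a six-figure
# count, and the 600,000 OWASP currently recommends for PBKDF2-HMAC-SHA256.
ITERATION_SCENARIOS = {"legacy": 5_000, "six_figure": 100_000, "owasp_2023": 600_000}


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the 256-bit vault key from the master password (assumed KDF: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def guesses_per_second(iterations: int, sha256_per_second: float = ASSUMED_SHA256_PER_SECOND) -> float:
    """Master-password guesses an attacker can test per second against a stolen vault."""
    return sha256_per_second / (2 * iterations)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           sha256_per_second: float = ASSUMED_SHA256_PER_SECOND) -> float:
    """Expected time to hit the right password: half the keyspace at the attacker's guess rate."""
    return (2.0 ** entropy_bits / 2) / guesses_per_second(iterations, sha256_per_second)


def crack_time_table(passwords: dict[str, tuple[int, int]]) -> dict[str, dict[str, float]]:
    """Expected crack time in years for each (alphabet_size, length) password under each scenario."""
    year = 365.25 * 24 * 3600
    table = {}
    for label, (alphabet, length) in passwords.items():
        bits = password_entropy_bits(alphabet, length)
        table[label] = {name: expected_crack_seconds(bits, n) / year
                        for name, n in ITERATION_SCENARIOS.items()}
    return table


if __name__ == "__main__":
    # Constructed sample passwords: 8 lowercase letters, a 4-word passphrase
    # from a 7,776-word list, and 12 characters from the 94 printable ASCII symbols.
    sample = {"8_lowercase": (26, 8), "4_words_diceware": (7776, 4), "12_mixed": (94, 12)}
    for label, row in crack_time_table(sample).items():
        print(label, {k: f"{v:.2e} years" for k, v in row.items()})
    # Same password and salt, different iteration count: a different key.
    assert derive_vault_key("hunter2", b"salt", 5_000) != derive_vault_key("hunter2", b"salt", 100_000)
```

Two things the table makes visible that the item's wording does not: raising the iteration count buys a linear factor (120x between 5,000 and 600,000), while each extra bit of master-password entropy doubles the attacker's work, so a short master password is not rescued by any realistic iteration count. The attacker rate is an assumption; substitute measured numbers for your own threat model.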
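The Xfinity item above describes a takeover pattern: bypass 2FA, add a recovery address on a disposable-mail domain, change the password, then use the mailbox to reset accounts elsewhere. The profile change is the one step that leaves a clean audit trail. The following is an added detection example, not code from the digest or from Xfinity; the audit events are constructed for the example, and only yopmail.com comes from the report, the other disposable domains are assumed.

```python
"""Added example (not from the ForkLog digest or Xfinity): detect the
recovery-address takeover pattern from the Xfinity item in an audit trail.

Signal: a recovery email on a disposable-mail domain is added to an account;
severity rises when a password change happens within a short window of it.
The events below are constructed; yopmail.com is from the report, the other
disposable domains are assumed.
"""
import json
from datetime import datetime, timedelta

DISPOSABLE_DOMAINS = {"yopmail.com", "mailinator.com", "guerrillamail.com"}

# Constructed audit trail (newline-delimited JSON), not real Xfinity logs.
SAMPLE_EVENTS = """\
{"ts":"2022-12-19T03:12:44Z","account":"alice","action":"recovery_email_added","value":"x7q1@yopmail.com"}
{"ts":"2022-12-19T03:14:02Z","account":"alice","action":"password_changed","value":""}
{"ts":"2022-12-19T09:30:00Z","account":"bob","action":"recovery_email_added","value":"bob.backup@example.org"}
{"ts":"2022-12-19T10:05:00Z","account":"carol","action":"password_changed","value":""}
{"ts":"2022-12-19T12:00:00Z","account":"dave","action":"recovery_email_added","value":"dave@Mailinator.com"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse NDJSON audit events; timestamps become timezone-aware datetimes."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        # fromisoformat() on older Pythons rejects a trailing 'Z', so normalise it.
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def email_domain(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is no '@'."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def detect_recovery_takeover(events: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Flag accounts where a recovery address on a disposable domain was added.

    Severity is 'high' when a password change occurred within `window` of the
    recovery-address change (in either order), 'medium' otherwise.
    """
    by_account: dict[str, list[dict]] = {}
    for e in events:
        by_account.setdefault(e["account"], []).append(e)

    findings = []
    for account, evs in by_account.items():
        pw_times = [e["ts"] for e in evs if e["action"] == "password_changed"]
        for e in evs:
            if e["action"] != "recovery_email_added":
                continue
            domain = email_domain(e["value"])
            if domain not in DISPOSABLE_DOMAINS:
                continue
            nearby_reset = any(abs(t - e["ts"]) <= window for t in pw_times)
            findings.append({
                "account": account,
                "recovery_domain": domain,
                "ts": e["ts"].isoformat(),
                "severity": "high" if nearby_reset else "medium",
            })
    return findings


def run_sample() -> list[dict]:
    """Run the detection over the constructed events."""
    return detect_recovery_takeover(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed events the detection flags alice (disposable recovery address plus a password change two minutes later) as high and dave (disposable address only) as medium, and ignores bob and carol. A domain list is a weak filter on its own, since an attacker can use any mailbox they control; in production, treat every recovery-address change as a notification-worthy event and reserve the domain list for prioritisation.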