8 Weird & (Not So) Wonderful Cyber Attacks, Vulnerabilities, and Slip-Ups

28th June 2022

Cyber attacks have now well and truly joined the ranks of “just another risk to deal with in business”. They are no longer an exception to the norm; the threat they pose is the norm.

Though there are too many humdrum, workaday threats doing the rounds to count, there are also some rather entertaining, oddball cyber stories out there. So, let’s shake off the drudgery of the usual digital woes and explore some more off-the-wall cyber attacks – old and new; “good” and evil; from intelligent to just plain dumb.

1. The Hacker Whose Fingerprints Preceded Them

A would-be cyber criminal did the number one thing that ties someone to the scene of a crime – leaving clear fingerprints behind. However, this bumbling hacker managed to do so digitally. Yes, they uploaded their own fingerprints to the scene of a crime they were trying to commit. You can’t make it up.

Darktrace AI, an autonomous cybersecurity AI, detected a hack that took place at what is only being described as a “luxury goods business” by the media. The company had installed fingerprint scanners at their warehouses to reduce the risk of theft. Which is smart – keys can be lost and PIN-number locks can be easily foiled, so using biometric authentication is a step in the right direction.

However, for a system to authenticate people by their fingerprints, it has to have those people’s fingerprints on file. So, after discovering a vulnerability in one of the scanners, our bumbling hacker did what seemed like a natural next step (to them, at least): they uploaded their own fingerprints in order to try and gain physical access.

Thankfully, Darktrace identified that the scanner was acting strangely within moments. It sounded the alarm to the company’s IT security boffins who handed over the fingerprints, clear as day, to law enforcement.

2. Ransomware That Demands Acts of Kindness

“Hacktivism” is nothing new. Using cybercrime tactics to enact political or social activism has been around since at least the mid-90s when the term was first coined. In more recent years, you’ve most likely heard of worldwide hacktivist groups like Anonymous, LulzSec, and even the recent (and governmentally endorsed) IT Army of Ukraine.

Hacktivists usually focus on disrupting crucial IT infrastructure, defacing digital assets, or breaching data that shows the target organisation’s immorality or malpractice. However, the anonymous (with a lowercase “a”) attackers in this story are taking a different route.

Instead of the usual strains of ransomware that demand crypto payments in exchange for access to encrypted or blocked IT assets, the GoodWill ransomware (discovered in the wild by CloudSEK) encourages the victim to carry out a series of charitable acts to regain access to their systems.

Nobody with a good heart could argue with the specific acts themselves: donating clothes and blankets to the homeless; feeding children from underprivileged backgrounds; and helping the sick with their medical costs.

However, the fact that you are required to document the acts on your phone, taking photos and videos of complete strangers (including children) and posting them to social media could contravene privacy laws depending on where you are in the world. The ransomware also requests that victims gather 5 random children from off the street and take them out to eat. There are countless ways to be charitable that don’t run the risk of kidnapping charges!

There’s also the argument that forced charity is no charity at all, and that the malware could impact communities that it is ostensibly designed to “help”. It could also be highly embarrassing for the parties receiving the charity to be pictured on a public forum.

There are no publicly known victims of the ransomware at the time of writing, though it is believed that the ransomware’s creators are based in India due to comments in the malware’s code and the servers it uses. This story is ongoing at the time of publication, so it’s one to watch in the coming weeks…

3. A Phone Charging Cable That Can Hack You

We’ve all been there – our phone displays the “battery critically low” notification just as we need it to stay in the land of the living for just a few more minutes. If you’re in an office or co-working space, you might be tempted to ask to borrow someone’s charger – you may even find one lying around. However, be cautious.

There are cables out there that are designed to look just like genuine Samsung or Apple chargers but actually have a cyber-sting in their tail. Hak5’s O.MG range of ethical pentesting products is designed to look like innocuous cables and devices, but when they’re plugged in, they create a WiFi network that enables the hacker to keylog their target, issue commands on the target device, and even detect WiFi networks around it.

Obviously, the products sold by Hak5 are all strictly intended for use by those on the right side of the law – chiefly ethical hackers and law enforcement. But they present a very stark feasibility study: that hacking someone through a dodgy phone cable or mystery dongle is very much possible. The devices themselves can even monitor the networks around them and silently “self-destruct” if needed.

In the wrong hands, devices like this could be disastrous. With cables and adapters being an essential part of our relationship with tech, it’s easy to see how a cable like this could be used in a “baiting”-driven social engineering attack.

Got a spare 10 minutes? Mrwhosetheboss on YouTube explains all about these devices.

4. Ye Olde Man-in-the-Middle Attack

A man-in-the-middle attack is a kind of cyber attack whereby a hacker intercepts legitimate communications and either listens in or tampers with the communications silently.

So, with that in mind, when do you think the first man-in-the-middle attack was? The 2000s and the rise of broadband internet? The 90s and the dot-com boom? The 60s when ARPANET, a military precursor to the modern internet, was around? Or perhaps the Second World War and the days of the Enigma machine?

Try 1903. The world’s first hacker had a delightfully characteristic Edwardian name, too: Nevil Maskelyne. Hailing from a long line of magicians and illusionists, Maskelyne used wireless telegraphic tech in his performances to send hidden Morse-code messages to his assistants.

Inventor Guglielmo Marconi was also interested in wireless communication, and famously sent the first wireless telegraph signal across the Atlantic Ocean. Marconi was adamant that messages sent over the wireless telegraph were secure and private.

But Maskelyne – and possible collaborators at the Eastern Telegraph Company – had other ideas. Whether it was a personal desire to damage Marconi’s reputation, a plan to thwart Marconi’s patent plans, or an effort to turn the public away from wireless technology and back to cable telecoms is lost to time. Yet we do know what came of it.

In a planned public demonstration at London’s Royal Institution, John Ambrose Fleming was on hand to receive a Morse code message from Marconi who was in Cornwall. Maskelyne was able to successfully send a mocking coded diatribe that Fleming later described as “scientific vandalism” – a whimsical term that we feel needs to be resurrected!

5. “Gizza Job – or Else”

How do you go about getting an IT job at a global hotel chain? Normal folk would probably give answers like “make sure your CV is exceptional”, others may say “practice your interview skills”, others still may say “interact with the relevant people on LinkedIn”. All great answers.

However, the job-seeker in our story turned to cyber-blackmail. You know, as you do.

He sent an infected email to numerous employees at the Marriott Hotels chain that allowed him to steal swathes of confidential and financial information from across the chain’s whole network. He then threatened to release this information unless he was given a job on Marriott’s IT team.

Marriott informed US law enforcement and together they laid a trap. A Secret Service agent posed as a Marriott HR team member, discussing a job proposition with the “candidate”. They set up a sting operation (on the pretence of a job interview) to get the hacker on-site, and asked him all about the hack which he told them gladly.

He left in handcuffs and didn’t have to worry about finding a job again for another 30 months.

6. “This Hack’s Really Underground, You’ve Probably Never Heard of It” 

Not OK, computer. Moral victories don’t come very often in the world of cyber security. Yet when indie rock royalty suffered a cyber attack, they dealt with it flawlessly.

Hackers got their hands on a trove of unreleased material from mopey legends Radiohead, demanding a ransom of $150,000 in exchange for keeping it under wraps.

The band’s guitarist Jonny Greenwood stated on Facebook that the hacked material comprised a MiniDisc archive of unreleased tracks from the band’s late 90s heyday. (Crikey, anyone here remember MiniDiscs?!)

Rather than paying the ransom, the band did something that the hackers were probably not expecting. They released an album called “MiniDiscs [Hacked]” and made it temporarily available through Bandcamp.

Greenwood’s characteristically sardonic post read “Instead of complaining – much – or ignoring it, we’re releasing all 18 hours on Bandcamp in aid of Extinction Rebellion. So, for £18 you can find out if we should have paid that ransom.”

In another rock-related cyber attack, hackers lobbed malware at Iranian nuclear facilities that played AC/DC’s Thunderstruck at full volume at random intervals, including in the middle of the night. Quite the dirty deed, though no word on the price…

7. The New Hottest Impersonator Around: Artificial Intelligence

Skilled impersonators have graced our screens for years, but human impersonators beware – there’s a new mimic in town! And these robotic impersonators aren’t necessarily being used for good.

In 2019, hackers used highly advanced AI software to impersonate an executive’s voice and made off with €220,000 in the process.

Artificial intelligence was used to mimic a C-Suite boss at a German company who then made a call to a CEO at a British subsidiary. The recipient of the call didn’t suspect a thing when the German exec – effectively his boss – requested that he make an urgent payment to a Hungarian supplier.

The UK CEO reportedly recognised “his boss’ slight German accent and the melody of his voice on the phone”. Scary stuff.

An even more expensive AI vishing attack was hatched in 2020 when a Hong Kong bank manager received a call from a director at a company he worked with, requesting $35 million in transfers. The bank manager even received an email trail between the supposed caller and a lawyer to further legitimise the transfers. But it was all a ruse.

If someone calls or emails you asking for a random, unexpected payment to a new party, always double-check with them over a different channel from the one the request was made on. Strange email from your FD? Give her a ring. Odd phone call from a colleague? Shoot them an email or Slack message to confirm their request.


8. IoT Leaves Casino in Hot Water

We’ve talked at length on our blogs about securing Internet of Things (IoT) and industrial control devices. US retailer Target suffered a withering theft of personally identifying data enacted through their internet-connected air-con system. A German steel mill suffered a safety system hack that resulted in excessive damage. We’ve even seen malicious Russian attacks on Ukrainian power grids – both before and during their so-called “special military operation”.

But this IoT attack is a little more bizarre. Though IT bods will likely now keep a hawk-like watch over HVAC systems, internet-enabled safety controls, and infrastructural persistent threats, some may overlook securing a humble fish tank.

Hackers exploited a vulnerability in a North American casino’s internet-enabled aquarium thermostat to exfiltrate 10 GB of data to a mystery server in Finland using protocols usually reserved for media streaming. Our jury’s still out on why something like this needs to be internet-enabled in the first place.

We advise that all internet-connected devices be vetted for vulnerabilities before installing. We’d also give a device like this a bit of a sense-check: sure, temperature, salinity, and feeding can and should be automated for the good of the animals… but do those controls really need to be online? Answers on a postcard.

Cyber nasties can come at you from all angles, whether it’s from a highly sophisticated cabal of criminals, a bumbling would-be hacker, or even a desperate job hunter! Hopefully these weird and wonderful stories will help you avoid some of the more unusual cyber attacks out there. 
