DaaS Gang Hijacks Mandiant’s X Account via Brute-Force Attack
On January 3, 2024, the account of cybersecurity firm Mandiant on Elon Musk’s platform X was compromised to disseminate phishing links leading to pages designed for cryptocurrency theft.
The hacked account was restored without any damage to Mandiant’s or Google Cloud’s systems, yet thousands of users were deceived by the malevolent actors.
Investigations revealed that the account was likely compromised due to a password brute force attack. “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We’ve made changes to our process to ensure this doesn’t happen again,” Mandiant explained.
Since December 2023, cybercriminals have been deploying malicious software named CLINKSINK to steal funds and tokens from Solana users. This malicious campaign involves distributing phishing pages on platforms X and Discord, masquerading as legitimate cryptocurrency resources like Bonk, DappRadar, and Phantom.
CLINKSINK is not merely malware, but a comprehensive Drainer-as-a-Service (DaaS) system, providing culprits with a ready-made drainer program for cryptocurrency theft.
Researchers identified 35 different affiliate identifiers and 42 Solana wallet addresses linked to this campaign. Analysis indicated that the operators and affiliates earned at least $900,000, with approximately 80% of the proceeds typically going to the affiliates and the remainder to the operators.
During the attacks, victims are enticed to connect their cryptocurrency wallets to ostensibly receive free tokens. They then sign fraudulent transactions, enabling the criminals to siphon off all the funds from their wallets.
Mandiant’s investigation uncovered several DaaS offerings using CLINKSINK or its variants, including “Chick Drainer” and “Rainbow Drainer”.
Experts also noted a persistent interest of criminals in cryptocurrencies and related services, which could lead to an increase in similar attacks in the future.
At the end of their report, Mandiant experts presented a YARA rule for identifying CLINKSINK activity, which can aid others in safeguarding their assets.
The growing popularity and value of cryptocurrencies, coupled with the low barrier to entry for such attacks, make drainer operations lucrative for financially motivated wrongdoers. It is crucial to remain vigilant and employ robust security methods to avoid falling prey to these cryptocurrency swindlers.
