ICYMI: Neopets & the Gaming Problem; SolarWinds Hackers Are Back; Google Ads Abused

Published: 23/11/2024   Category: security




Dark Reading's weekly roundup of all the OTHER important stories of the week.



Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.
Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:
Neopets & Gaming's Lax Security
SolarWinds Hackers Embrace Google Drive in Embassy Attacks
Nation-State Attacks Ramp Up in APT-a-Palooza
Google Ads Abused as Part of Tech Support Scams
Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting leisure-activity companies during the summer months. According to reports, the purveyor of virtual pets was robbed of its source code as well as the personal information belonging to its 69 million users.
A hacker who goes by the handle TarTarX is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 at Friday's exchange rate. The stolen PII appears to include members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.
It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.
"We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."
Any users impacted by the breach should ensure the password they used for Neopets isn't used elsewhere, given the potential for credential-stuffing attacks, he adds.
The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.
The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobelium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.
"In both cases, the phishing documents contained a [Google Drive] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.
APT29 is believed by the US government to be affiliated with Russia's Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also for the hack of the United States Democratic National Committee (DNC) in 2016.
The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) apps.
"The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox, and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS's strengths for nefarious ends. And the matter only becomes worse with more SaaS out of sight for many security teams."
Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group's Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.
Google's Threat Analysis Group, for its part, flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) has created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine's national guard.
"CyberAzov is hosted on a domain controlled by the actor and disseminated via links on third-party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, the DoS consists only of a single GET request to the target website, not enough to be effective.
In reality, the app is designed to map out who would want to use such an app to attack Russian websites, according to additional commentary from Bruce Schneier.
Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.
"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.
Also notable is the fact that the effort revolved around a fairly uncommon piece of malware called GoMet, an open source backdoor that was first seen in the wild in March.
And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).
"The malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.
People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.
A malvertising campaign is abusing Google's ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.
"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."
In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.
"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.
The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.
