As a New Year treat, Threat Intelligence Platform (TIP) researchers decided to look back at some of the most newsworthy cybersecurity incidents in 2022—the Revolut Data Breach, the series of attacks launched by Lapsus$, and a newly detected PayPal phishing tactic.
We analyzed and expanded some of their indicators of compromise (IoCs) by gleaning insights from our threat intelligence sources. Our key findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
The Revolut incident exposed the personal data of more than 50,000 customers. In the weeks following the attack, Revolut customers began receiving phishing messages, including those informing them of a new card request. The message also instructed customers to visit revolut-card-cancel[.]com if they did not make the request.
The domain name has already been reported as malicious on TIP, as shown in the screenshot below.
Additional details provided by the tool allowed us to find possible domain connections. We discovered 144 domains currently owned by the same registrant organization, “be base.”
Based on the list of related domains, the threat actor may also be targeting customers of foreign exchange company Monzo, as shown in the word cloud below, which also reveals other text strings that appeared alongside the target companies’ names. These strings included urgency-inducing words like review, replacement, confirm, and login.
We also found 80 domains containing revolut added from 1 December 2022 to 2 January 2023. TIP flagged 14% of the total number of artifacts as malicious, most of which were WHOIS-connected domains.
Some unflagged Revolut domains continued to host questionable content. Some artifacts remained inactive, likely awaiting content, while others were parked. Below are some sample artifacts hosting questionable content.
Among the most active threat groups last year was Lapsus$, having successfully attacked large enterprises across a variety of industries, including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.
TIP researchers dove into some of the IoCs connected to the group, comprising more than 40 domains, IP addresses, and email addresses. We determined their geolocations, looked for connected domains, and analyzed the artifacts.
Most of the active IP resolutions were concentrated in Europe, while several were also geolocated in the U.S. The geographic distribution of the resolving IoCs connected to Lapsus$ is reflected in the following map.
TIP associated the IoCs with 679 domain names since they shared the IoCs’ IP hosts. About 5% of these artifacts have already figured in malicious campaigns and have been reported as dangerous by malware engines.
Some malicious artifacts were finance-themed, either blatantly imitating Scotia Bank, Zerodha, and Uniswap or using terms such as auth, real estate, and the German equivalent of bank verification. These and other recurring terms are reflected in the following word cloud.
Alarmingly, some of the malicious artifacts continued to host or redirect to live pages. Here are a few examples.
While the Lapsus$ Group was quite active on social media, most of their IoCs had redacted WHOIS records. However, we found a few unredacted registrant details that allowed us to track additional domain connections.
For example, the registrant organization that registered the IoC windows-upgraded[.]com was called “Ozil Verfig.” The entity also appeared in the current WHOIS records of 42 other domains.
Another IoC with unredacted registrant details was discrodappp[.]com, whose registrant organization, Olexandra Kozachenko, registered 34 other domain names.
Only a few WHOIS-connected artifacts had active resolutions, most hosting adult content and login pages. Here are a few examples.
PayPal phishing may sound old, but KrebsOnSecurity reported a new tactic last year—the phishers sent fake invoices through paypal[.]com, effectively bypassing email validation. The email contained a number to call for disputes. When targeted users called the hotline, they were asked to download a remote administration tool from globalquicksupport[.]com.
Building on this IoC, we found more than 1,500 possibly connected domains containing support and using the same name server used by globalquicksupport[.]com around the time of the phishing attack.
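The pivots used throughout this study (domains sharing a registrant organization, a name server, or an IP host, plus brand names paired with urgency words) can be reproduced over any set of WHOIS and DNS records. The script below is an added illustration, not TIP's own tooling; every domain, registrant, name server and IP in it is constructed, and the record layout and word lists are assumptions.

```python
"""IoC expansion by WHOIS/DNS pivots, modelled on the report's method.
All records below are constructed samples, not real observations."""
from collections import defaultdict

# Constructed sample records: domain -> (registrant org, name server, resolving IP).
# "REDACTED" stands for a privacy-protected WHOIS field, which cannot be pivoted on.
RECORDS = {
    "revolut-card-cancel.example": ("be base", "ns1.host-a.example", "203.0.113.10"),
    "revolut-login-review.example": ("be base", "ns1.host-a.example", "203.0.113.10"),
    "monzo-card-replacement.example": ("be base", "ns2.host-b.example", "203.0.113.11"),
    "globalquicksupport.example": ("REDACTED", "ns1.host-c.example", "198.51.100.5"),
    "apple-id-support.example": ("REDACTED", "ns1.host-c.example", "198.51.100.6"),
    "weather-blog.example": ("Acme Weather", "ns9.host-z.example", "192.0.2.77"),
}

REGISTRANT, NAME_SERVER, IP = 0, 1, 2          # assumed field positions

# Assumed brand and lure vocabularies, taken from the word clouds in the report.
BRANDS = ("revolut", "monzo", "paypal")
URGENCY = ("review", "replacement", "confirm", "login", "cancel", "support")


def pivot(records, field):
    """Group domains by one attribute, skipping redacted values."""
    groups = defaultdict(set)
    for domain, attrs in records.items():
        if attrs[field] != "REDACTED":
            groups[attrs[field]].add(domain)
    return groups


def connected(records, seed, field):
    """Domains sharing the seed IoC's attribute, excluding the seed itself."""
    value = records[seed][field]
    if value == "REDACTED":
        return set()                      # nothing to pivot on
    return pivot(records, field)[value] - {seed}


def lure_score(domain):
    """Number of brand names plus urgency words in the domain's first label."""
    label = domain.split(".")[0]
    return sum(w in label for w in BRANDS) + sum(w in label for w in URGENCY)


def suspicious(records, threshold=2):
    """Domains that combine a brand with an urgency word (or several lure words)."""
    return sorted(d for d in records if lure_score(d) >= threshold)
```

A redacted registrant yields no WHOIS pivot, which is why the report falls back to name-server and IP-host connections for such IoCs.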
TIP detected some artifacts as malicious, some of which imitated organizations like the Digital Federal Credit Union (DCU), Apple, and CaixaBank. Some domains seemed to host generic support sites like the PayPal phishing scam IoC we analyzed. Based on Wayback Machine results, the domain hosted the content below around the time of the attack.
On the other hand, about 88% of the artifacts had active resolutions, with several hosting live content. Examples are shown below.
These cybersecurity incidents may have occurred last year, but our study shows that some domain connections remain active to this day. These threats may thus persist into 2023 and the years to come. Utmost protection through comprehensive threat intelligence and proactive cybersecurity measures is necessary.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.