Over 2B Records Compromised from WeChat & TikTok Via a Compromised Alibaba Storage Instance

AgainstTheWest targets WeChat & TikTok under Operation Renminbi. Over 2 billion user records and 790 GB files leaked. Alibaba Cloud instance exploited.
Updated on
April 19, 2023
Published on
November 3, 2022
Category: Adversary Intelligence
Industry: Communications
Country: China
Source*: A1

Executive Summary

Threat
  • AgainstTheWest targets WeChat & TikTok under Operation Renminbi.
  • Over 2 billion user records and 790 GB files leaked.
  • Alibaba Cloud instance exploited.

Impact
  • Risk of unauthorized changes to accounts.
  • Leaked data can be exploited to conduct social engineering attacks, phishing, identity theft, etc.

Mitigation
  • Keep passwords updated regularly.
  • Use a strong password generation policy.
  • Enable MFA on online accounts.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil has been actively tracking the activities of the threat actor group named AgainstTheWest, which also operates under the aliases BlueHornet and APT49.
  • The group has been targeting Chinese entities in its ongoing campaign titled Operation China / Operation Renminbi.
  • In its latest activity, the group has breached 2.05 billion records from the Chinese messaging and video-sharing apps WeChat and TikTok.
  • The leaked data contained user and payment information.
  • Both breached entities used an Alibaba Cloud instance to store their backend source code, and that instance was compromised by the group.

Figure: The crux of the threat actor’s post on the forum

Detailed Analysis of the Incident

  • The Alibaba Cloud instance used by the compromised entities had a weak password, which served as the group’s initial access point.
  • After gaining access to the cloud storage instance, the group proceeded to provide live updates on Twitter.
  • Samples from the data files attributed to TikTok confirm that the following information was obtained:
    • User information
    • PayPal ID
    • Private IP addresses
    • Email addresses
    • Transaction recipient’s name
  • 11 hours after gaining access, the group had pulled 1.37 billion entries.
  • Additionally, the group obtained access to an Oracle server containing 34 GB of logs.
  • The group stated that it would not be selling the breached data, as the entries contain information on both underage and older people.
  • WeChat’s database was found within the same database as that of TikTok.
  • There was no previous indication that TikTok and WeChat were sharing user information between themselves.
  • It should be noted that WeChat is a government-owned messaging application and TikTok claims not to share any user information with its government.
  • At the time of writing this intelligence report, TikTok has not acknowledged the breach.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: October 2021
Reputation: High (no complaints and credible reputation)
Current status: Active
History: Involved in targeting China and Russia to conduct breaches and sell documents/databases for financial gain.
Rating: A1 (A: Reliable; 1: Confirmed by independent sources)

Impact & Mitigation

Impact
  • Privacy breach of TikTok and WeChat accounts revealed flaws in the security posture.
  • Breached data can be used against the affected individuals to conduct:
    • Phishing/Smishing
    • Social engineering attacks
    • Identity theft

Mitigation
  • Enable security measures such as MFA and a password rotation policy.
  • Download software from trusted app sources.
  • Reveal minimal information while creating online accounts.


Appendix

Figure: Parsed logs of TikTok videos that were found to correspond with the videos on the platform
Figure: Payment records from PayPal that were retrieved as part of the sample released by ATW
Figure: Image shared by AgainstTheWest, possibly indicating that some of the breached source code was hosted on GitHub as well
Figure: GitHub gist that provides information on the files breached from WeChat
