Over 2B Records Compromised from WeChat & TikTok Via a Compromised Alibaba Storage Instance

Summary

AgainstTheWest targets WeChat & TikTok under Operation Renminbi. Over 2 billion user records and 790 GB files leaked. Alibaba Cloud instance exploited.
Category: Adversary Intelligence
Industry: Communications
Country: China
Source*: A1

Executive Summary

Threat
  • AgainstTheWest targets WeChat & TikTok under Operation Renminbi.
  • Over 2 billion user records and 790 GB files leaked.
  • Alibaba Cloud instance exploited.
Impact
  • Risk of unauthorized changes to accounts.
  • Leaked data can be exploited to conduct social engineering attacks, phishing, identity theft, etc.
Mitigation
  • Keep passwords updated regularly.
  • Use a strong password generation policy.
  • Enable MFA on online accounts.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil has been actively tracking the activities of the threat actor group named AgainstTheWest, which also operates under the aliases BlueHornet and APT49.
  • The group has been targeting Chinese entities in their ongoing campaign titled Operation China / Operation Renminbi.
  • As their latest activity, the group has breached 2.05 billion records from the Chinese messaging and video-sharing apps WeChat and TikTok.
  • The leaked data contained user and payment information.
  • Both breached entities used an Alibaba Cloud instance to store their backend source code, and that instance was compromised by the group.
The crux of the threat actor’s post on the forum

Detailed Analysis of the Incident

  • The Alibaba Cloud instance used by the compromised entities had a weak password, which served as the group’s initial access point.
  • After gaining access to the cloud storage instance, the group proceeded to provide live updates on Twitter.
  • The samples from data files attributed to TikTok confirm that the following information was obtained:
    • User information
    • PayPal ID
    • Private IP addresses
    • Email addresses
    • Transaction recipient’s name
  • 11 hours after gaining access, 1.37 billion entries had been pulled by the group.
  • Additionally, the group obtained access to an Oracle server containing 34 GB of logs.
  • The group stated that they would not be selling the breached data because the entries include information on both underage and adult users.
  • WeChat’s data was found within the same database as TikTok’s.
  • There was no previous indication that TikTok and WeChat were sharing user information between themselves.
  • It should be noted that WeChat is operated by the Chinese company Tencent, while TikTok states that it does not share user information with the Chinese government.
  • At the time of writing this intelligence report, TikTok has not acknowledged the breach.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: October 2021
Reputation: High (no complaints and credible reputation)
Current status: Active
History: Involved in targeting China and Russia to conduct breaches and sell documents/databases for financial gain.
Rating: A1 (A: Reliable; 1: Confirmed by independent sources)

Impact & Mitigation

Impact
  • The privacy breach of TikTok and WeChat accounts revealed flaws in the entities’ security posture.
  • Breached data can be used against the affected individuals to conduct:
    • Phishing/Smishing
    • Social engineering attacks
    • Identity theft
Mitigation
  • Enable security measures such as MFA and a password rotation policy.
  • Download software only from trusted app sources.
  • Reveal minimal information while creating online accounts.
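The report attributes initial access to a weak password on the cloud storage instance, and both the Executive Summary and the Mitigation list above ask for a strong password generation policy. The following Python block is an added example, not code from CloudSEK or from the affected entities: it enforces a simple credential policy (minimum length, character classes, a breached-password blocklist and an entropy floor) and generates compliant passwords from a CSPRNG. The thresholds and the blocklist are illustrative assumptions; a real deployment would check candidates against a large breach corpus rather than the short constructed set shown here.

```python
"""Password-policy check and generator (added example, not from the report).

MIN_LENGTH, MIN_ENTROPY_BITS and COMMON_PASSWORDS are illustrative
assumptions, not values taken from the incident or from any vendor policy.
"""
import math
import secrets
import string

# Constructed blocklist of frequently breached passwords (illustrative only).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "123456789", "qwerty", "admin",
    "admin123", "letmein", "welcome", "p@ssw0rd", "password1", "root",
    "changeme", "iloveyou", "abc123",
}

MIN_LENGTH = 14          # assumed minimum for service/admin credentials
MIN_ENTROPY_BITS = 60.0  # assumed floor; entropy = length * log2(charset size)

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def _normalise(pw: str) -> str:
    """Lowercase and strip trailing digits/punctuation so that a variant such
    as 'Password123!' is matched against the blocklist entry 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def estimate_entropy_bits(pw: str) -> float:
    """Upper-bound entropy, assuming each character is drawn uniformly from
    the union of the character classes actually present in the password."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in pw))
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in pw)]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))
    if pw.lower() in COMMON_PASSWORDS or _normalise(pw) in COMMON_PASSWORDS:
        violations.append("matches a commonly breached password")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        violations.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return violations


def generate_password(length: int = 24) -> str:
    """Generate a password with the secrets module (CSPRNG) and re-sample
    until it satisfies check_password(), so every class is present."""
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("admin123", "Welcome2024!!!", "Tr0ub4dor&3xyz!Q"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
    print("generated:", generate_password())
```

The blocklist check is what would have caught a credential like the one the report describes; the entropy estimate only bounds the search space and should never be the sole criterion, which is why the common-password and character-class checks run independently of it.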

Appendix

Parsed logs of TikTok videos that were found to correspond with the videos on the platform

Payment records from PayPal, retrieved as part of the sample released by ATW

Image shared by AgainstTheWest, possibly indicating that some of the breached source code was hosted on GitHub as well

GitHub gist that provides information on the files breached from WeChat
