- AgainstTheWest targets WeChat and TikTok under Operation Renminbi.
- Over 2 billion user records and 790 GB of files leaked.
- An Alibaba Cloud instance protected by a weak password served as the initial access point.
- Risk of unauthorized changes to affected accounts.
- Leaked data can be exploited for social engineering, phishing, identity theft, and similar attacks.
- Rotate passwords regularly.
- Enforce a strong password policy.
- Enable MFA on online accounts.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil has been actively tracking the threat actor group AgainstTheWest, which also operates under the aliases BlueHornet and APT49.
- The group has been targeting Chinese entities in an ongoing campaign titled Operation China / Operation Renminbi.
- In its latest activity, the group claims to have breached 2.05 billion records from the Chinese messaging and video-sharing apps WeChat and TikTok.
- The leaked data contains user and payment information.
- Both breached entities stored their backend source code on an Alibaba Cloud instance, and that instance was compromised by the group.
Figure: The crux of the threat actor’s post on the forum
Detailed Analysis of the Incident
- The Alibaba Cloud instance used by the compromised entities had a weak password, which served as the group’s initial access point.
- After gaining access to the cloud storage instance, the group posted live updates on Twitter.
- Samples from the data files attributed to TikTok confirm that the following information was obtained:
  - User information
  - PayPal IDs
  - Private IP addresses
  - Email addresses
  - Transaction recipients’ names
- Within 11 hours of gaining access, the group had pulled 1.37 billion entries.
- The group also obtained access to an Oracle server containing 34 GB of logs.
- The group stated that it would not sell the breached data because the entries contain information on both minors and adults.
- WeChat’s data was found in the same database as TikTok’s.
- There was no previous indication that TikTok and WeChat shared user information with each other.
- It should be noted that WeChat is operated by Tencent and is generally regarded as subject to Chinese government access to its data, whereas TikTok claims not to share user information with the Chinese government.
- At the time of writing this intelligence report, TikTok had not acknowledged the breach.
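The sustained pull described above (1.37 billion entries within the first 11 hours of access) is the kind of activity a rate-based detector over storage access logs can surface long before the exfiltration completes. The following Python is an added example and is not code from CloudSEK, from the threat actor, or from Alibaba Cloud; the log line format, principal names, IP addresses and thresholds are constructed assumptions, and the real Alibaba Cloud OSS access-log format differs, so parse_line() would need to be adapted to whatever your storage service emits.

```python
"""Rate-based bulk-read detector for object-storage access logs.

Added example, not part of the original CloudSEK report or of any Alibaba Cloud
tooling. The log line format used here is constructed and simplified:

    <ISO-8601 UTC timestamp> <principal> <source_ip> <operation> <bytes>

It is NOT the real Alibaba Cloud OSS access-log format; adapt parse_line() to
whatever your storage service emits.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_line(line):
    """Split one constructed log line into (timestamp, principal, ip, op, bytes)."""
    ts, principal, ip, op, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, principal, ip, op, int(nbytes)


def detect_bulk_reads(lines, window=timedelta(minutes=10),
                      max_reads=100, max_bytes=500 * 1024 * 1024):
    """Sliding-window detector keyed on (principal, source_ip).

    Raises one alert per key the first time either the number of GetObject
    calls or the bytes read inside `window` exceeds a threshold. Lines are
    sorted by timestamp first because log delivery is often out of order.
    """
    recent = defaultdict(deque)   # key -> deque of (timestamp, bytes) inside window
    totals = defaultdict(int)     # key -> bytes currently inside the window
    alerted = set()
    alerts = []
    for line in sorted(lines, key=lambda l: l.split()[0]):
        when, principal, ip, op, nbytes = parse_line(line)
        if op != "GetObject":
            continue
        key = (principal, ip)
        q = recent[key]
        q.append((when, nbytes))
        totals[key] += nbytes
        # Drop events that have fallen out of the window.
        while q and when - q[0][0] > window:
            _, old = q.popleft()
            totals[key] -= old
        if key in alerted:
            continue
        if len(q) > max_reads or totals[key] > max_bytes:
            alerted.add(key)
            alerts.append({
                "principal": principal,
                "source_ip": ip,
                "window_start": q[0][0].isoformat(),
                "reads_in_window": len(q),
                "bytes_in_window": totals[key],
            })
    return alerts


def constructed_logs():
    """Constructed sample traffic: one benign job and two exfiltration patterns."""
    base = datetime(2022, 9, 3, 10, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Benign: a backup service reads 20 small objects spread over an hour.
    for i in range(20):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.strftime(fmt)} backup-svc 10.0.0.5 GetObject 20480")
    # Many small reads: 150 x 1 MiB objects in five minutes from an external IP.
    for i in range(150):
        t = base + timedelta(minutes=30, seconds=2 * i)
        lines.append(f"{t.strftime(fmt)} svc-admin 203.0.113.10 GetObject 1048576")
    # Few huge reads: 8 x 100 MiB dumps one minute apart (byte threshold trips first).
    for i in range(8):
        t = base + timedelta(minutes=60 + i)
        lines.append(f"{t.strftime(fmt)} dump-job 10.0.0.9 GetObject 104857600")
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_reads(constructed_logs()):
        print(alert)
```

Two thresholds are needed because a dump can look like either many small reads (a per-user export loop) or a handful of very large reads (whole-table backups); the count rule catches the first pattern and the byte rule the second, and keying on principal plus source IP keeps a legitimate service account's traffic from masking a stolen credential used from a new address.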
Threat Actor Activity and Rating
| Threat Actor Profiling | |
|---|---|
| Reputation | High (no complaints and a credible reputation) |
| Activity | Involved in targeting China and Russia to conduct breaches and sell documents/databases for financial gain |
| Rating | A1 (A: reliable; 1: confirmed by independent sources) |
Impact & Mitigation
- The exposure of TikTok and WeChat user data reveals flaws in the affected entities’ security posture; by the actor’s own account, a weak password on the shared Alibaba Cloud instance was enough for initial access.
- Breached data can be used against the affected individuals to conduct:
  - Social engineering and phishing attacks
  - Identity theft
- Enable security measures such as MFA and a password rotation policy. This applies as much to the cloud consoles and storage instances that hold user data as to end-user accounts.
- Download software only from trusted app sources.
- Reveal minimal information when creating online accounts.
Figure: Parsed logs of TikTok videos that were found to correspond with videos on the platform
Figure: PayPal payment records retrieved as part of the sample released by ATW
Figure: Image shared by AgainstTheWest, possibly indicating that some of the breached source code was also hosted on GitHub
Figure: GitHub gist listing the files breached from WeChat