
Banish Browser Clutter: How to Easily Remove Junk Files on Android

 


A web browser on an Android phone accumulates data such as cookies and cache. Some of it is useful, but some is unwanted and can put the user's privacy at risk. Users should clear this data regularly so that junk is removed from the device and unknown data trackers cannot keep storing extraneous information on it.

How cache and cookies are cleared depends on the browser in use, such as Google Chrome, Samsung Internet, or Mozilla Firefox. The process varies from browser to browser but usually involves opening the browser's settings and choosing the data to delete.

In Google Chrome, users can clear cookies and cache by tapping the More button and navigating to History. The browser offers several choices: browsing history, cookies and site data, cached images and files, and a time range within which the selected data should be deleted.

Samsung Internet offers similar options: browsing data, cookies, and cache can be deleted from within the browser app or through the phone's settings menu. Mozilla Firefox can clear several categories of browsing data, including Open tabs, Browsing history, Site data, the Downloads folder, Cookies, and Cached images and files. Most of what builds up in the device's cache and cookies is plain junk, and some of it may come from a single site the user visited once.

Some of this data is used for tracking: companies show users advertisements based on the items they buy or watch online, and others track browsing history continuously for the same purpose. That is why the cache should be cleared frequently. Doing so removes data users no longer need on their phone, including cookies set by known data trackers.

After clearing the cache, users will have to log back into some of their favourite websites, but that is a small price to pay for keeping unnecessary data from accumulating on the phone. Note that the steps vary slightly depending on the phone and web browser in use.

In the Android version of Google Chrome, users can delete cookies and cache by first tapping the More button at the top right of the browser, indicated by a column of three dots, then tapping History, and then deleting their cookies and cache. The same screen can also be reached through the Privacy and Security menu in Chrome's Settings. Besides removing browsing history, cookies, and site data, Chrome offers two advanced settings for clearing cached files and images.

From the drop-down menu, users choose a time range: anywhere from the last 24 hours to the last four weeks, or the entire history. Tapping the Advanced tab exposes additional options, such as deleting saved passwords, auto-fill form data, and site settings.

Once the items to delete are selected, tap the blue Clear data button at the bottom of the screen. If Chrome has determined that certain websites are "important" to the user, it may ask for confirmation before clearing their data. Like Chrome for Android, the Mozilla Firefox Android app also lets users clear the cache from within the application.

This feature is reached by tapping the More button to the right of the address bar, also indicated by three vertically aligned dots, then opening the Settings menu, scrolling down, and tapping Delete browsing data. Firefox's Delete browsing data menu offers more freedom than the other three browsers mentioned here: users can delete all currently open tabs, their browsing history, site data, permissions, and even the Downloads folder, along with Cookies and Cached images and files.

As with Chrome, users can select a time range, but they can also be more specific about the type of data they want removed rather than merely picking a period. Firefox additionally offers an option to discard browsing data automatically.

In the Settings tab, an option instructs Firefox to delete any combination of these categories every time the user quits the browser. For users who want to keep their browsing history tidy, this is quite useful, since it avoids accidentally handing their browsing history to a person who has stolen the phone or gained access to it some other way.

Apple ID Shuts Down: Users Panic While Trying to Reset Password


Apple IDs serve as the gateway to our digital ecosystem, unlocking access to our photos, messages, apps, and more. But what happens when that gateway suddenly slams shut, leaving us locked outside?

Recently, Apple users have been struggling with this very issue, as widespread reports of forced password resets have surfaced.

Locked out of your Apple ID? Here’s what you need to know

If you've been locked out of your Apple ID in the last day or so without warning, you're not alone.

Apple users have been suffering a wave of forced lockouts, with some indicating that they have been forced to reset their passwords to regain access.

The lockouts have resulted in customers losing access to their devices, but there appears to be no root cause or anything in common across incidents, and Apple has yet to comment on the matter. 

The company's System Status website indicates that all services are "operating normally," with Apple ID services particularly listed as "available."

The lockout mystery

If your Apple ID has locked you out, you might panic and try your usual password, only to be left staring at an "Incorrect Password" message. What gives?

The cause of these lockouts remains a mystery. Some experts believe it is a security measure triggered by suspicious activity, while others suspect a glitch in the matrix. Regardless, the concern is real, and users have taken to social media to share their stories of being shut out.

Have you had your password reset?

If your Apple ID has been locked out and you must change your password, any app-specific passwords you have created will also need to be reset. That applies whether you use apps like Spark Mail, Fantastical, or any number of others.

It could also cause significant issues if you use iOS 17.3's Stolen Device Protection: you'll need biometrics on your iPhone, such as Face ID or Touch ID, to access your account or use Apple Pay.

Apple’s silence

As the lockout story unfolds, Apple has remained silent: no official statements, no explanations. The tech giant continues to operate, but users are scrambling to regain control of their digital lives. Is it a glitch? A security enhancement? For now, we can only wait for Apple's response.

What can you do?

1. Reset Your Password: Change the password. But remember the app-specific ones too.

2. Biometrics: If you’ve set up Face ID or Touch ID, use them to reclaim your digital ID.

3. Stay Tuned: Keep an eye on Apple’s official channels. 

Why Shouldn't You Upload Files So Readily On Your Browser?


The digital society we live in has made it abundantly clear that being cautious about online activities goes beyond avoiding suspicious links. Recent findings by cybersecurity researchers have surfaced a new ransomware threat that exploits web browsers, potentially putting users' files at risk.

The Rising Threat

Modern web browsers like Google Chrome and Microsoft Edge offer advanced functionalities, allowing users to seamlessly interact with various online services, from email to multimedia streaming. However, these capabilities also open doors for hackers to manipulate browsers and gain unauthorised access to users' local file systems.

What Is The Risk?

The File System Access API, utilised by browsers, enables web applications to interact with users' files. This means that uploading files to seemingly benign online tools could inadvertently grant hackers access to personal data stored on the user's computer.

The Implications

Imagine using an online photo editing tool. Uploading files for editing could inadvertently expose your entire file system to malicious actors, who could then encrypt your files and demand ransom for decryption.

The Scale of the Issue

Ransomware attacks have become increasingly prevalent, targeting individuals and organisations across various sectors. In 2023 alone, organisations paid over $1.1 billion in ransomware payments, highlighting the urgent need for robust cybersecurity measures.

Addressing the Threat

Researchers at the Cyber-Physical Systems Security Lab at Florida International University have been investigating this new breed of ransomware. Their findings, presented at the USENIX Security Symposium, underscore the severity of the threat posed by browser-based ransomware.

Recommended Practices 

The research team proposed three defence approaches to mitigate the risk of browser-based ransomware. These strategies focus on detecting and preventing malicious activity at the browser, file system, and user levels, offering a multi-layered defence mechanism against potential attacks.

1. Temporarily Halting Web Applications:

This approach temporarily suspends a web application's activity in the browser so that suspicious behaviour related to file encryption can be detected. By monitoring the application's actions, security systems can identify and interrupt potential ransomware activity before it causes significant damage, letting users keep control of their files and preventing unauthorised access by threat actors.

2. Monitoring Web Application Activity:

In addition to halting web applications, this defence strategy continuously monitors their activity on users' computers. By analysing the patterns and behaviours associated with ransomware attacks, security systems can detect and respond to anomalous activity. Real-time monitoring ensures timely intervention and minimises the impact of browser-based ransomware on users' systems.

3. Introducing Permission Dialog Boxes:

To give users greater control over access to their file system, this approach proposes permission dialogue boxes. When a web application requests access to the user's local files, a dialogue box prompts the user to approve or deny the request and explains the associated risks and implications. By promoting awareness and informed decision-making, this measure strengthens the user's security posture and reduces the likelihood of inadvertently exposing files to ransomware.
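As an added example, not code from the original post or from the FIU research, the following JavaScript sketches the first two defences above (monitoring, then halting): it observes a web application's file writes, flags high-entropy (encrypted-looking) overwrites, and halts the origin once it rewrites too many distinct files within a short window. The event shape, thresholds, origin name and sample writes are assumptions; a real deployment would hook the browser's FileSystemWritableFileStream, which this example simulates with constructed events.

```javascript
// Added example: heuristic write monitor for a web app's File System Access
// API usage. Thresholds, event shape and sample data are assumptions.

// Shannon entropy of a byte array, in bits per byte (max 8.0).
function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b] += 1;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Policy: how many distinct files an origin may overwrite with
// high-entropy (encrypted-looking) data inside one sliding window.
const DEFAULT_POLICY = {
  entropyThreshold: 7.0,   // bits/byte; ciphertext and compressed data sit near 8
  windowMs: 10_000,        // sliding window length
  maxHighEntropyFiles: 5,  // distinct files before the origin is halted
};

class WriteMonitor {
  constructor(origin, policy = DEFAULT_POLICY) {
    this.origin = origin;
    this.policy = policy;
    this.events = [];     // { t, path, entropy } within the window
    this.halted = false;  // once set, every further write from this origin is blocked
  }

  // Observe one attempted write and return a verdict: allow, halt or blocked.
  observe({ path, data, timestamp }) {
    if (this.halted) {
      return { action: 'blocked', reason: `${this.origin} is halted` };
    }
    const entropy = shannonEntropy(data);
    this.events.push({ t: timestamp, path, entropy });
    // Keep only events inside the sliding window.
    this.events = this.events.filter(e => timestamp - e.t <= this.policy.windowMs);
    const suspicious = new Set(
      this.events
        .filter(e => e.entropy >= this.policy.entropyThreshold)
        .map(e => e.path)
    );
    if (suspicious.size >= this.policy.maxHighEntropyFiles) {
      this.halted = true;  // defence 1: suspend the web application
      return { action: 'halt', files: [...suspicious], entropy };
    }
    return { action: 'allow', entropy };
  }
}

// Deterministic xorshift32 stream standing in for ciphertext (constructed sample data).
function pseudoRandomBytes(n, seed) {
  const out = new Uint8Array(n);
  let x = seed >>> 0 || 1;
  for (let i = 0; i < n; i++) {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    out[i] = x & 0xff;
  }
  return out;
}

// Replay a constructed write sequence from one origin: one benign text save,
// then six files overwritten with encrypted-looking data within seconds.
function runDemo() {
  const monitor = new WriteMonitor('https://photo-editor.example');  // assumed origin
  const text = new TextEncoder().encode('Meeting notes: review the Q3 budget draft.\n'.repeat(50));
  const verdicts = [monitor.observe({ path: '/Documents/notes.txt', data: text, timestamp: 0 })];
  for (let i = 1; i <= 6; i++) {
    const data = pseudoRandomBytes(8192, 1000 + i);
    verdicts.push(monitor.observe({ path: `/Pictures/photo${i}.jpg`, data, timestamp: i * 1000 }));
  }
  return verdicts;
}

console.log(runDemo().map(v => v.action).join(' '));
```

The fifth high-entropy overwrite trips the policy and halts the origin; the sixth is rejected outright, which is the point at which a real browser would surface the prompt described in the third defence.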

As technology continues to transform, so do the tactics employed by cybercriminals. By staying informed and implementing proactive cybersecurity measures, users can safeguard their digital assets against threats like browser-based ransomware.




SpaceX Data Breach: Hunters International Publishes Alleged Stolen Data

 

SpaceX, Elon Musk's aerospace manufacturing and space transport services firm, is believed to have suffered a data breach: Hunters International, an infamous hacker group, has allegedly released samples of the stolen SpaceX data.

The breach appears to involve relatively old data, and Hunters International seems to be name-dropping SpaceX as a form of extortion. Notably, SpaceX was affected by a prior data breach in early 2023 linked to the LockBit ransomware group, and the samples now being published are identical.

The hacker group shared samples and databases allegedly related to SpaceX, including access to 149.9 GB of data. This database, which was originally linked to the initial SpaceX data breach prompted by LockBit, was traced back to a third-party source in SpaceX's supply chain, specifically a manufacturing contractor in Texas. 

LockBit allegedly took control of 3,000 drawings or schematics confirmed by SpaceX engineers after compromising the vendor's systems.

In March 2023, the LockBit Ransomware group breached a third-party manufacturing contractor in Texas, which was part of SpaceX's supply chain, taking 3,000 authorised drawings and schematics developed by SpaceX engineers. 

LockBit wrote SpaceX CEO Elon Musk directly, threatening to sell the stolen designs if the ransom was not paid within a week. The gang's brazen approach was intended to profit from the sensitive data, regardless of the vendor's response. Despite fears about compromised national security and the possibility of identity theft, SpaceX hasn't confirmed the hack, leaving the claims unresolved.

This breach, along with the reemergence of published data from previous instances, emphasises the ongoing threat of cyberattacks on critical infrastructure. It highlights the critical necessity for strong cybersecurity measures to protect against such breaches, as the consequences go beyond financial loss and have broader security concerns.

The return of data from last year's SpaceX data breach has raised serious concerns. This recurrence jeopardises millions of people's personal and financial security, putting them at risk of identity theft and fraud. Notably, despite the breach being first reported last year and now resurfacing, SpaceX has yet to confirm the incident, making the claims unconfirmed.

Researchers Successfully Sinkhole PlugX Malware Server, Recording 2.5 Million Unique IPs

 

Researchers successfully seized control of a command and control (C2) server linked to a variant of the PlugX malware, effectively halting its malicious operations. Over the span of six months, more than 2.5 million connections were logged from diverse IP addresses worldwide.

Beginning in September 2023, cybersecurity firm Sekoia took action upon identifying the unique IP address associated with the C2 server. Their efforts resulted in the logging of over 2.4 million unique IP addresses from 170 countries, allowing for comprehensive analysis of the malware's spread and the development of effective countermeasures.

Sekoia's researchers acquired the C2 server's IP address for $7. They then obtained shell access to the server and set up a mimicry of the original C2 server's behaviour, which let them capture HTTP requests from infected hosts and gain insight into the malware's activity.

The sinkhole operation revealed a daily influx of between 90,000 to 100,000 requests from infected systems, originating from various locations worldwide. Notably, certain countries accounted for a significant portion of the infections, with Nigeria, India, China, and the United States among the most affected.

Despite the challenges posed by the malware's lack of unique identifiers and its ability to spread through various means, Sekoia's researchers identified potential strategic interests, particularly in regions associated with China's Belt and Road Initiative.

To address the widespread infection, Sekoia proposed two strategies for disinfection, urging national cybersecurity teams and law enforcement agencies to collaborate. One approach involves sending self-delete commands supported by PlugX, while the other entails the development and deployment of custom payloads to eradicate the malware from infected systems and USB drives.

While the sinkhole operation effectively neutralized the botnet controlled by PlugX, Sekoia warned of the possibility of its revival by malicious actors with access to the C2 server.

PlugX, initially linked to state-sponsored Chinese operations, has evolved into a widely used tool by various threat actors since its emergence in 2008. Its extensive capabilities and recent wormable features pose significant security risks, necessitating collaborative efforts to mitigate its impact.

Cactus Ransomware Exposes Thousands of Vulnerable Qlik Sense Servers

 


Many organizations remain dangerously vulnerable to the Cactus ransomware group, despite security researchers warning of the threat five months ago. The group exploits three vulnerabilities in Qlik Sense, Qlik's data analytics and business intelligence platform. Qlik disclosed the flaws in August and September: in August, it published CVE-2023-41266 and CVE-2023-41265, which affect multiple versions of Qlik Sense Enterprise for Windows.

Chained together, these vulnerabilities allow an unauthenticated remote attacker to execute arbitrary code on affected systems. In September, Qlik disclosed CVE-2023-48365, which proved to be a bypass of its fix for the two flaws from August. Two months later, Arctic Wolf reported that operators of the Cactus ransomware were exploiting all three vulnerabilities to gain a foothold in targeted systems.

At the time, the vendor was alerting customers to multiple attacks through the Qlik Sense vulnerabilities and warned of a rapidly developing Cactus campaign. Many organizations apparently have not received the memo: a scan conducted by Fox-IT on April 17 found that of 5,205 Qlik Sense servers exposed to the internet, 3,143 were still vulnerable to the exploits used by the Cactus group.

It appears that the majority of those vulnerable servers are found in the countries which have a relatively high number of QlikSense servers, such as Italy, which has 280 exposed servers, Brazil, which has 244 exposed servers, the Netherlands and Germany, which both have 241 exposed servers each. There have been reports that threat actors have been targeting QlikSense servers with software vulnerabilities, and are misleading victims with elaborate stories, as reported by Cyber Security News. 

Shadowserver's reports indicate that approximately 5,200 Qlik servers are exposed to the internet, of which 3,100 are vulnerable to exploitation by Cactus. Of the 241 exposed systems in the Netherlands, 6 have already been compromised by threat actors. An existing Nuclei template can be used to identify vulnerable Qlik Sense servers exposed to the internet.

Using this template, identifying the list of exposed and compromised servers took several research steps. The researchers identified vulnerable servers using the "product-info.json" file, whose release label and version numbers reveal the exact version of the running Qlik Sense server.

The release label parameter contains a value such as "February 2022 Patch 3", which indicates the latest update applied to Qlik Sense and maps to the relevant advisory. Using the cURL command below, a request for a .ttf (TrueType Font) file retrieves this information from product-info.json: the request path points at a font file, since font files are accessible on Qlik Sense servers without authentication, and a 400 Bad Request response can be avoided by setting the "Host: localhost" header.

A patched server responds with "302 Authenticate at this location", while a vulnerable server returns 200 OK with the contents of the file. A server is therefore considered non-vulnerable if it responds with 302 or if its release label contains "November 2023". Through this research, Fox-IT discovered thousands of vulnerable servers.

Fox-IT shared the information it collected with the Dutch Institute for Vulnerability Disclosure (DIVD) and with other Dutch authorities, the NCSC and the Digital Trust Center (DTC). Besides informing victims at the national level, the DIVD also informed officials and specialists in other countries who could benefit from the information. There are currently 5,205 active Qlik Sense servers around the world, of which 3,143 are vulnerable to attack via the internet.

The Cactus group has attacked these servers in the Netherlands in the same way every time, which implies that this is the group's preferred attack route worldwide. A total of 122 Qlik servers have been compromised so far in the campaign, and researchers consider it highly probable that these compromises were carried out by Cactus. To be protected against this threat, these servers must be updated.

The Digital Trust Center (DTC), part of the Ministry of Economic Affairs, notified Dutch companies of the threat so that they could take precautions. The Dutch Institute for Vulnerability Disclosure (DIVD) also notified several foreign cyber organizations, including the American Cybersecurity & Infrastructure Security Agency (CISA) and the FBI.

Recently, several ransomware attacks have rattled Dutch companies and institutions. Victims include the Dutch Football Association KNVB, the VDL Group, Maastricht University, Hof van Twente, Radio Nederland, the Netherlands Organization of Scientific Research and Mediamarkt. In most cases, a ransom was demanded in return for the decryption key.

In the last year, the Digital Trust Center warned over 140,000 Dutch companies of specific cyber threats. To mitigate the risk of exploitation, organizations running Qlik Sense servers are advised to update promptly to the latest version, following the security advisories provided.

5 Attack Trends Your Company Should Be Aware Of


Cybersecurity is always evolving and demands ongoing awareness

Every day, Microsoft analyzes over 78 trillion security signals to gain a deeper understanding of the current threat pathways and methodologies. Since last year, we've seen a shift in how threat actors scale and use nation-state backing. It's apparent that companies are facing more threats than ever before, and attack chains are becoming more complicated. Dwell times have decreased, and tactics, techniques, and procedures (TTPs) have evolved to be more agile and evasive. 

Based on these findings, here are five attack trends that end-user organizations should be watching regularly.

1. Gaining Stealth by avoiding custom tools and malware

Some threat actor organizations prioritize stealth by using tools and processes that are already installed on their victims' systems. This enables attackers to fly under the radar and go undiscovered by concealing their operations among other threat actors that use similar approaches to launch assaults. 

Volt Typhoon, a Chinese state-sponsored actor, is an example of this trend, having made news for targeting US critical infrastructure using living-off-the-land practices.

2. Blending cyber and influence operations for greater results

Nation-state actors have also developed a new category of tactics that blends cyber and influence operations (IO) techniques. This hybrid, known as "cyber-enabled influence operations," combines cyber methods such as data theft, defacement, distributed denial-of-service, and ransomware with influence methods such as data leaks, sockpuppets, victim impersonation, misleading social media posts, and malicious SMS/email communication, in order to boost, exaggerate, or compensate for weaknesses in an adversary's network access or cyberattack capabilities.

For example, Microsoft has noticed various Iranian actors trying to use bulk SMS texting to increase and psychologically impact their cyber-influence activities. We're also seeing more cyber-enabled influence operations attempt to imitate alleged victim organizations or key figures inside those organizations to lend legitimacy to the impacts of the malware or compromise.

3. Developing Covert Networks Using SOHO Network Edge Devices

The increased use of small-office/home-office (SOHO) network edge devices is especially relevant for distributed or remote employees. Threat actors are increasingly targeting SOHO devices, such as the router at a local coffee shop, to assemble covert networks.

Some adversaries will even employ programs to locate susceptible endpoints around the world and identify potential targets for their next attack. This approach complicates attribution by having attacks appear from almost anywhere.

4. Quickly Implementing Publicly Disclosed Proofs of Concept for Initial Access and Persistence 

Microsoft has noticed an increase in the number of nation-state subgroups using publicly released proof-of-concept (POC) code to exploit vulnerabilities in Internet-facing apps.

This tendency can be seen in threat groups such as Mint Sandstorm, an Iranian nation-state actor that quickly exploited N-day vulnerabilities in common corporate systems and launched highly focused phishing attacks to get speedy and effective access to target environments.

5. Prioritizing Specialization in the Ransomware Economy

We've noticed a persistent trend toward ransomware expertise. Rather than conducting an end-to-end ransomware campaign, threat actors are focusing on a limited set of skills and services. 

This specialization has a fragmenting effect, distributing the components of a ransomware attack across different vendors in a complex underground market. Companies can no longer think of ransomware attacks as originating from a single threat actor or group.

Instead, they may be facing the entire ransomware-as-a-service ecosystem. In response, Microsoft Threat Intelligence now tracks ransomware providers individually, identifying which groups deal in initial access and which supply additional services.

As cyber defenders seek better ways to strengthen their security posture, it is critical to learn from past trends and breaches. By examining these incidents and understanding different attackers' motivations and preferred TTPs, we can better prevent such breaches in the future.