
New Variant of Banshee Stealer Targets macOS with Enhanced Evasion Tactics

Cybersecurity researchers have identified a dangerous new version of Banshee Stealer, a sophisticated malware specifically targeting macOS users. This updated strain is designed to bypass antivirus defenses and steal sensitive data from millions of macOS devices.

Originally detected in August 2024, Banshee Stealer was offered as malware-as-a-service (MaaS) to cybercriminals for $3,000 per month. Its capabilities included:
  • Data Theft: Stealing browser data, cryptocurrency wallet credentials, and specific file types.
The malware's source code was leaked in late 2024, briefly halting its spread. However, security experts have now discovered ongoing campaigns distributing an updated and more powerful version.

The latest version of Banshee Stealer, uncovered in September 2024, is being spread through:
  • Phishing Websites: Fake websites impersonating legitimate services to trick users into downloading the malware.
  • Fake GitHub Repositories: Malicious repositories posing as popular software like Google Chrome, Telegram, and TradingView.
Additionally, cybercriminals are simultaneously deploying another malware called Lumma Stealer to target Windows systems, signaling a broader, cross-platform attack strategy.

Key Enhancements in the Updated Version

The new variant of Banshee Stealer features several dangerous improvements:
  1. Advanced Encryption: Incorporates sophisticated encryption methods inspired by Apple's XProtect to evade detection by security tools.
  2. Expanded Targeting: Earlier versions avoided Russian-language systems; that restriction has been removed, broadening the malware's victim pool.
  3. Social Engineering Tactics: The malware disguises itself as software updates or legitimate applications, increasing its chances of tricking users into installing it.

Related Threats on Other Platforms

Beyond Banshee Stealer, other malware families like Nova Stealer and Hexon Stealer are exploiting social engineering techniques on platforms such as Discord. Attackers lure users with fake promises of the latest video game versions, aiming to steal Discord credentials and access linked accounts for further exploitation.

To mitigate the risk of infection, users should adopt the following cybersecurity practices:
  • Download from Trusted Sources: Always install software from official and reputable platforms.
  • Exercise Caution with Links: Avoid clicking on suspicious links or accepting unsolicited invitations, particularly on social platforms like Discord.
  • Keep Security Software Updated: Regularly update antivirus and security tools to guard against the latest threats.
The resurgence of Banshee Stealer underscores the need for continuous vigilance in cybersecurity. Cybercriminals are constantly evolving their methods, blending technical exploits with social engineering to target both human and system vulnerabilities. Staying informed and cautious remains the most effective defense against such sophisticated attacks.

Japan Attributes Ongoing Cyberattacks to China-Linked MirrorFace Group

Japan's National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have officially attributed a prolonged cyberattack campaign targeting Japanese organizations and individuals since 2019 to the China-linked threat actor MirrorFace, also known as Earth Kasha.

The cyberattacks were designed to steal sensitive information related to Japan's national security and emerging technologies. MirrorFace is reportedly a subgroup of the Chinese state-sponsored hacking collective APT10, notorious for deploying malware tools such as ANEL, LODEINFO, and NOOPDOOR.

Authorities have identified three distinct phases in MirrorFace's attack operations:
  • December 2019 – July 2023: Spear-phishing emails carrying malware like LODEINFO, LilimRAT, and NOOPDOOR targeted government agencies, think tanks, politicians, and media outlets.
  • February – October 2023: Malware such as Cobalt Strike Beacon, LODEINFO, and NOOPDOOR was deployed through vulnerabilities in network devices to infiltrate sectors like semiconductors, aerospace, and academic institutions.
  • June 2024 – Present: Phishing emails loaded with ANEL malware were sent to think tanks, political figures, and media organizations.

Sophisticated Cyberattack Techniques

MirrorFace utilized advanced methods to evade detection and maintain persistence, including:
  • Windows Sandbox Deployment: Malware was executed within the Windows Sandbox, a virtualized environment that limits malware persistence by erasing data upon system reset.
  • Evasion of Security Tools: Running inside the sandbox let the malware operate undetected by antivirus software on the host.

Scale and Impact of the Cyberattacks

The NPA has connected MirrorFace to over 200 cyber incidents spanning five years. The affected sectors include:
  • Government Agencies
  • Defense Organizations
  • Space Research Centers
  • Private Enterprises in Advanced Technologies

Phishing emails often used compelling subjects like "Japan-US alliance" and "Taiwan Strait" to deceive recipients into downloading malicious attachments. Notable attacks linked to similar tactics include:
  • Japan Aerospace Exploration Agency (JAXA): Targeted in a sophisticated cyberattack.
  • Port of Nagoya (2023): Disrupted by a ransomware incident.

In response to these threats, the NPA issued a public warning:

“This alert aims to raise awareness among targeted organizations, businesses, and individuals about the threats they face in cyberspace by publicly disclosing the methods used in the cyber-attacks by ‘MirrorFace.’ It also seeks to encourage the implementation of appropriate security measures to prevent the expansion of damage from cyber-attacks and to avert potential harm.”

The warning underscores the need for heightened cybersecurity practices across sectors to mitigate risks from increasingly sophisticated cyber threats.

California Man Sues Banks Over $986K Cryptocurrency Scam

Ken Liem, a California resident, has filed a lawsuit against three major banks, accusing them of negligence in enabling a cryptocurrency investment scam. Liem claims he was defrauded of $986,000 after being targeted on LinkedIn in June 2023 by a scammer promoting crypto investment opportunities. Over six months, Liem wired substantial funds through Wells Fargo to accounts held by Hong Kong-based entities.

Liem’s ordeal escalated when his cryptocurrency account was frozen under false allegations of money laundering. To regain access to his funds, scammers demanded he pay a fake IRS tax—an established tactic used to maximize financial extraction from victims before vanishing.

The lawsuit names three financial institutions as defendants:
  • Chong Hing Bank Limited (Hong Kong-based)
  • Fubon Bank Limited (Hong Kong-based)
  • DBS Bank (Singapore-based, with a Los Angeles branch)

Allegations of Negligence and Non-Compliance

Liem accuses these banks of failing to follow mandatory “Know Your Customer” (KYC) and anti-money laundering (AML) protocols as required by the U.S. Bank Secrecy Act. The lawsuit asserts that the banks:
  • Failed to Verify Identities: Inadequate due diligence on account holders allowed fraudsters to operate unchecked.
  • Neglected Business Verification: The nature of the businesses linked to these accounts was not properly investigated.
  • Ignored Complaints: Liem reported the scam in August 2024, but the banks either disregarded his concerns or denied accountability.

The lawsuit contends that these financial institutions enabled the transfer of illicit funds from the U.S. to Asian accounts tied to organized scams by ignoring suspicious transactions.

Liem's case highlights the growing debate over banks' responsibility in preventing fraud. While lawsuits of this nature are uncommon, they are not without precedent. For instance:
  • January 2024: Two elderly victims of IRS impersonation scams sued JPMorgan Chase for allowing large international transfers without adequate scrutiny.

Globally, different approaches are being adopted to address fraud:
  • United Kingdom: New regulations require banks to reimburse scam victims up to £85,000 ($106,426) within five days, though banks have pushed back against raising this cap.
  • Australia: Proposed legislation could fine banks, telecom providers, and social media platforms for failing to prevent scams.
  • United States: The Consumer Financial Protection Bureau (CFPB) has taken legal action against Bank of America, Wells Fargo, and JPMorgan Chase for not preventing fraud on the Zelle platform, which has resulted in $870 million in losses since 2017.

As global authorities and financial institutions grapple with accountability measures, victims like Ken Liem face significant challenges in recovering their stolen funds. This lawsuit underscores the urgent need for stronger fraud prevention policies and stricter enforcement of compliance standards within the banking sector.

This New Malware Exploits VPN Apps to Hijack Devices

A newly discovered malware, named PLAYFULGHOST, is causing concern among cybersecurity experts due to its versatile capabilities for data theft and system compromise. According to researchers, this malware employs techniques such as screen and audio capture, keylogging, remote shell access, and file transfer, enabling threat actors to launch further attacks.

PLAYFULGHOST is primarily delivered through phishing emails or SEO poisoning techniques, which distribute trojanized VPN applications. Once executed, it establishes persistence using four methods: the Run registry key, scheduled tasks, the Windows startup folder, and Windows services. This persistence allows the malware to collect a vast array of data, including keystrokes, screenshots, system metadata, clipboard content, and QQ account details, as well as information on installed security products.

The malware also exhibits advanced functionalities such as deploying additional payloads, blocking mouse or keyboard inputs, clearing event logs, deleting cache and browser profiles, and wiping messaging app data. Notably, it can use Mimikatz, a tool for extracting passwords, and a rootkit to conceal registry entries, files, and processes. PLAYFULGHOST further utilizes Terminator, an open-source utility, to disable security processes via a BYOVD (Bring Your Own Vulnerable Driver) attack.

The initial infection often begins with phishing emails containing lures such as warnings about code-of-conduct violations. Alternatively, it leverages SEO poisoning to distribute malicious versions of legitimate VPN apps like LetsVPN. For instance, one victim unknowingly launched a malicious executable disguised as an image file, which subsequently downloaded and executed PLAYFULGHOST. Google’s Managed Defense team notes that this backdoor shares features with the Gh0st RAT, whose source code was leaked in 2008.

PLAYFULGHOST infections employ DLL search order hijacking and sideloading to launch malicious DLLs, decrypting and loading the malware directly into memory. It also combines Windows shortcut files with rogue DLL construction for stealthy execution.

How to Protect Yourself

To avoid falling victim to PLAYFULGHOST, adopt the following security practices:
  • Be cautious with phishing emails: Verify the sender and context before clicking links or downloading attachments. If unsure, confirm directly with the sender or relevant departments.
  • Download only from trusted sources: Always access applications from official websites rather than links in emails or messages.
  • Avoid urgency traps: If contacted about urgent matters like account issues, manually visit the company’s website by typing its URL into your browser.
  • Strengthen account security: Use unique passwords, a password manager, two-factor authentication, and robust antivirus software across devices.
For additional protection, consider antivirus programs with integrated VPNs or hardened browsers for enhanced security. Stay informed about phishing techniques and remain vigilant online. As Google’s Managed Defense team warns, “PLAYFULGHOST’s sophistication highlights the need for constant vigilance against evolving cyber threats.”

Android Malware 'FireScam' Poses As Telegram Premium to Steal User Data

A new Android malware called 'FireScam' is being distributed as a premium version of the Telegram application through phishing sites on GitHub that impersonate RuStore, a Russian app market for mobile devices.

About FireScam

Russian internet group VK (VKontakte) launched RuStore in May 2022 as an alternative to Apple's App Store and Google Play, after Western sanctions affected Russian users' access to mobile software. RuStore hosts apps that comply with Russian regulations, and it was built with the assistance of the Russian Ministry of Digital Development.

Experts from threat management company Cyfirma say the malicious GitHub page impersonating RuStore first delivers a dropper module named GetAppsRu.apk.

The dropper APK is obfuscated with DexGuard to evade detection and requests permissions that let it enumerate installed applications, access the device’s storage, and install further packages.

It then retrieves and installs the main malware payload, “Telegram Premium.apk”, which requests permissions to monitor notifications, read clipboard data, use telephony services and SMS, and much more.

What can FireScam do?

Once executed, a deceptive WebView screen displays a Telegram login page that harvests the user’s login credentials. FireScam communicates with a Firebase Realtime Database, uploads stolen data in real time, and registers each infected device with a unique identifier for tracking.

According to Cyfirma, stolen data is kept in the database only temporarily: once the operators have filtered it for the information they want and copied it elsewhere, it is wiped.

The malware opens a persistent WebSocket connection to the Firebase C2 endpoint for real-time command execution: requesting specific data, downloading and installing additional payloads, triggering immediate uploads to the Firebase database, or adjusting the surveillance parameters.

FireScam also tracks changes in screen activity, monitors screen on/off events, logs the running applications, and records activity data for events lasting longer than 1,000 milliseconds.

Additionally, FireScam closely monitors e-commerce payments to steal sensitive financial data. It can capture what the user types, clipboard contents, drag-and-drop actions, and data auto-filled by password managers.

How to stay safe

Cyfirma offers no hints about FireScam's operators, but the researchers describe the malware as a "sophisticated and multifaceted threat" that "employs advanced evasion techniques." They advise users to exercise caution when opening files from potentially malicious sources or clicking on unknown URLs.

Critical Command Injection Vulnerability Found in Aviatrix Network Controller (CVE-2024-50603)

Jakub Korepta, Principal Security Consultant at Securing, has discovered a critical command injection vulnerability in the Aviatrix Network Controller, identified as CVE-2024-50603. This flaw, impacting versions 7.x through 7.2.4820, has been assigned the highest possible CVSS severity score of 10.0. It allows unauthenticated attackers to remotely execute arbitrary code, posing a severe threat to enterprises utilizing Aviatrix’s cloud networking solutions.

The root of this vulnerability lies in improper input handling within the Aviatrix Controller's API. While certain input parameters are sanitized using functions like escapeshellarg, others—most notably the cloud_type parameter in the list_flightpath_destination_instances action—remain unprotected. This oversight permits attackers to inject malicious commands into API requests, leading to remote code execution (RCE).

Jakub Korepta demonstrated this flaw by crafting a malicious HTTP request that redirected sensitive system files to an attacker-controlled server. By appending harmful commands to the vulnerable parameter, attackers can gain unauthorized access and execute arbitrary code on the targeted system.

In a proof-of-concept attack, Korepta successfully extracted the contents of the /etc/passwd file, highlighting the potential for data theft. However, the threat extends beyond data exfiltration. Exploiting this vulnerability could allow attackers to:
  • Execute Remote Code: Attackers can run commands with full system privileges, gaining complete control over the Aviatrix Controller.
  • Steal or Manipulate Data: Sensitive data stored on the system can be accessed, stolen, or altered.
  • Compromise Entire Networks: Successful exploitation could lead to lateral movement within enterprise networks, escalating the attack's impact.

Research uncovered 681 publicly exposed Aviatrix Controllers accessible via the Shodan search engine. These exposed systems significantly increase the risk, providing attackers with easily identifiable targets for exploitation.

Aviatrix has responded promptly by releasing version 7.2.4996, which addresses this vulnerability through enhanced input sanitization. This update effectively neutralizes the identified risk. All users are strongly urged to upgrade to this patched version immediately to secure their systems and prevent exploitation. Failure to apply this update leaves systems vulnerable to severe attacks.

Recommended actions for organizations include:
  • Immediate Patch Deployment: Upgrade to version 7.2.4996 or later to eliminate the vulnerability.
  • Network Access Controls: Restrict public access to Aviatrix Controllers and enforce strict network segmentation.
  • Continuous Monitoring: Implement robust monitoring systems to detect unauthorized activity or anomalies.
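Two of the recommended actions, checking controller versions against the fixed release and watching for abuse of the unsanitized cloud_type parameter, can be scripted. The following is an added example, not Aviatrix's code or the researcher's proof of concept; it assumes the controller API lives at /v1/api, that a legitimate cloud_type is a plain integer, and uses constructed access-log lines.

```python
"""Triage helpers for CVE-2024-50603 (Aviatrix Controller command injection).

Added example, not Aviatrix's code. Assumptions: the API path /v1/api, a
cloud_type that is always a plain integer when legitimate, and the sample
access-log lines below, which are constructed for this demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (7, 2, 4996)  # first release with the input-sanitisation fix
VULN_ACTION = "list_flightpath_destination_instances"
# client IP at line start, request path inside the quoted request line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def needs_upgrade(version: str) -> bool:
    """True for any 7.x controller older than 7.2.4996, the advised minimum."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if parts[0] != 7:
        return False  # the advisory only covers the 7.x line
    return parts < FIXED_VERSION


def suspicious_request(path: str):
    """Return the offending cloud_type value when a request to the vulnerable
    action carries a non-integer cloud_type (blank included); else None."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if params.get("action", [""])[0] != VULN_ACTION:
        return None
    for value in params.get("cloud_type", []):
        if not value.isdigit():  # anything but digits is not a cloud id
            return value
    return None


def triage_log(lines):
    """Scan access-log lines; return (client_ip, cloud_type) for suspicious hits."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand
        ip, path = match.groups()
        bad = suspicious_request(path)
        if bad is not None:
            hits.append((ip, bad))
    return hits


# Constructed sample log (combined format); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /v1/api?action=list_flightpath_destination_instances&cloud_type=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:10:00:09 +0000] "GET /v1/api?action=list_flightpath_destination_instances&cloud_type=1%3Becho+probe HTTP/1.1" 200 73',
    '203.0.113.5 - - [10/Jan/2025:10:01:00 +0000] "GET /v1/api?action=list_vpcs&cloud_type=abc HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Jan/2025:10:02:00 +0000] "POST /v1/api?action=list_flightpath_destination_instances&cloud_type= HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for v in ("7.1.1234", "7.2.4820", "7.2.4996", "8.0.1"):
        print(v, "needs upgrade" if needs_upgrade(v) else "ok")
    for ip, value in triage_log(SAMPLE_LOG):
        print(f"suspicious cloud_type {value!r} from {ip}")
```

Requests to other actions are ignored even when their parameters look odd, so extend VULN_ACTION into a set if later advisories name more affected actions.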

Lessons in Proactive Security

This incident underscores the critical need for proactive cybersecurity measures and routine software updates. Even advanced networking solutions can be compromised if proper input validation and security controls are neglected. Organizations must remain vigilant, ensuring that both internal systems and third-party solutions adhere to stringent security standards.

The discovery of CVE-2024-50603 serves as a stark reminder of how overlooked vulnerabilities can escalate into significant threats. Timely updates and consistent security practices are vital to protecting enterprise networks from evolving cyber risks.

1Password Acquires Trelica to Strengthen SaaS Management and Security

1Password, the renowned password management platform, has announced its largest acquisition to date: Trelica, a UK-based SaaS (Software-as-a-Service) management company. While the financial details remain undisclosed, this strategic move aims to significantly enhance 1Password’s ability to help businesses better manage and secure their growing portfolio of applications.

In today’s rapidly evolving digital landscape, organizations are increasingly adopting numerous SaaS tools to streamline operations. However, this surge in digital adoption often leads to "SaaS sprawl," where companies lose oversight of active software tools, and "shadow IT," where employees use unauthorized apps without IT supervision. Both issues heighten security vulnerabilities and inflate operational costs.

1Password's Extended Access Management (EAM) platform already focuses on managing access to devices and applications. With Trelica’s advanced SaaS management capabilities, 1Password will be better equipped to tackle these growing challenges by offering a more comprehensive security solution.

What Trelica Brings to 1Password

Founded in 2018, Trelica specializes in simplifying SaaS application management. Its tools empower IT teams to streamline software oversight and bolster security. Key functionalities include:
  • Access Control: Automates granting and revoking employee access to apps during onboarding and offboarding, ensuring seamless transitions.
  • Shadow IT Detection: Identifies unauthorized or unmonitored apps in use, reducing potential security risks.
  • License Optimization: Monitors and manages unused licenses to minimize software costs.
  • Permission Oversight: Tracks user permissions when employees change roles to prevent over-permissioning.
By automating these processes, Trelica helps organizations save time, cut costs, and mitigate risks associated with unmanaged software use.

Integrating Trelica’s tools into 1Password’s platform will empower businesses to regain control over unauthorized applications, reclaim unused licenses, and enforce stronger security policies. This proactive approach ensures that software usage remains compliant and secure.

Jeff Shiner, CEO of 1Password, emphasized that while tools like single sign-on and mobile device management solve some issues, they don’t address all access management challenges. Trelica’s solution effectively bridges these gaps by streamlining user provisioning and license management, offering a more holistic security framework.

Trelica’s platform already integrates with over 300 widely used applications, including industry leaders like Google, Microsoft, Zoom, Salesforce, and Adobe. This wide compatibility allows businesses to centralize SaaS management, improving both productivity and security.

The acquisition positions 1Password as a leader in access and SaaS management, offering enterprises a unified solution to navigate the complexities of the digital age. As businesses increasingly depend on SaaS tools, maintaining security, efficiency, and organization becomes more critical than ever.

1Password’s acquisition of Trelica marks a significant step toward redefining SaaS security and management. By combining Trelica’s automation and oversight tools with 1Password’s robust security platform, businesses can expect a safer, more efficient digital environment. This partnership not only safeguards organizations but also paves the way for smarter, streamlined SaaS operations in a fast-paced digital world.