Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CERT-In. Show all posts
kiberphant0m
BSNL data breach CERT-In Critical Data cyberattack on BSNL cybercriminals Dark web marketplace Data Breach Data protection data security kiberphant0m

U.S. soldier linked to BSNL data breach: Arrest reveals cybercrime

 

The arrest of Cameron John Wagenius, a U.S. Army communications specialist, has unveiled potential connections to a significant data breach targeting India’s state-owned telecom provider, BSNL. The breach highlights the global reach of cybercrime networks and raises concerns about the security of sensitive data across continents. 

Wagenius, stationed in South Korea, was apprehended on December 20, 2023, for allegedly selling hacked data from U.S. telecom companies. According to cybersecurity experts, he may also be the individual behind the alias “kiberphant0m” on a dark web marketplace. In May 2023, “kiberphant0m” reportedly attempted to sell 278 GB of BSNL’s critical data, including subscriber details, SIM numbers, and server snapshots, for $5,000. Indian authorities confirmed that one of BSNL’s servers was breached in May 2023. 

While the Indian Computer Emergency Response Team (CERT-In) reported the intrusion, the identity of the perpetrator remained elusive until Wagenius’s arrest. Efforts to verify the hacker’s access to BSNL servers through Telegram communication and sample data proved inconclusive. The breach exposes vulnerabilities in telecom providers’ security measures, as sensitive data such as health records, payment details, and government-issued identification was targeted. 

Additionally, Wagenius is accused of selling call records of prominent U.S. political figures and data from telecom providers across Asia. The arrest also sheds light on Wagenius’s links to a broader criminal network led by Connor Riley Moucka. Moucka and his associates reportedly breached multiple organizations, extorting millions of dollars and selling stolen data. Wagenius’s involvement with this network underscores the organized nature of cybercrime operations targeting telecom infrastructure. 

Cybersecurity researchers, including Allison Nixon of Unit 221B, identified Wagenius as the individual behind illicit sales of BSNL data. However, she clarified that these activities differ from state-sponsored cyberattacks by groups such as Salt Typhoon, a Chinese-linked advanced persistent threat actor known for targeting major U.S. telecom providers. The case has also exposed challenges in prosecuting international cybercriminals. Indian authorities have yet to file a First Information Report (FIR) or engage with U.S. counterparts on Wagenius’s case, limiting legal recourse. 

Experts suggest leveraging international treaties and cross-border collaboration to address such incidents. As the investigation unfolds, the breach serves as a stark reminder of the growing threat posed by insider actions and sophisticated cybercriminal networks. It underscores the urgent need for robust data protection measures and international cooperation to counter cybercrime.
Read more »
Technology
CERT-In Cyber Fraud Cyber space India Technology

India Cybersecurity: Key Government Initiatives for Cybersecurity

India Cybersecurity: Key Government Initiatives for Cybersecurity

Indian Government to Enforce Robust Cybersecurity Measures

The Indian Government has done it again, reinforcing its main strategies to improve cyber defenses and protect its citizens in the digital space.

In April 2024, the Indian government released a report claiming India had a record 936.16 million internet subscriptions by December 2023, changing India into one of the largest connected nations globally. 

The Indians are now 'Digital Nagriks,' integrating the internet into their daily routine, using it for vital needs like education, financial activities, business transactions, and accessing government services.

The government has recognized the need for a safe digital space, therefore implementing strong policies. These measures are aimed at protecting against the growing threat of cyber attacks.

What is CERT-IN: Backbone of India's Cybersecurity

The Indian Computer Emergency Response Team (CERT-IN) is a national agency for incident response that plays an important role in protecting India's cyber landscape. Working 24x7, CERT-IN ensures quick responses to cybersecurity incidents.

CERT-IN's Fight Against Cybercrime

CERT-IN partners with Law Enforcement Agencies (LEAs), regulators, and service providers to track and bust phishing websites and investigate fraud activities. According to Cyber Express:
  • CERT-In releases advice to ministries outlining steps to improve cyber security for organizations that handle digital personal data and susceptible information.
  • CERT-In publishes advice through the Reserve Bank of India, the country's central bank, regarding audits and the adoption of security policies by firms issuing prepaid payment instruments.
  • CERT-In runs an automated cyber threat exchange platform that distributes targeted notifications across sectors.
  • CERT-In manages the Cyber Swachhta Kendra, which detects and removes dangerous applications and offers security advice.
  • The platform has developed a Cyber Crisis Management Plan to combat cyberattacks in government and essential sectors.
  • CERT-In conducts cybersecurity simulated drills to assess organizational readiness; 92 drills were conducted with involvement from a variety of sectors.

India's Measure Towards Cybersecurity Awareness

Cyber Crime Coordination Centre

The Centre works towards enhancing the coordinated response of LEAs to cybercrimes. The initiative aims to offer a robust framework for addressing digital threats. Currently, the National Cyber Crime Reporting Portal has been launched, allowing the public to directly report cybercrimes.

Citizen Financial Cyber Fraud Reporting and Management System

The program allows immediate reporting of financial fraud and avoids siphoning of funds by scammers. A toll-free helpline number '1930,' is set up to help in registering online cyber complaints, allowing swift response and assistance for victims of cyber fraud.

Read more »
data security
Bounty CERT-In Crypto Funds cryptocurrency cryptocurrency theft Customer Information Cyber Attacks data security

WazirX Responds to Major Cyberattack with Trading Halt and Bounty Program

 

In the wake of a significant cyberattack, WazirX, one of India’s foremost cryptocurrency exchanges, has taken drastic measures to mitigate the damage. The exchange announced a halt in trading and introduced a bounty program aimed at recovering stolen assets. This attack has severely impacted their ability to maintain 1:1 collateral with assets, necessitating immediate action. 

In a series of posts on X, WazirX detailed their response to the breach. They have filed a police complaint and reported the incident to the Financial Intelligence Unit (FIU) and CERT-In. Co-founder Nischal Shetty emphasized the urgency of the situation, stating that the exchange is reaching out to over 500 other exchanges to block the identified addresses associated with the stolen funds. This broad collaboration is essential as the stolen assets move through various platforms. 

To further their recovery efforts, WazirX is launching a bounty program to incentivize individuals and entities to help freeze or recover the stolen assets. This initiative is part of a broader strategy to trace the stolen funds and enhance the security measures of the exchange. The team is also consulting with several expert groups specializing in cryptocurrency transaction tracking to provide continuous monitoring and support during the recovery process. The exchange expressed gratitude for the support from the broader Web3 ecosystem, underscoring the need for a collective effort to resolve the issue and maintain the integrity of the Web3 community. 

Shetty mentioned that the team is conducting a thorough analysis to understand the extent of the damage caused by the attack. This analysis is crucial for developing an effective recovery plan and ensuring that all possible measures are taken to protect customer funds. In addition to their internal efforts, WazirX is working closely with forensic experts and law enforcement agencies to identify and apprehend the perpetrators. This collaboration aims to ensure that those responsible are brought to justice and that as many stolen assets as possible are recovered. 

The cyberattack has resulted in a substantial loss of approximately $235 million, making it one of the largest hacks of a centralized exchange in recent history. Crypto investigator ZachXBT revealed that the main attacker’s wallet still holds over $104 million in funds, which have yet to be offloaded. 

This highlights the ongoing challenges and complexities of securing digital assets in the ever-evolving cryptocurrency landscape. WazirX’s proactive measures and the support from the broader community will be crucial in navigating this crisis and reinforcing the security frameworks essential for the future of cryptocurrency exchanges.
Read more »
Samsung
Android CERT-In Cyber Security Google Google Pixel Phones iPhone Samsung

Mobile Security Alert: CERT-In Flags Risks in Top Brands

The Indian Computer Emergency Response Team (CERT-In) has discovered security flaws in high-profile smartphone brands, including Samsung, Apple, and Google Pixel devices. After carefully analyzing these devices' security features, CERT-In has identified certain possible weaknesses that can jeopardize user privacy and data.

The CERT-In advisory highlights significant concerns for iPhone users, indicating a security flaw that could be exploited by malicious entities. This revelation is particularly alarming given Apple's reputation for robust security measures. The advisory urges users to update their iOS devices promptly, emphasizing the critical role of regular software updates in safeguarding against potential threats.

Samsung and Google Pixel phones are not exempt from security scrutiny, as CERT-In identified vulnerabilities in these Android-based devices as well. The CERT-In advisory underscores the importance of staying vigilant and promptly applying security patches and updates provided by the respective manufacturers. This is a reminder that even leading Android devices are not immune to potential security risks.

The timing of these warnings is crucial, considering the increasing reliance on smartphones for personal and professional activities. Mobile devices have become integral to our daily lives, storing sensitive information and facilitating online transactions. Any compromise in the security of these devices can have far-reaching consequences for users.

As cybersecurity threats continue to evolve, both manufacturers and users need to prioritize security measures. CERT-In's warnings underscore the need for proactive steps in identifying and addressing potential vulnerabilities before they can be exploited by malicious actors.

In response to the CERT-In advisory, Apple and Samsung have assured users that they are actively working to address the identified security flaws. Apple, known for its commitment to user privacy, has pledged swift action to resolve the issues outlined by CERT-In. Samsung, too, has expressed its dedication to ensuring its users' security and promised timely updates to mitigate the identified risks.

Cybercriminals are utilizing techniques that evolve along with technology. Users should prioritize the security of their mobile devices as a timely reminder provided by the CERT-In alerts. When it comes to preserving the integrity and security of smartphones, manufacturers' regular updates and patches are essential. Protecting our personal and business data while navigating the digital landscape requires us to be vigilant and knowledgeable about potential security threats.
Read more »
Taj Hotels data breach
CERT-In customer data compromise Cybersecurity Incident Data Breach Dnacookies hack Taj Hotels data breach

Taj Hotels Faces Data Breach, Revealing Data of 1.5 Million Customers

 

The cybersecurity landscape witnessed a recent data breach that sent shockwaves through the esteemed Taj Hotels chain. Perpetrated by the group "Dnacookies," the hack has potentially impacted more than 1.5 million consumers, prompting heightened concerns about data security, customer privacy, and the overall state of digital defenses within the hotel industry.

According to reports from CNBC-TV18, the compromised data spans a six-year period, ranging from 2014 to 2020. The exposed information includes addresses, membership IDs, mobile numbers, and other personally identifiable details. Despite the hacker's claim that the dataset is "non-sensitive," the reality is that any compromise of personal information can expose individuals to various risks, from identity theft to financial fraud.

The Indian Hotels Company Ltd. (IHCL), the entity overseeing Taj Hotels, promptly responded to the breach. A spokesperson for IHCL acknowledged the situation, emphasizing that the compromised customer data is deemed non-sensitive. However, the company is taking the incident seriously, initiating an investigation and notifying relevant authorities. A commitment to continuous system monitoring is deemed crucial to prevent further unauthorized access.

The severity of the situation is highlighted by the participation of the Indian Computer Emergency Response Team (CERT-In), a government agency responsible for addressing and mitigating cybersecurity incidents in India. CERT-In's involvement suggests that the breach extends beyond a concern for Taj Hotels, carrying broader implications for national cybersecurity.

"Dnacookies" has articulated specific demands, introducing complexity to an already intricate situation. The insistence on a middleman for negotiations, an all-or-nothing approach to data release, and a refusal to provide additional samples hint at a calculated and methodical strategy, raising questions about the motives behind the breach—whether purely financial or with more insidious intentions.
 
Beyond immediate concerns about breached data, the incident poses potential ramifications for both individuals and Taj Hotels. Affected customers face an increased risk of identity theft and financial fraud. Moreover, the reputation of Taj Hotels, synonymous with luxury and trust, is at stake. Customer trust in the overall security measures of the hospitality industry may be compromised.

Taj Hotels and similar establishments find themselves at a critical juncture in reassessing and strengthening their cybersecurity procedures as the investigation unfolds. This involves implementing sophisticated encryption techniques, regularly updating security systems to address new threats, and providing comprehensive training to staff members to raise awareness and prevent security lapses. Staying ahead of cyber threats necessitates collaboration with cybersecurity specialists and government organizations, exemplified by CERT-In's active engagement.
:
The Taj Hotels data breach underscores the intrusive and dynamic nature of cyber threats. Data security should be a primary concern for all businesses, particularly those in the hospitality industry where digital interactions are integral to modern life. The industry at large is urged to learn from the Taj Group's experience, bolster cybersecurity protocols, and collaborate to ensure digital infrastructure resilience against evolving cyber threats.
Read more »
WebKit browser engine
Apple Devices CERT-In Computer Emergency Response Team Cyber Security Ministry of Electronics and Information Technology security risk alert WebKit browser engine

High Security Alert Issued for Apple Devices by India's CERT-In

 

The Computer Emergency Response Team (CERT-In), a branch of India's Ministry of Electronics and Information Technology, has issued a "high" security alert for users of Apple devices. CERT-In's official website has raised concerns about several vulnerabilities that, if not addressed, could lead to unauthorized access to users' phones and the potential theft of sensitive data.

Specifically, CERT-In has highlighted significant security flaws in the WebKit browser engine, utilized by browsers like Safari. This poses a serious risk to users of Apple products such as iPhones and Apple Watches. 

Exploiting these vulnerabilities could enable attackers to deceive users into visiting harmful websites or opening malicious attachments. This could potentially grant unauthorized access to the user's personal data and files, and even facilitate the installation of malware on their device.

The official note states, "Multiple vulnerabilities have been reported in Apple products which could allow an attacker to execute arbitrary code, escalation of privileges or bypass security restrictions on the targeted system." 

In simpler terms, Apple device users are at risk of having their personal information stolen or their devices infected with malware if they are not cautious about the links they click or attachments they open.

CERT-In emphasizes that these vulnerabilities are actively being exploited in the wild in versions of iOS preceding iOS 16.7. The following Apple devices are particularly susceptible:

  • Apple macOS Monterey versions before 12.7
  • Apple macOS Ventura versions before 13.6
  • Apple watchOS versions before 9.6.3
  • Apple watchOS versions before 10.0.1
  • Apple iOS versions before 16.7 and iPadOS versions before 16.7
  • Apple iOS versions before 17.0.1 and iPadOS versions before 17.0.1
  • Apple Safari versions before 16.6.1
To ensure personal data safety, the national authority overseeing cybersecurity strongly advises promptly installing the latest updates for watchOS, tvOS, and macOS on Apple devices. Neglecting these software vulnerabilities in devices like Apple Watches, TVs, iPhones, and MacBooks could potentially expose them to unauthorized access by malicious actors. Apple has provided the necessary upgrades to address this issue on their official website, cert-in.org.in.

Furthermore, users of Apple iPhone, iPad, and WatchOS can benefit from the latest software version, which includes improved security features and device enhancements.
Read more »
ransomware attacks
CERT-In Data Breach Mallox attack Mallox ransomware MS-SQL servers ransomware attacks

CERT-In Warns Against Mallox Ransomware Targeting Unsecured MS SQL Servers


Indian government’s nodal agency, CERT-In has issued warning about the Mallox ransomware that is exploiting MS-SQL servers through dictionary attacks.

By using dictionary attack method, the ransomware acquire unauthorized access to victims’ networks, finally succeeding in server compromise and data breaches.

The CERT-In alert states, “It has been observed that Mallox Ransomware is currently targeting unsecured Microsoft SQL Servers, using them as entry points into victim's ICT infrastructures to distribute the ransomware” “It has also been observed that the threat actor group has used brute force techniques on publicly exposed MS SQL instances to gain initial access to the victim's network infrastructure.”

Apparently, Mallox ransomware uses double extortion techniques, through which it steals sensitive data before encrypting a company’s files. The threat actor then proceeds to threaten victims to leak the stolen data on leak sites if ransom demands are not fulfilled. 

Thus, it has become necessary for companies and individuals to take security measures actively in order to safeguard their MS-SQL servers from these attacks and prevent falling prey to the Mallox ransomware.

More About the Mallox Ransomware

A study by the Unit 42 researchers claims that compared to last year, Mallox ransomware activity has increased by 174%. Strong action is required to counter the threat as a result of the increase in attacks.

The hackers responsible for Mallox have discovered a way to use unprotected MS-SQL servers as a gateway into their victims' networks, expanding their scope and the potential harm they might cause.

Moreover, the ransomware group utilizes several tools, one of them being a network scanner and data exfiltration techniques in order to cover traces of their illicit infiltration and evade security obstacles.

Once the Mallox Ransomware gains access to a target network, it attacks with lethal accuracy. Using the command line and PowerShell, the ransomware payload is downloaded from a remote server, preparing the environment for the malicious encryption procedure. Additionally, it tries to delete volume shadows, which presents a formidable barrier for the affected organization when trying to restore files.

Mallox takes additional deliberate steps to avoid detection and obstruct the forensic investigation. Application, security, setup, and system event logs are cleared by the ransomware, leaving minimal evidence of its operations.

Also, it changes file permissions, blocks users from accessing essential system functions, and shuts down security-related services.

Recommendations by CERT-In 

CERT-In shares a list of strategies that will help organizations mitigate the risk of Mallox ransomware and shares steps to secure their Microsoft SQL Server. 

  • Avoid exposing SQL Servers on the Internet’s default port (1433). Adopt secure connections like VPNs instead.
  • Disable or strengthen the SA account to minimize the risk of unauthorized access. 
  • Audit SQL CLR Assemblies and remove any unwanted ones. 
  • Implementing a firewall, allowing incoming traffic only from trusted networks and IP addresses. 
  • Keep SQL Server up to date with the latest patches and updates. 
  • Enforce the use of strong and unique passwords for all SQL logins. 
  • Configure account lockout policies to counter brute force attacks. 
  • Encrypt data in transit using SSL/TLS to protect against eavesdropping. 
  • Monitor SQL Server activity through auditing to detect and respond to threats promptly.  

Read more »
virus
Advanced Encryption Standard Android Phone CERT-In Cyber Attacks CyberCrime Cybersecurity Daam Government Hacked SMS URL virus

Android Phone Hacked by 'Daam' Virus, Government Warns

 


It has been announced by the central government that 'Daam' malware is infecting Android devices, and the government has issued an advisory regarding the same. CERT-IN, the national cyber security agency of the Indian government, released an advisory informing the public about the possibility of hackers hacking your calls, contacts, history, and camera due to this virus.

The virus' ability to bypass anti-virus programs and deploy ransomware on targeted devices makes it very dangerous, according to the Indian Computer Emergency Response Team or CERT-In, which provided the information. 

As quoted by the PTI news agency, the Android botnet is distributed primarily through third-party websites or apps downloaded from untrusted or unknown sources, according to the Federal Bureau of Investigation. 

The malware is coded to operate on the victim's device using an encryption algorithm known as AES (advanced encryption standard). The advisory reports that the other files are then removed from local storage, leaving only the files that have the extension of ".enc" and a readme file, "readme_now.txt", that contain the ransom note. 

To prevent attacks by such viruses and malware, the central agency has suggested several do's and don'ts. 

The CERT-IN recommends that you avoid browsing "untrusted websites" or clicking "untrusted links" when they do not seem trustworthy. It is advisable to exercise caution when clicking on links contained within unsolicited emails and SMS messages, the organization stated. Specifically, the report recommends updating your anti-virus and anti-spyware software regularly and keeping it up to date.

Once the malware has been installed, it tries to bypass the device's security system. In the case it succeeds in stealing sensitive data, as well as permissions to read history and bookmarks, kill background processing, and read call logs, it will attempt to steal sensitive information of the user. 

"Daam" is also capable of hacking phone calls, contacts, images, and videos on the camera, changing passwords on the device, taking screenshots, stealing text messages, downloading and uploading files, etc. 

In the Sender Information field of a genuine SMS message received from a bank, the Sender ID (abbreviation of the bank) is typically mentioned instead of the phone number, according to the report. 

A cautionary note was provided to users warning them to be aware of shortcut URLs (Uniform Resource Locators) such as the websites 'bitly' and 'tinyurl', which are both URLs pointing to web addresses such as "http://bit.ly/" "nbit.ly" and "tinyurl.com" "/". 

To see the full domain of the website the user is visiting, it is recommended that they hover over the shortened URL displayed. As suggested in the consultation, they may also be able to use a URL checker that allows them to enter both a shortened URL and the complete URL when completing the check. 

This is being viewed as a serious warning by the government to Android phone users throughout the world to remain vigilant and to take all necessary precautions to protect their mobile devices.

The Central Government strives to educate citizens about "Daam" malware, as well as its potential impacts, so citizens can take proactive measures to protect their Android devices and stay safe from cyber threats in the ever-evolving environment we live in today.
Read more »
Vulnerabilities and Exploits
CERT CERT-In Cyberattack Cybersecurity Remote Code Execution Vulnerabilities and Exploits

Take Steps to Protect Your Enterprise Against the Risks

 

Earlier this month, the Apache Software Foundation announced that its log4j Java-based logging utility (CVE-2021-44228) had been vulnerable to a remote code execution vulnerability (CVE-2021-4428). It was rated a critical severity vulnerability by MITRE and given a CVSS score of 10 out of 10. After the release of the Log4j patch, the vulnerability in the database was exploited in the wild shortly thereafter.

Consequently, several governmental cybersecurity organizations throughout the world, including the United States Cybersecurity and Infrastructure Security Agency, the Austrian CERT, and the United Kingdom National Cyber Security Centre, issued alerts urging organizations around the globe to instantly patch their systems. 
 
During a discussion with Jonathan Care, Senior Director Analyst at Gartner a better understanding of the security implications of the Log4j vulnerability was given. In his presentation, he discussed how organizations are susceptible to threats arising from this vulnerability. He also discussed what measures they should be taking to ensure their enterprise systems are protected against potential threats arising from the vulnerability. 
 

Are There Any Systems Affected by the Log4j Vulnerability? 
 

In addition to affecting enterprise applications and embedded systems, Log4j's vulnerability is extremely widespread. Thus, it may influence their sub-components, as well as their sub-systems. Java-based applications including Cisco Webex, Minecraft, and FileZilla FTP are all examples of affected programs, but this is by no means an exhaustive list. Ingenuity, a NASA helicopter mission in the Mars 2020 program, uses Apache Log4j's logging API to record events, so the vulnerability affects this mission as well. 
  
There are many resources available on the web which list vulnerable systems in the security community. Nevertheless, it should be noted that these lists are constantly changing, which makes it imperative to keep an eye on them. As a result, do not take a non-inclusion of a particular application or system as an indication that it will not be impacted by the patch. 

There is a high probability that a particular technology stack will be exposed to this vulnerability. The vulnerability is likely to affect key suppliers such as SaaS vendors, cloud hosting providers, and web hosting providers. 
 

Risk to Enterprise Applications and Systems, if the Vulnerability is Exploited

 
This vulnerability can be exploited by attackers if it is left unpatched, thus allowing them to take control of and infiltrate enterprise networks if it is left unpatched. The vulnerability is already being exploited by malware, ransomware, and a wide array of other automated threats that are actively taking advantage of this vulnerability. 
 
This vulnerability can be exploited with a great deal of ease  all an attacker needs to do is enter a simple string into a chat window, which is all that it takes. 
 
It is referred to as a "pre-authentication" exploit, which means that to exploit the vulnerability, the attacker does not have to sign into the vulnerable system. You should be prepared for the possibility of your web server becoming vulnerable. 
 

To Protect Their Enterprises From Cybersecurity Threats, What Should CyberSecurity Leaders Do? 

 
Identifying this vulnerability and remediating it as quickly as possible should be one of the top priorities for cybersecurity leaders. The first thing you should do is conduct a detailed audit of any applications, websites, and systems within your domain of responsibility that are connected to the internet or can be viewed as public-facing on the Internet. 

Consider the importance of protecting sensitive operational data such as customer details and access credentials, which are stored on systems that contain sensitive operational data. 
 
When you have completed the audit of your remote employees, you should turn your attention to the next step. Personal devices and routers that constitute a vital link in the chain of security should be updated by these provisions. An active, involved approach is likely to be required to achieve this. There is no point in simply issuing a list of instructions since this does not suffice. To gain access to a key enterprise application or data repository, vulnerable routers could be a potential entry point. Your IT team needs to support and cooperate with you in this endeavor. 
 
When an organization has created an incident response plan and initiated formal severe incident response actions, now is the appropriate time to implement formal severe incident response measures. A board of directors, the CEO, the CIO, and the entire organization must be involved in this incident as we believe all levels of the organization should be involved. 

Make sure you have informed senior leadership and that they are prepared to answer public questions about this issue. For at least the next 12 months, vigilance will be crucial for preventing the exploitation of this vulnerability and the attack patterns exploiting it. This is because neither is likely to disappear for some time.
Read more »
Ukraine
CERT-In Hacking Russian Cyber Security Sandworm Telecom Ukraine

Russia- Linked Sandworm Enacted Ukrainian Telecoms for Injecting Malicious Code


It was discovered that a Russian-based hacker known as Sandworm, impersonating Ukrainian telecommunications, targeted its entities and injected malware into them, leading to software infections throughout the country. 
 
The Sandworm is a group of hackers that are closely connected with the foreign military intelligence service of the Russian government called the GRU as a military unit 7445. It is an Advanced Persistent Threat (APT) group, which was responsible for several cyberattacks including on Ukrainian energy infrastructure. 
 
The recorded future was spying over the operations of government as well as private sectors. As per the report of “recorded future”, the rise in activities of Sandworm has been noticed since August 2022, tracked by the Computer emergency response team of Ukraine (CERT-UA). It is obvious from the frequency with which the Sandworm has been observed employing DNS domains for control and command infrastructure that it is a ruse to attack Ukrainian computers. 
 
Recorded Future further added in the report that, the APT group found a new infrastructure of UAC-0113, which imitates the operators such as Datagroup, and EuroTrans Telecom, which were responsible for placing DarkCrystal RAT, previously. 
 
The Recorded Future’s report entails “Identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploy Colibri Loader and Warzone RAT malware.” 
 
This new infrastructure of Advanced persistent threat group UAC-0113 distributed the commodity malicious ISO Colibri Loader and Warzone RAT by using HTML smuggling. This smuggling technique uses legalized features of HTML and JavaScript to inject malicious codes under security controls. 
 
The super-hacker team of Russia, Sandworm, is popularly known for its cyberattacks on the Ukrainian electrical grid in 2015 and 2016. In further research, it was also found responsible for the dropping of a botnet known as “Cyclops Blink”, which subjugated internet-connected firewall devices, etc from WatchGuard and ASUS. 
 
This APT group had also captured U.S. software under its cyberattacks, due to which the U.S government announced a reward of $10 million for providing the information of the hackers behind this Russian threat actor group. 
 
There are several examples of domains being used as masquerade such as the domain “datagroup[.]ddns[.]net”, tracked by CERT-UA, in June. It impersonated the data group as its online portal. Another example of deception is Kyivstar, in which the domain “kyiv-star[.]ddns[.net” was used by Sandworm against Ukrainian telecom services.
Read more »
Web Servers
CERT-In Government of India IP Address Nord Security Privacy VPNS Web Servers

Will VPN Providers and the Indian Government Clash Over New Rules on User Data Collection?


The Ministry of Electronics and Information Technology, which administers CERT-in, has mandated all VPN providers and cryptocurrency exchanges save user records for five years. Some of the most well-known VPN providers, such as NordVPN and ExpressVPN, claim to collect only the most basic information about their customers and to provide ways for them to stay relatively anonymous by accepting Bitcoin payments. 

VPNs reroute users' internet connections through a separate network; this can be done for a variety of reasons, such as connecting to a workplace network that is not available from the general internet or accessing prohibited websites by using servers in other nations. 

Another characteristic of VPNs several VPN companies like Nord promote as a selling factor is privacy. They frequently claim to keep no logs; Nord's no-logs policy has been examined by PriceWaterhouseCoopers regularly. However, the IT Ministry's ruling would force the corporation to deviate from such a guideline for servers in India.

What sort of data does the government expect firms to preserve? 
  • Names of subscribers/customers who have hired the services have been verified.
  • Hire period, including dates.
  • IP addresses assigned to/used by members.
  • At the moment of registration/onboarding, the email address, IP address, and time stamp were utilized. 
  • Why are users hiring services? 
  • Validated contact information and addresses.
  • Subscriber/customer ownership patterns when hiring services.

Official orders from CERT-In, the government agency in charge of investigating and archiving national cybersecurity incidents, have generated controversy. It was announced in a press release for all "Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers" would be bound to maintain a variety of user data for at least five years after the service was canceled or discontinued. 

VPN industry's comment on user data?

ExpressVPN stated, that their apps and VPN servers have been meticulously designed to completely erase sensitive data. As a result, ExpressVPN will never be forced to give non-existent client data.

"Our team is currently analyzing the latest Indian government decree to determine the best course of action. Because the law will not take effect for at least two months, we are continuing to work as usual. We are committed to protecting our clients' privacy, thus if no other options exist, we may withdraw our servers from India," Patricija Cerniauskaite, a spokesman for NordVPN stated.

If NordVPN leaves India, would you still be able to use it?

Users will most likely be able to connect to NordVPN's servers in other countries even if the company decides to leave India. According to reports, NordVPN has 28 servers in India which users in India and other countries can connect to. Surprisingly, NordVPN's Indian servers provide access to websites that are normally restricted in India.

India enters an unfortunate list of other large countries where Nord and other VPN providers have either pulled servers or never had a presence: Russia, where Nord and other VPN providers pulled servers just after the country ordered VPN firms to provide backdoor access to government on demand in 2019; and China, where VPN providers are subject to stringent controls. 

The Internet Freedom Foundation, a New Delhi-based digital rights advocacy group, claimed in a comprehensive statement released Thursday afternoon, the requirements were "extreme" and would impair VPN users' "individual liberty and privacy."
Read more »
WhatsApp
CERT-In User Privacy Vulnerabilities and Exploits WhatsApp

Two Outdated Software Bug Patched, Says WhatsApp

 

WhatsApp on Monday stated that it has addressed two bugs that existed on its outdated software program and that it had no cause to imagine that “these vulnerabilities were ever abused”. The official assertion got here within the wake of the latest advisory issued by the CERT-In, which cautioned WhatsApp customers about sure vulnerabilities within the app that might result in the breach of delicate info. CERT-In is the federal expertise arm for combating cyberattacks and guarding the online world.

According to this latest advisory, the vulnerability exists due to certain features on WhatsApp and thus allows hackers to access personal data like chats, images, videos, etc. by running malicious codes remotely. This vulnerability is linked “to a cache configuration issue and missing bounds check within the audio decoding pipeline.” 

“We regularly work with security researchers to improve the numerous ways WhatsApp protects people’s messages. As is typical of software products, we have addressed two bugs that existed on outdated software, and we have no reason to believe that they were ever abused,” a WhatsApp spokesperson informed PTI in a press release. 

The spokesperson added that WhatsApp “remains safe and secure, and end-to-end encryption continues to work as intended to protect people’s messages”.

An “excessive” severity rating advisory issued by the CERT-In, or the Indian Computer Emergency Response Team, on Saturday, had said that the vulnerability has been detected in the software that has “WhatsApp and WhatsApp Business for Android previous to v2.21.4.18 and WhatsApp and WhatsApp Business for iOS previous to v2.21.32”. 

“Multiple vulnerabilities have been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system,” the advisory had stated. The advisory had really useful customers replace their units with the newest model of WhatsApp from the Google Play retailer or iOS App Store to counter the vulnerability menace.

After facing intense scrutiny in India over its upcoming privacy update, consumer protection agencies in Brazil have now asked the government to act on the May 15 privacy update that will allow Facebook to aggregate users' data across all of its platforms.
Read more »
Subscribe to: Posts (Atom)