Showing posts with label CPR.

Iranian Hacker Group Void Manticore Linked to Destructive Cyber Attacks on Israel and Albania

 

A recent report from Check Point Research (CPR) describes the activities of an Iranian threat group tracked as Void Manticore, which CPR links to a series of destructive cyber attacks on Israel and Albania. Affiliated with Iran's Ministry of Intelligence and Security (MOIS), Void Manticore operates alongside another MOIS-affiliated actor, Scarred Manticore, to carry out these attacks.

The group operates under several online personas, including "Karma" for attacks in Israel and "Homeland Justice" for those in Albania. Its tactics involve gaining initial access to target networks with publicly available tools and then deploying custom wipers to render data inaccessible on both Windows and Linux systems. CPR's analysis details a systematic hand-off between the two groups: Scarred Manticore first gains access and exfiltrates data from the targeted network.

Control is then transferred to Void Manticore, which carries out the destructive phase of the operation. This division of labour amplifies the scale and impact of the attacks. The report underlines the overlaps between the Israel and Albania attacks: the same vulnerabilities exploited for initial access, similar tooling, and the same two-stage coordination between the groups. Together these suggest a well-established routine.

Void Manticore's toolkit includes several custom wipers: the CI Wiper, partition wipers such as LowEraser, and the recently deployed BiBi wiper, named after Israeli Prime Minister Benjamin Netanyahu. Rather than encrypting data for ransom, these wipers corrupt files and overwrite partition tables to disrupt system functionality. A wiped partition table does not by itself destroy the file-system data that follows it on disk, so inspecting the first sectors of an affected disk image is a useful first step in forensic triage.
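As an added illustration of the partition-table triage mentioned above (this is example code written for this page, not CPR's tooling or anything recovered from the wipers), the following Python parses sector 0 of a disk image as a classic MBR and classifies it as intact, signature-wiped, or table-emptied. The sample MBR is constructed in memory; the partition layout, offsets and the two "wipe" shapes are assumptions for the demonstration. Note the caveat that GPT disks carry only a protective MBR (type 0xEE) here, with the real table in the GPT header at LBA 1, which this check does not cover.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow this offset
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a valid MBR


@dataclass
class PartitionEntry:
    bootable: bool
    type_code: int      # e.g. 0x07 NTFS/exFAT, 0x83 Linux, 0xEE GPT protective
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four classic MBR partition entries (CHS fields are skipped)."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # Entry layout: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) count(4), little-endian
        status, type_code, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_code == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        entries.append(PartitionEntry(status == 0x80, type_code, lba_start, count))
    return entries


def triage_mbr(sector: bytes) -> str:
    """Classify sector 0 of a disk image for incident triage."""
    if sector[510:512] != BOOT_SIGNATURE:
        return "boot signature missing"      # whole sector overwritten or zeroed
    if not parse_partition_table(sector):
        return "partition table empty"       # signature kept, 64-byte table zeroed
    return "intact"


def build_sample_mbr() -> bytes:
    """Constructed sample (assumption): a bootable NTFS partition followed by a Linux one."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16, 0x00, 0x83, 1_002_048, 500_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    intact = build_sample_mbr()
    print(triage_mbr(intact), parse_partition_table(intact))
    # A wiper that zeroes the whole first sector leaves no boot signature at all.
    print(triage_mbr(bytes(SECTOR_SIZE)))
    # A subtler wipe keeps the signature but zeroes only the 64-byte table.
    zeroed_table = bytearray(intact)
    zeroed_table[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64] = bytes(64)
    print(triage_mbr(bytes(zeroed_table)))
```

On a real image, read the first 512 bytes of the raw device or E01/dd file and pass them to `triage_mbr`; if the result is anything but "intact", the file-system headers that normally start at the listed LBA offsets may still be present and can be carved before any repair is attempted.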

The exposure of Void Manticore's activities and its collaboration with Scarred Manticore underlines the growing sophistication and coordination of state-affiliated threat actors. The combination of psychological pressure (the hack-and-leak personas) with destructive malware is a significant escalation, posing substantial risk to national security and critical infrastructure.

As these threats continue to evolve, nations and organisations need to strengthen their defences and their ability to detect, mitigate, and respond to such attacks. The CPR report is a reminder of the persistent and evolving threat posed by state-affiliated actors like Void Manticore and Scarred Manticore.

The Importance of Security CPR to your Business Cannot be Overstated

 


In a recent article, the FBI indicated that cybercrime increased by 207 percent between 2008 and 2021, with an estimated $7 billion in business losses in 2021 alone. By one widely cited estimate, a cyberattack is attempted roughly every 39 seconds. In the 21st century, cybersecurity is no longer a luxury but a necessity for every business.

Cybersecurity extends far beyond a collection of technologies, applications, and network infrastructure. A culture of awareness, policies, procedures, supporting technologies, and a support network are all crucial. And because no protective measure is fully effective, businesses must also be able to respond and recover when something goes wrong.

A solid cybersecurity foundation can be built on the Security CPR model, which has three keystones:
  • Communication and Education
  • Prevention and Protection
  • Recovery and Response

Communication and Education

In cybersecurity, the human factor is a serious risk. You and your team naturally want to do the best job you can for your company and for the people you deal with every day, and attackers exploit exactly that: human nature is their prime tool for gathering information and coaxing people into harmful actions.

Such actions appear helpful at the time, but in fact serve the attacker. Communicating with your team is the most effective way to keep them aware of the risks: they should know what to look for and what steps to take when they encounter something suspicious, which matters most when an attack is already suspected.

That message is reinforced through education and security awareness training. Continuous education keeps the team up to date on the latest threats and keeps cybersecurity in focus at all times.

Prevention and protection

Prevention means stopping an attack before it starts; protection means stopping an attack that is already under way. Both require security technology and services matched with reasonable policies and procedures.

Keeping attackers out of the system is the key to prevention. Next-generation endpoint protection guards devices against malware; DNS/web protection blocks connections to known-malicious domains before a payload can be downloaded; advanced threat protection screens inbound email for phishing, malicious links, and infected attachments before they reach the inbox; and cloud-managed endpoint services keep those features continuously updated.

Protection focuses on stopping an attack in its tracks. Multi-factor authentication (MFA) ensures that an attacker who obtains your username and password still cannot access your account without the second factor. Note that MFA based on SMS codes or simple push approvals can still be phished or worn down by repeated prompts; phishing-resistant methods such as FIDO2 security keys close that gap.

Encrypting disks and email prevents an attacker who obtains your data from reading or reusing it. The cybersecurity market offers a wide range of services, but they need not be expensive: some protections simply require proper configuration of services you already have, and many others are available for a small monthly fee per user or device and can be bought as needed. Prioritise the services that prevent and protect against the most common attacks and those that would cause the greatest harm to your business.

Recovery and Response

No prevention or protection is foolproof. Recovery is the process of returning the company to normal operation after an incident; how well you contain the effects of a successful attack is determined by how you respond to the challenges that arise.

Recovery covers the whole process of restoring the business, from the first return to operations through to full business as usual, measured against your recovery time objective (RTO). If your computers have been infected with ransomware, all of them may need to be wiped and reinstalled.

To avoid becoming a victim, plan, implement, and verify continuity services before you come under attack. For example, keeping pre-attack images of your servers and workstations that can be brought up in a temporary data centre lets you meet your RTO while repair and recovery of the original systems is still in progress. Images and backups that stay online and writable are themselves targets for ransomware, so keep at least one copy offline or immutable and test restores regularly.

Responding to an incident involves the whole company. After a successful attack you will need to deal with your insurance carrier, employees, customers, vendors, and law enforcement. The incident may also trigger mandatory reporting requirements in several jurisdictions and, if protected information may have been lost, litigation and significant financial and other penalties.

Conflicting interests add complexity to the response. Your insurance carrier may press you to pay the ransom to save on recovery costs, but paying may violate federal law, including 18 U.S. Code 2339B (providing material support to designated terrorist organisations) and other sections that might apply; a payment to a sanctioned actor can also breach U.S. Treasury (OFAC) sanctions regulations.

Successful recovery and response come from thinking through exactly what needs to be done to recover from and respond to a disaster: establishing an incident response (IR) plan, developing and validating the plan of action, and ensuring that the resources you will need are available either directly or through your insurance company.

The Security CPR model gives you a framework for understanding, planning for, and responding to risks and attacks. Incorporate these tenets as fully as possible when dealing with a cyberattack, and keep them in view throughout your operations.

WhatsApp Files on Dark Web Show Millions of Records for Sale

 

In mid-November 2022, a threat actor claimed on a dark web forum to have stolen the personal records of around 500 million WhatsApp users. Check Point Research (CPR) subsequently published an advisory analysing the leaked files, which contain some 360 million phone numbers from 108 countries.

The number of exposed records varies widely by country, from 604 for Bosnia and Herzegovina to 35 million attributed to Italy. In the first days after the post the files, which include international dialling codes, were offered for sale; the same data is now circulating free of charge among hackers.

The leak first surfaced on 16 November in a post by the threat actor on the hacking forum BreachForums.

"While the information on sale does not expose the content of any messages themselves, it is still worrying to see such a large volume of phone numbers for sale on the Dark Web. There is the potential that this information could be used as part of tailored phishing attacks in the future,” Deryck Mitchelson, field CISO of EMEA at CPR said. 

Once threat actors have users' phone numbers and sell them on, attacks such as smishing and vishing are likely to follow.

“The WhatsApp ‘leak’ is nothing more than phone numbers obtained from the Facebook ‘leak’ that took place in 2019. The sample of 5000 WhatsApp data records from Poland is identical to those we already saw in 2019,” Paciorek claimed. 

Smishing (phishing via SMS) and vishing (phishing via phone call or voicemail) have risen sharply in recent years and are likely to keep increasing. Typically such texts purport to come from your bank and ask you to supply personal or financial details such as your account number or card PIN. Treat any such text from an unverified source with suspicion, and contact the bank through a number you already know rather than one given in the message.

Trickbot has Corrupted over 140,000 Devices

 

According to cyber threat intelligence firm Check Point Research (CPR), Trickbot, a banking Trojan that targets businesses and consumers for financial and personal data, has infected over 140,000 devices belonging to customers of Amazon, Microsoft, Google, and 57 other organisations since November 2020. The investigation focuses on Trickbot, first discovered in 2016 as a banking Trojan and since expanded into a botnet and a delivery platform for ransomware and other malware.

Trickbot and Emotet have frequently been paired in attacks. TrickBot was often delivered as the payload of Emotet's targeted phishing emails, and TrickBot has in turn delivered Emotet samples, which is the scenario currently at hand.

CPR has observed Trickbot's operators targeting high-profile victims to steal and corrupt valuable sensitive data, and notes that those running the infrastructure are highly skilled at malware development. Trickbot is mostly used to steal financial information, account credentials, personally identifiable information, and even bitcoin. Its modular design lets it be adapted to many different use cases, which makes it far more dangerous.

The more than 140,000 infected devices, according to Alexander Chailytko, Check Point's cyber security, research and innovation manager, appear to be mostly computers belonging to the general public, plus "some companies". The figure is derived from telemetry from Check Point's own customers, so the true count is "greater than" 140,000, and the vendor has more or less visibility in different parts of the world, Chailytko said.

"Trickbot has affected one out of every 45 enterprises. Over the previous few months, we've noticed a decrease in Trickbot campaign activity," the researcher stated. Users can defend against Trickbot by opening documents only from trusted sources, using a unique password for every account, and keeping software and antivirus signatures up to date.
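Because the Trickbot/Emotet chain described above starts with a phishing document, one concrete control behind "only open documents from trusted sources" is to check inbound Office attachments for embedded VBA before they reach a user. The Python below is an added example written for this page (not CPR's or Check Point's code): it inspects an Office Open XML container for the two standard macro indicators (a `vbaProject.bin` part and a `macroEnabled` content type) and flags legacy OLE2 files, which need a different parser. The sample documents are constructed in memory and are not real Word files; the quarantine policy is an assumption.

```python
import io
import zipfile
from typing import Dict

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt compound file
VBA_PART_SUFFIX = "vbaProject.bin"                 # OOXML part that holds VBA code
MACRO_CONTENT_TYPE_MARKER = "macroEnabled"         # appears in [Content_Types].xml for docm/xlsm/pptm


def macro_indicators(document: bytes) -> Dict[str, bool]:
    """Report which macro indicators are present in an Office attachment.

    Inspects content, not the file extension, so a .docm renamed to .docx is still caught.
    Legacy OLE2 files are only flagged here; parsing their VBA streams needs an OLE parser.
    """
    result = {"ooxml": False, "vba_part": False, "macro_content_type": False, "legacy_ole": False}
    if document[:8] == OLE2_MAGIC:
        result["legacy_ole"] = True
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(document)) as zf:
            result["ooxml"] = True
            names = zf.namelist()
            result["vba_part"] = any(n.endswith(VBA_PART_SUFFIX) for n in names)
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_content_type"] = MACRO_CONTENT_TYPE_MARKER in ctypes
    except zipfile.BadZipFile:
        pass  # not a ZIP container: neither OOXML nor OLE2
    return result


def should_quarantine(document: bytes) -> bool:
    """Assumed policy: hold anything with VBA indicators, and all legacy OLE2 files, for review."""
    ind = macro_indicators(document)
    return ind["legacy_ole"] or ind["vba_part"] or ind["macro_content_type"]


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container (assumption): just enough structure to exercise the check."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    vba_override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>' if with_macros else "")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("macro", build_sample_docx(True))):
        print(label, macro_indicators(doc), "quarantine" if should_quarantine(doc) else "deliver")
```

Either indicator alone is enough to hold a file: the content type can be edited out while the VBA part remains, and vice versa, so the check deliberately does not require both.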

Flaw in WhatsApp could allow hackers to alter messages







A cybersecurity firm has disclosed flaws in the messaging app WhatsApp that could let attackers alter users' messages and change the text of quoted replies.

Israel-based cybersecurity firm Check Point Research (CPR) found that the weakness could be exploited in three ways: by changing the apparent sender of a quoted message in a group conversation, by altering the text of someone else's reply, and by sending a private message to a group participant disguised as a message to the whole group. CPR warned that 'malicious actors' could use these techniques to spread misinformation and fake news.

The researchers presented their findings at the Black Hat security conference in Las Vegas in 2019.

They showed a video demonstrating how quickly a message can be manipulated.

The team said they had notified Facebook, WhatsApp's parent company, in 2018, but the company did not act on the report; WhatsApp addressed the third vector, while the two quote-manipulation techniques remain unresolved.

In a written statement released by the CPR's site, the company said: 'Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application that would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources.

'We believe these vulnerabilities to be of the utmost importance and require attention.'

A WhatsApp spokesman declined to comment.
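The quote-manipulation vectors above come down to one design question: is a quoted message carried as a client-supplied copy that the recipient displays as-is, or as a reference that the recipient's own client re-resolves from its local history? The Python below is an added toy model written for this page; it is not WhatsApp's protocol, CPR's tooling, or a working attack against any real client. The `Message` shape, the group store and the rendering functions are assumptions. It shows the vulnerable rendering, which trusts the embedded copy, beside the hardened one, which resolves the quoted message by id on the receiving side (in an end-to-end encrypted system the server cannot do this, so the check has to live in the recipient's client).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    text: str
    quoted_id: Optional[str] = None        # reference to the message being replied to
    quoted_copy: Optional[dict] = None     # sender-supplied copy of the quote: untrusted input


class RecipientClient:
    """Assumed model of one participant's local view of a group chat."""

    def __init__(self) -> None:
        self.history: Dict[str, Message] = {}

    def receive(self, msg: Message) -> None:
        self.history[msg.msg_id] = msg

    def render_trusting_copy(self, msg_id: str) -> str:
        """Vulnerable: displays whatever quote the sender chose to embed."""
        m = self.history[msg_id]
        if m.quoted_copy:
            q = m.quoted_copy
            return f'{m.sender}: [quoting {q["sender"]}: "{q["text"]}"] {m.text}'
        return f"{m.sender}: {m.text}"

    def render_resolving_reference(self, msg_id: str) -> str:
        """Hardened: ignores the embedded copy and re-resolves the quote from local history."""
        m = self.history[msg_id]
        if m.quoted_id is None:
            return f"{m.sender}: {m.text}"
        original = self.history.get(m.quoted_id)
        if original is None:
            # Never accept a quote the client cannot verify; show that it is unverified.
            return f"{m.sender}: [quote unavailable] {m.text}"
        return f'{m.sender}: [quoting {original.sender}: "{original.text}"] {m.text}'


def demo() -> Tuple[str, str, str]:
    """Constructed scenario: mallory replies to alice but rewrites the quoted text."""
    client = RecipientClient()
    client.receive(Message("m1", "alice", "Let's meet at 10."))
    client.receive(Message("m2", "mallory", "Agreed!", quoted_id="m1",
                           quoted_copy={"sender": "alice", "text": "Let's cancel the project."}))
    # A quote that points at a message this client never saw cannot be verified either.
    client.receive(Message("m3", "mallory", "See above.", quoted_id="m99",
                           quoted_copy={"sender": "bob", "text": "I approve the transfer."}))
    return (client.render_trusting_copy("m2"),
            client.render_resolving_reference("m2"),
            client.render_resolving_reference("m3"))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The hardened renderer also has to handle the case where the referenced message is missing from the recipient's history (it was sent before they joined, or was deleted); silently falling back to the embedded copy at that point would reopen the hole, so the example surfaces the quote as unavailable instead.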