Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber. Show all posts
Phishing scam
AI scam Cyber Cyber Fraud Fraud Gmail Hack Google security Phishing scam

Gmail Confirms AI Hack: 2.5 Billion Users Warned of Phishing Scam

 

  
Gmail has issued a warning to its 2.5 billion users about a sophisticated AI-powered phishing attack. Fraudsters are using caller IDs that seem to originate from Google support, convincing users that their accounts have been compromised. Under the pretense of an account recovery process, they send an email with a recovery code that appears to come from a genuine Gmail address, Forbes reports.

Zach Latta, founder of Hack Club, noticed irregularities during an interaction with a so-called Google support agent. "She sounded like a real engineer, the connection was super clear, and she had an American accent," Latta told Forbes. Despite the convincing approach, the scam's goal is to deceive users into providing their login credentials, allowing cybercriminals to take control of their accounts.

Spencer Starkey, Vice President at SonicWall, emphasized the evolving nature of cyber threats: "Cybercriminals are constantly developing new tactics, techniques, and procedures to exploit vulnerabilities and bypass security controls, and companies must be able to quickly adapt and respond to these threats." He advised businesses to adopt a proactive cybersecurity approach, including regular security assessments and incident response planning.

Users Report Similar Fraud Attempts

According to the New York Post, Y Combinator founder Garry Tan shared his experience on X (formerly Twitter) after receiving phishing emails and phone calls.

"They claim to be checking that you are alive and that they should disregard a death certificate filed that claims a family member is recovering your account," Tan wrote, calling it an elaborate scheme to manipulate users into approving password recovery.

Microsoft solutions consultant Sam Mitrovic also encountered this scam months ago. Initially, he ignored the recovery notification and follow-up call, but when it happened again, he decided to answer.

"It's an American voice, very polite and professional. The number is Australian," Mitrovic recalled. He even verified the number on an official Google support page, making the deception more convincing. 

The caller alleged there was suspicious activity on his account and asked if he had logged in from Germany. When he denied it, the agent claimed someone had been accessing his account for a week and offered to help secure it. Mitrovic realized something was off when he spotted a suspicious email address in the follow-up message and stopped responding.

Forbes advises Gmail users to remain calm and immediately disconnect any call from so-called Google support, as Google does not contact users via phone. Instead, users should verify account activity themselves:
  • Use Google Search to check official security support pages.
  • Log into Gmail and navigate to the bottom right corner to review recent account activity.
  • Avoid sharing recovery codes with anyone over the phone.
With cyber threats evolving rapidly, vigilance is key to safeguarding online accounts.

Read more »
Phantom
Cyber Data Breach data security Phantom

Phantom Domains: The New Threat to Enterprise Cybersecurity

 

A recent study presented at the 2024 Web Conference has identified a rising cybersecurity risk known as “phantom domains.” These phantom domains result from unregistered or placeholder dot-com links that hackers can hijack, turning them into dangerous attack vectors. 

Phantom domains arise in two common forms: domain errors and placeholders. Domain errors often occur when web developers misspell a domain name, leaving users vulnerable to clicking on seemingly legitimate but unregistered links. 
For instance, a fictional company, Bob’s Sports Gear, might have a typo in their web link, such as “www.bobsportsgear.com” instead of “www.bobssportsgear.com,” leading to an unregistered phantom domain. 

Hackers can buy these domains and create spoofed versions of the real site, tricking users into providing sensitive information. Placeholder domains are another form of vulnerability. Developers may leave placeholder links in websites for future projects that never materialize, leaving the unregistered domains up for grabs. 

If attackers acquire these domains, they can easily set up malicious sites that resemble legitimate ones. Research suggests that phantom domains are far from rare, with over 572,000 such domains active on the web today. 

These links can go unnoticed for long periods, creating a window of opportunity for cybercriminals to exploit users’ trust in familiar websites. Once hijacked, these links can direct users to spoofed websites designed to steal credentials or deliver malware. 

To counter this threat, experts recommend enterprises scan their websites regularly for broken or incorrect links and educate employees about the dangers of phantom domains. In addition, using credential management tools that autofill login information only for verified domains can help prevent data breaches. 

Ultimately, while phantom domains may not pose an immediate threat if detected in time, they highlight a broader cybersecurity challenge: the need for proactive monitoring and human vigilance in an increasingly digital world.
Read more »
server access
Black Suit hackers Cyber Data Breach Hacker group KADOKAWA cyberattack Ransomware Threat server access

Hackers Warn of Further Attacks on KADOKAWA, Claim Ongoing Access to Servers

 

KADOKAWA is on high alert for potential cyberattacks from the Russian hacker group Black Suit after failed negotiations aimed at resolving a previous major cyber incident. Black Suit, known for its ransomware operations, has warned of further attacks following KADOKAWA's refusal to pay an $8 million ransom (around 1.1 billion yen).

In a recent update to Kyodo News, the hackers disclosed that discussions with the company had broken down.

“We demanded $8 million, but KADOKAWA did not comply,” Black Suit stated, cautioning that the company “will face the same problem repeatedly” as they still have access to KADOKAWA’s systems.

Cybersecurity specialist Katsuji Okamoto from Trend Micro commented on the matter, stressing the severity of the threat.

“Even if this is a bluff, KADOKAWA must reassess its systems and prepare for the worst. Black Suit is notorious for their persistence and thorough execution of attacks, typically carrying them out from start to finish independently.”

KADOKAWA, however, has chosen not to disclose specific details about the incident, citing an active police investigation.

“This is a matter under police investigation, and we cannot comment,” a company spokesperson said.

The company initially reported the cyberattack in early June, noting disruptions across multiple websites and services. Since then, KADOKAWA has provided regular updates on its progress in system restoration and investigation efforts.

On June 27, 2024, Black Suit reportedly revealed the full scale of the breach, claiming they had stolen 1.5 terabytes of sensitive data, including business plans, user information, contracts, and financial records.

The group alleged they exploited vulnerabilities within KADOKAWA’s network infrastructure, gaining access to a “control center” that enabled them to encrypt the entire network, impacting subsidiaries like Dwango and NicoNico.

They threatened to release the stolen data if the ransom was not paid by July 1, 2024.

As of August 5, KADOKAWA confirmed a data leak affecting 254,241 individuals, following an investigation by third-party experts.
Read more »
Smishing Scam
Automotive Industry Cyber cyber attack IRS phishing Ransomware Smishing Scam

IRS Warns Car Dealers of New Phishing and Smishing Threats


 

The Internal Revenue Service (IRS) has issued an urgent warning to car dealers and sellers across the United States, highlighting a surge in sophisticated phishing and smishing scams targeting the automotive industry. These cyber threats pose a significant risk to the daily operations of businesses, potentially leading to severe disruptions.

The warning follows a recent ransomware attack on CDK Global, a software provider for car dealerships. This cyberattack affected approximately 15,000 dealerships nationwide, crippling their scheduling, sales, and order systems. Some dealers were forced to revert to manual processes to continue their operations. In response to the attack, CDK Global reportedly paid a $25 million ransom to regain control of their systems.

According to the IRS, scammers are increasingly impersonating the agency to extract sensitive financial and personal information. These fraudulent communications often come in the form of emails or text messages, urging recipients to click on suspicious links, download malicious files, or provide confidential details. The IRS emphasised that such tactics are a "favourite" among cybercriminals.


Recommendations for Protection

To safeguard against these scams, the IRS provided several recommendations for both businesses and individuals:

1. Stay Alert to Fake Communications: Be cautious of unsolicited messages that appear to come from legitimate organisations, friends, or family. These messages may impersonate banks or other financial entities to deceive recipients into clicking harmful links.

2. Avoid Clicking Unsolicited Links: Never click on links in unsolicited emails or text messages, as they may lead to identity theft or malware installation.

3. Verify the Sender: If you receive a suspicious message, verify its authenticity by contacting the sender through a different communication method. Do not use contact information provided in the unsolicited message.

4. Do Not Open Attachments: Avoid opening attachments in unsolicited emails, as they can contain malicious code that can infect your computer or mobile device.

5. Delete Suspicious Emails: To prevent potential harm, delete any unsolicited emails immediately.


Vigilance is Key

The IRS stressed the importance of vigilance in the face of these evolving cyber threats. By following the recommended precautions, car dealers and sellers can reduce their risk of falling victim to phishing and smishing scams. As cybercriminals continue to refine their tactics, staying informed and cautious remains crucial for protecting sensitive information and maintaining business continuity.


Read more »
ransomware incident
City Hall computer disruption City Hall cyber problems Cleveland Cyber Cyber Attacks Digital threats IT systems breach Ransomware attack ransomware incident

Cleveland Confirms Ransomware Attack Behind City Hall Cyber Issues

 

Cleveland Mayor Justin Bibb’s office informed employees today that the "cyber incident" affecting City Hall computer systems was indeed a ransomware attack.

In an email sent to workers on Friday afternoon, which Signal Cleveland obtained, the city confirmed the ransomware presence following an investigation by city IT staff, the FBI, and the Ohio National Guard’s Cyber Reserve.

"The nature of the attack is still under investigation as we work to restore and recover our systems," the email stated. "At this time, we cannot disclose anything further, as this is a sensitive investigation."

This email marked the city’s first public acknowledgment of the ransomware attack since encountering computer system issues the previous Saturday.

The email noted that ransomware attacks are increasingly common, highlighting that no organization is immune to digital threats. Neither the employee message nor a subsequent news release from the city indicated whether the ransom had been paid.

"We are taking this matter very seriously and are working diligently to assess the full extent of the attack on our systems," the email continued. "We have taken immediate steps to validate our cybersecurity measures and are working to restore our systems as quickly as possible."

City Hall will remain closed to the public on Monday, though employees are expected to report to work. The mayor's office assured that essential services—emergency response, waste collection, recreation centers, the airport, and utilities—are still operational.
Read more »
Vulnerabilities and Exploits
CVE-2024-3400 Cyber Cybersecurity Palo Alto Networks PAN-OS firewall Remote Code Execution Threat actors Volexity Vulnerabilities and Exploits

Zero-Day Exploitation of Palo Alto Networks Firewall Allows Backdoor Installation

 

Suspected state-sponsored hackers have exploited a zero-day vulnerability in Palo Alto Networks firewalls, identified as CVE-2024-3400, since March 26. These hackers have utilized the compromised devices to breach internal networks, pilfer data, and hijack credentials.

Palo Alto Networks issued a warning on the active exploitation of an unauthenticated remote code execution flaw in its PAN-OS firewall software. Patch updates are slated for release on April 14. Given the ongoing exploitation, Palo Alto Networks opted to disclose the vulnerability and provide interim mitigations for customers until patches are fully deployed.

Further insights into the zero-day exploitation emerged from a subsequent report by Volexity, the entity that discovered the flaw. According to Volexity, hackers have been exploiting the vulnerability since March, employing a custom backdoor dubbed 'Upstyle' to infiltrate target networks and execute data theft. The activity, tracked under the designation UTA0218, is strongly suspected to be orchestrated by state-sponsored threat actors.

Volexity's investigation traced the zero-day exploitation to April 10, primarily targeting the GlobalProtect feature of Palo Alto Networks PAN-OS. The subsequent deployment of identical exploitation methods at another customer site underscored the severity of the situation. Despite the exploitation period starting as early as March 26, payloads were not deployed until April 10.

The 'Upstyle' backdoor, facilitated by a Python script, enables remote command execution on compromised devices. The backdoor leverages a path configuration file to execute commands, allowing threat actors to operate stealthily within compromised environments.

In addition to the 'Upstyle' backdoor, Volexity observed the deployment of additional payloads, including reverse shells, PAN-OS configuration data exfiltration tools, and the Golang tunneling tool 'GOST.' In some instances, threat actors pivoted to internal networks to steal sensitive files, such as Active Directory databases and browser data from specific targets.

Volexity recommends two methods for detecting compromised Palo Alto Networks firewalls: generating Tech Support Files to analyze forensic artifacts and monitoring network activity for specific indicators of compromise.

This incident underscores the increasing targeting of network devices by threat actors, as demonstrated by previous campaigns exploiting vulnerabilities in Fortinet, SonicWall, Cisco, TP-Link, and Barracuda devices.
Read more »
real-time crime prevention
Cyber Cyber Security Financial Fraud India-Interpol international crime strategy Interpol cooperation online radicalization real-time crime prevention

India Seeks Strengthened Interpol Collaboration for Real-Time Crime Prevention

 

India has called for coordinated efforts through Interpol channels to address transnational crimes, including terrorism, online radicalization, and cyber-enabled financial fraud, on a real-time basis, officials revealed on Friday. At the 91st General Assembly of Interpol in Vienna, the Indian delegation, headed by CBI Director Praveen Sood, emphasized the necessity of eliminating safe havens for criminals and the proceeds of crime. The delegation also advocated for cohesive strategies to restrict the activities of transnational criminal organizations.

The team, which included NIA Director General Dinkar Gupta, participated in the four-day assembly that commenced on November 28, coinciding with the centenary year of Interpol, established in 1923. The increased utilization of Interpol channels and global law enforcement relationships resulted in the repatriation of 24 criminals and fugitives wanted by India this year, marking a record high, as per the Central Bureau of Investigation (CBI) spokesperson.

In discussions with law enforcement agencies from various countries, India called for enhanced coordination through Interpol to combat organized crime, terrorism, drug trafficking, money laundering, online radicalization, and cyber-enabled financial crimes in real-time. Emphasizing the denial of safe havens for criminals, the delegation highlighted the importance of coordinated strategies against criminal organizations with international reach.

Detailed talks on police cooperation took place with delegations from Austria, the UAE, the US, the UK, Nepal, Brazil, Australia, Mauritius, New Zealand, Japan, Switzerland, Bangladesh, Singapore, and Zambia. The discussions aimed at improving the sharing of criminal information via Interpol channels to expedite mutual legal assistance and extradition requests.

India expressed support for Interpol's 'Vision 2030' and the establishment of the Interpol Future Council, a group of experts to ensure the development and implementation of Vision 2030 aligns with the evolving needs of law enforcement in member countries. The team engaged in discussions with senior officials from Interpol, Europol, Pacific Islands Chiefs of Police Organization, and the US Air Force Office of Special Investigations to enhance cooperation arrangements.

India, a member of Interpol since 1949, has actively participated in the organization, hosting two General Assemblies. During last year's 90th General Assembly, a resolution was adopted to strengthen collaborative responses against financial crime and corruption, combat online child sexual exploitation, and promote diversity within Interpol. Additionally, the Interpol's presence in the Metaverse was launched during the 90th General Assembly.
Read more »
User Safety
Cyber Cyber Approach Cyber Attacks Cyber Data Ransomware User Data User Safety

Beyond Security: The Comprehensive Approach to Tackling Cyberattacks

 

In today's digital landscape, organizations are increasingly facing the harrowing consequences of cyberattacks, particularly ransomware incidents. In these malicious schemes, hackers encrypt vital data, rendering it inaccessible, and then demand exorbitant payments for its restoration. 

Unfortunately, such attacks are becoming alarmingly common, with ransomware reigning as the most prevalent form of cyberattack worldwide. On average, victims are forced to bear the staggering cost of $4 million per breach. Shockingly, some experts predict that by 2031, cumulative damages from ransomware could exceed a staggering $250 billion.

As a response, organizations have been diligently allocating more security resources to prevent such attacks. However, the aftermath of a breach is often overlooked, leaving companies ill-prepared to recover their data. Consequently, the recovery process can drag on for months, causing severe disruptions to business operations.

To minimize the impact of ransomware attacks, a change in mindset is essential. Rather than merely bolstering defensive measures and hoping for the best, organizations must acknowledge the inevitability of such attacks and adopt a proactive approach. A robust data resilience plan becomes imperative, wherein files are safeguarded to withstand the attempts of cybercriminals. 

Modern technological advancements, including artificial intelligence (AI), have made it feasible to establish and manage such a defense effectively. By incorporating AI-driven solutions, organizations can significantly enhance their data protection capabilities and mitigate the devastating consequences of ransomware attacks.
Read more »
Windows
Cyber Data Safety malware Security Windows

Terminator Antivirus Killer: Vulnerable Windows Driver Masquerading as Threat

 

Spyboy, a threat actor, has been actively advertising the "Terminator" tool on a hacking forum predominantly used by Russian speakers. The tool supposedly possesses the ability to disable various antivirus, XDR, and EDR platforms. However, CrowdStrike has dismissed these claims, stating that the tool is merely an advanced version of the Bring Your Own Vulnerable Driver (BYOVD) attack technique. 

According to reports, Terminator allegedly has the capacity to evade the security measures of 24 distinct antiviruses (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) solutions. These include well-known programs such as Windows Defender, targeting devices operating on Windows 7 and later versions.

Spyboy, a seller specializing in software, offers a range of products designed to bypass security measures. Their software is available at various price points, starting at $300 for a single bypass and going up to $3,000 for a comprehensive all-in-one bypass solution.

"The following EDRs cannot be sold alone: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance," the threat actor says, with a disclaimer that "Ransomware and lockers are not allowed and I'm not responsible for such actions."

To utilize Terminator, the "clients" need to have administrative privileges on the targeted Windows systems and must deceive the user into accepting a User Account Controls (UAC) pop-up when executing the tool.

However, according to a CrowdStrike engineer's Reddit post, Terminator employs a technique where it places the legitimate and signed Zemana anti-malware kernel driver, known as zamguard64.sys or zam64.sys, into the C:\Windows\System32\ folder with a randomly generated name consisting of 4 to 10 characters.

Once the malicious driver is written to the disk, Terminator loads it to exploit its kernel-level privileges and terminate the user-mode processes of antivirus (AV) and endpoint detection and response (EDR) software running on the targeted device.

The exact method by which the Terminator program interacts with the driver remains unclear. However, a proof-of-concept (PoC) exploit was made available in 2021, which exploits vulnerabilities in the driver to execute commands with Windows Kernel privileges. This capability could be utilized to terminate security software processes that are typically safeguarded.

According to a VirusTotal scan, currently only one anti-malware scanning engine has detected a driver as vulnerable. To assist defenders in identifying this vulnerable driver used by the Terminator tool, Florian Roth, the head of research at Nextron Systems, and threat researcher Nasreddine Bencherchali have shared YARA and Sigma rules that can be used.

This method is commonly employed by threat actors who aim to evade security software on compromised machines. They achieve this by escalating privileges, installing vulnerable Windows drivers, executing malicious code, and delivering additional harmful payloads.

These attacks, known as Bring Your Own Vulnerable Driver (BYOVD) attacks, involve dropping legitimate drivers with valid certificates onto victims' devices. These drivers can operate with kernel privileges, effectively disabling security solutions and taking control of the system.

Various threat groups, including financially motivated ransomware gangs and state-sponsored hacking organizations, have utilized this technique for several years. Recently, security researchers at Sophos X-Ops discovered a new hacking tool called AuKill being used in the wild. This tool disables EDR software by utilizing a vulnerable Process Explorer driver before launching ransomware attacks in BYOVD scenarios.
Read more »
Safety
API Keys Cyber Data data security malware PyPI Package Safety

This Fraudulent ‘SentinelOne’ PyPI Package Steals Data from Developers

 

Researchers discovered criminals spoofing a well-known cybersecurity firm in an attempt to steal data from software developers. ReversingLabs researchers recently discovered a malicious Python(opens in new tab) package called "SentinelOne" on PyPI. 

The package, named after a well-known cybersecurity firm in the United States, masquerades as a legitimate SDK client, enabling easy access to the SentinelOne API from within a separate project. 

However, the package also includes "api.py" files that contain malicious code and allow threat actors to steal sensitive data from developers and send it to a third-party IP address (54.254.189.27). Bash and Zsh histories, SSH keys,.gitconfig files, hosts files, AWS configuration information, Kube configuration information, and other data are being stolen.

According to the publication, these folders typically store auth tokens, secrets, and API keys, granting threat actors additional access to target cloud services and server endpoints.

Worse, the package does provide the functionality that the developers expect. In reality, this is a hijacked package, which means that unsuspecting developers may use it and become victims of their own ignorance. The good news is that ReversingLabs confirmed the package's malicious intent and had it removed from the repository after reporting it to SentinelOne and PyPI.

The malicious actors were very active in the days and weeks leading up to the removal. The package was first submitted to PyPI on December 11, and it has been updated 20 times in less than a month.The researchers discovered that one of the issues fixed with an update was the inability to exfiltrate data from Linux systems.

The researchers concluded that it is difficult to say whether anyone fell for the scam because there is no evidence that the package was used in an actual attack. Nonetheless, all of the published versions were downloaded over 1,000 times.
Read more »
Safety
Cyber Cyber Security Data data security Safety

For More Than a Month, a Cyberattack has Kept an Entire Nation's Government Offline

 

Cyberattacks on government institutions are nothing new, but they may reach new heights. Recent incidents this fall show that entire municipal or even national governments may be vulnerable to significant disruption from cybercriminals. 

Technologically, the effects can send entire populations decades back in time. The Pacific Island nation of Vanuatu's government has been offline due to a cyberattack since early November. The nature of the attack is still unknown, and only about 70% of government services have been restored after a month. On the first day of its term, November 6, Vanuatu's newly elected government began to notice problems with official computer systems. All government computer services were eventually disabled.

Officials were unable to access government email accounts, citizens were unable to renew driver's licences or pay taxes, and medical and emergency information became unavailable. The country decided to revert to pen and paper for many daily functions.

The government acknowledges that a breach in its centrally connected systems was discovered in early November, but refuses to elaborate. According to some sources, including the press in nearby Australia, which dispatched specialists to assist with system repair, the incident was a ransomware attack. The nature of the breach, however, has yet to be confirmed by Vanuatu's government.

Suffolk County identified a ransomware attack on September 8 and responded by shutting down its computer systems. The blackout impacted government divisions from the police to social services, forcing them to revert to technology from the early 1990s.

Furthermore, the county stated that the attackers stole personal details such as driver's licence numbers from citizens. A county executive accused a cyber group known as BlackCat, which had previously been linked to attacks in Italy and Florida.

Little information has surfaced about Vanuatu's level of preparedness prior to the incident, but Suffolk County officials' concerns were dismissed months before the September attack. The computers in the United States did not use two-factor authentication and were running on obsolete computer systems that would be too expensive to upgrade.

Due to their fewer resources than large governments, regions like Suffolk County and small countries like Vanuatu make excellent cyberattack targets. Because there are so many other small targets for cybercriminals to target around the world, similar incidents are likely to occur in the future.
Read more »
Safey
Cyber Data data security Infostealer malware Safey

This Infostealer has a Lethal Sting for Python Developers

 

Checkmarx cybersecurity researchers discovered over two dozen malicious packages on PyPI, a popular repository for Python developers, and published their findings in a new report (opens in new tab). 

These malicious packages, which are designed to look almost identical to legitimate ones, attempt to dupe inexperienced developers into downloading and installing the wrong one, thereby spreading malware. The practice is known as typosquatting, and it is widely used by cybercriminals who target software developers. 

The attackers use two distinct methods to conceal the malware: steganography and polymorphism. Steganography is the practice of concealing code within an image, allowing threat actors to spread malicious code via seemingly innocent.JPGs and.PNGs. Polymorphic malware, on the other hand, changes the payload with each installation, allowing it to avoid detection by antivirus software and other cybersecurity solutions.

These techniques were used by the attackers to deliver WASP, an infostealer capable of stealing people's Discord accounts, passwords, cryptocurrency wallet information, credit card data, and any other information on the victim's endpoint that the attacker deems interesting.

When the data is identified, it is returned to the attackers via a hard-coded Discord webhook address. The campaign appears to be a marketing ploy, as researchers discovered threat actors advertising the tool on the dark web for $20 and claiming that it is undetectable.

Furthermore, the researchers believe this is the same group that was behind a similar attack reported earlier this month by Phylum(opens in new tab) and Check Point researchers (opens in new tab). It was previously stated that a group known as Worok had been distributing DropBoxControl, a custom.NET C# infostealer that uses Dropbox file hosting for communication and data theft, since at least September 2022.

Worok, based on its toolkit, is thought to be the work of a cyberespionage group that operates quietly, moves laterally across target networks, and steals sensitive data. It also appears to be using its own, proprietary tools, as no one else has been observed using them.
Read more »
Security
attacks Backdoor Cyber Data malware Safety Security

Irresponsibile Malware Operators Squandered an "Undetectable" Windows Backdoor

 

Due to the malware operators' careless behaviour, a "completely undetectable" backdoor has been discovered. 

SafeBreach Labs claims to have discovered a brand new PowerShell backdoor that, when properly executed, grants attackers remote access to compromised endpoints. From there, the attackers could launch a variety of stage-two attacks, ranging from data stealers to ransomware (opens in new tab) and everything in between. 

Based on the report, an unknown threat actor created "ApplyForm[.]docm," a weaponized Word document. It contained a macro that, when activated, ran an unknown PowerShell script.

"The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under '%appdata%\local\Microsoft\Windows," the researchers explained

Updater.vbs would then execute a PowerShell script, granting the attacker remote access. The malware creates two PowerShell scripts, Script.ps1 and Temp.ps1, before running the scheduled task. The contents are concealed and placed in text boxes within the Word document, which is then saved in the fictitious update directory. As a result, antivirus software fails to identify the file as malicious.

Script.ps1 connects to the command and control server to assign a victim ID and receive additional instructions. Then it executes the Temp.ps1 script, which stores data and executes commands. The attackers made the mistake of issuing victim IDs in a predictable sequence, which allowed researchers to listen in on conversations with the C2 server.

While it is unknown who is behind the attack, the malicious Word document was uploaded from Jordan in late August of this year and has so far compromised approximately one hundred devices, most of which belong to people looking for new jobs. The Register reader described their encounter with the backdoor, offering advice to businesses looking to mitigate the damage that unknown backdoors can cause.

“I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning."

"They have zero-trust [ZT] and Ringfencing so although the macro ran, it didn't make it outside of Excel,” they said. “A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this."
Read more »
threats
Cyber Cyber Attacks Data Ransom Ransomware Security threats

How Ransomware Turned Into the Stuff of Nightmares for Modern Businesses

 

Few cyberthreats have progressed as rapidly in recent years as ransomware, which has become a global scourge for businesses over the last two decades. 

Ransomware has evolved from simple infect and encrypt attacks to double- and now triple-extortion attacks, making it one of the most dangerous security threats of the modern era. Meanwhile, with the rise of ransomware-as-a-service, it has become more accessible to would-be cybercriminals as well.

Techradar spoke with Martin Lee, Technical Lead of Security Research at Cisco Talos, to learn more about the threat posed by ransomware and the steps businesses can take to protect themselves.

What characteristics make ransomware attacks so effective and difficult to counter?

Ransomware is essentially the 21st century equivalent of kidnapping. The criminal steals something valuable and demands payment in exchange for its return. The ransomware business model has progressed over time to become a highly efficient source of revenue for criminals.

A ransomware attack should not be taken lightly. Criminals attempt to evoke an immediate response by encrypting and rendering a system inaccessible. If a critical system is disrupted, the bad folks know that the victim will have a strong incentive to pay.

Ransomware attacks are launched through every possible entry point. Criminals will look for any vulnerability in perimeter defences in order to gain access. The profitability of ransomware drives criminals' tenacity; the attacks' ubiquity makes them difficult to defend against. To defend against such attacks, excellent defences and constant vigilance are required.

What are the most significant changes in ransomware operations since the days of simple infect and encrypt attacks?

Modern criminal ransomware attacks first appeared in the mid-2000s. Initially, these were mass-market' attacks in which criminals distributed as much malware as possible without regard for the nature or identity of the systems being targeted. Although the vast majority of malware would be blocked, a small percentage would be successful in infecting and encrypting systems, and a small number of these would result in payment of a ransom.

In 2016, ther noticed a change in the ransomware model. SamSam, a new ransomware variant, was distributed in an unusual manner. The group behind this malware planned ahead of time, exploiting vulnerabilities in externally facing systems to gain a foothold within the organisation. Once inside, they expanded their access, looked for key systems, and infected them with ransomware.

Criminals can significantly disrupt the operation of an organisation by researching their target and disrupting business critical systems. Criminals use this approach to demand a much higher ransom than if they compromise a single laptop, for example.

In what ways do you expect ransomware attacks to develop further in the years to come?

Ransomware has proven to be a reliable source of revenue for criminals. However, the success of the attacks is not guaranteed. The less profitable the activity becomes as more attacks are blocked.

Malicious emails and attempts to download malware can be blocked by perimeter defences. Filtering connections at the IP address or DNS layer can prevent malware from communicating with its command and control systems. End-point protection systems can detect and block malicious malware, and effective backup solutions can restore affected systems.

With a better understanding of the effects of ransomware and stronger defences, fewer successful attacks will be witnessed and ransomware will become unprofitable. However, as organisations become smarter, so do criminals, and ransomware will continue to exist.
Read more »
Meta
Campaign Cyber Data Facebook Hackers malware Meta

Bitter APT and Transparent Tribe Campaigns on Social Media

 

Facebook's parent company, Meta, has recently shut down two cyberespionage efforts on its social networking networks. Bitter APT and Transparent Tribe threat groups were behind these campaigns. Both groups have been based in South Asia.

About Bitter APT:

The first group discovered was Bitter APT or T-APT-17, which targeted firms in the government, engineering, and energy industries. The group used social engineering against targets in India, the United Kingdom, New Zealand, and Pakistan.

To install malware on target devices, it exploited a combination of hijacked websites, URL shortening services, and third-party file hosting companies. To interact with and fool their victims, the hackers impersonated activists, journalists, and young women. Bitter also utilised Dracarys, a new Android malware that exploits accessibility services.

Transparent Tribe

Transparent Tribe, also known as APT36, is less complex than Bitter APT. It employs social engineering techniques as well as widely available malware. Its most recent campaign targeted citizens in India, Pakistan, Afghanistan, Saudi Arabia, and the United Arab Emirates. 

Human rights advocates and military officials were the primary targets of the campaign. The hackers pretended to be recruiters for bogus and real firms, as well as young ladies and military personnel.

In conclusion

Social media has become a playground for cybercriminals of all sorts. Cyberspies utilise these platforms to gather intelligence and lure victims to external sites where malware may be downloaded. As a result, users are advised to exercise caution while befriending strangers online.
Read more »
Singapore
attackers Computer Cyber Cyber Security Hackers Quantum computing Security Singapore

Singapore Increases its Investment in Quantum Computing, to Keep Ahead of Security Risks

 

Singapore aims to improve its quantum computing capabilities through new initiatives to build necessary skill sets and quantum equipment. It emphasises the importance of doing so in order to keep encryption technology resilient and capable of withstanding "brute force" attacks. 

The Singapore government announced on Tuesday that it will set aside SG$23.5 million (17.09 million) to support three national platforms under its Quantum Engineering Programme (QEP) for a period of up to 3.5 years. The scheme is a component of the country's Research, Innovation, and Enterprise 2020 (RIE2020) strategy. 

Two of these platforms were presented today, including the National Quantum Computing Hub, which will pool knowledge and resources from the Centre for Quantum Technologies (CQT), as well as local universities and research institutes, to strengthen key skill sets. 

Teams from CQT, the National University of Singapore, Nanyang Technological University, A*STAR's Institute of High Performance Computing (IHPC), and the National Supercomputing Centre (NSCC) would seek to establish international collaborations and train new talent in order to address a skills shortage in the emerging industry. CQT and IHPC researchers would also create quantum computing hardware and middleware, with potential applications in finance, supply chain, and chemistry. 

The National Supercomputing Center (NSCC) would offer the supercomputing capacity required to design and train algorithms for usage on quantum computers. A second initiative, National Quantum Fabless Foundry, was launched to facilitate the micro and nano-fabrication of quantum devices in cleanrooms run by industrial partners. 

The platform, which would be hosted at A*STAR's Institute of Materials Research and Engineering, would aid in the creation of products in quantum computations, communication, and sensing. Singapore's Deputy Prime Minister and Coordinating Minister for Economic Policies, Heng Swee Keat, stated in his address announcing the new efforts that the country needs to stay alert in the face of growing dangers. Heng compared cyber threats to a "cat and mouse game," saying that efforts were made to keep ahead of hostile actors who were always looking for new holes to attack. 

With the cyber world rapidly developing, he believes quantum technology has the potential to be a "game changer." "Strong encryption is key to the security of digital networks. The current encryption standard, AES 256, has held up, as few have the computing power to use brute force to break the encryption. But this could change with quantum computing," he cautioned. 

"For some cryptographic functions, the fastest quantum computer is more than 150 million times faster than the fastest supercomputer. Quantum computers can solve in minutes a problem which takes a supercomputer 10,000 years." 

This underscored the importance of quantum technology research, the minister said. "Our investment in quantum computing and quantum engineering is part of our approach of trying to anticipate the future and proactively shaping the future that we want." 

He said that as digitalisation increased, so did cyber concerns and that Singapore must continue to spend to keep ahead of possible threats. He went on to say that the fabless foundry will use the country's manufacturing skills to create quantum devices that would tackle "real-world difficulties" in collaboration with industry partners.
Read more »
Ukraine
Cyber Cyber Attacks Cyber Warfare Hackers Hacking Event Network Security Ukraine

Ukraine Hosts Massive Scale Simulation of Cyber-attack Against Energy Grid

 

Cybersecurity experts from throughout Ukraine took part in a large-scale cyber-attack simulation that echoed the destructive real-world strike on Ukraine's power infrastructure in 2015. 

With 250 participants, 49 teams battled – either digitally or in person at a Kiev venue – to earn points by resolving an attack against an imaginary energy provider after it had multiple unexpected system failures. Security experts from Ukraine's governmental and private sectors, as well as higher education institutions, worked for five and a half hours to determine the nature of a hostile network penetration before dismissing the intruder and recovering systems to normal operation. 

The winning team was Berezha Security Group from Kiev, and cybersecurity engineer Dmitry Korzhevin was the best-performing individual participant. The competition, which took place on December 2, was the latest Grid NetWars event hosted by SANS Institute, a US information security training organisation, with previous tournaments held in Singapore, India, Japan, and Australia. 

The event was also coordinated by Ukraine's National Security and Defense Council, State Service of Special Communication and Information Protection, and the Cybersecurity Critical Infrastructure project for the US Agency for International Development (USAID). 

Ihor Malchenyuk, head of cybersecurity regulatory assistance and institutional development at the USAID Cybersecurity for Critical Infrastructure in Ukraine project stated, “Every day 560,000 new malicious programs are detected in the world, therefore it is necessary to constantly improve qualifications and ‘pump’ the skills of cybersecurity specialists.” 

“Such competitions as Grid NetWars provide an opportunity to practice not only the knowledge and skills of each specialist separately but also train joint interaction. After all, the training conditions are as close to reality as possible.” 

Tim Conway, technical director of the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) programs at SANS, assisted event participants with the help of two other US-based infosec experts. 

“Grid NetWars is a product that has existed for a number of years and has been used in country-level exercises since its creation,” Conway told The Daily Swig. 

“It has also been leveraged by practitioners around the world who attend critical infrastructure or industrial control system-specific events like the SANS ICS Summit where Grid NetWars competitions are conducted in the evenings after courses.” 

The latest, Ukraine-based event had successfully enabled “participants to face real-world challenges, develop skillsets, gain exposure to technical tools, and most importantly ‘practice the way they play through collaboration, and provided the opportunity to work together in teams just like they would in a real-world incident response”, he added. 

Conway assisted in the investigation of the 2015 attack on three Ukrainian power distribution centres, which knocked out power for up to six hours and left 225,000 people without power. A year later, the country's electrical grid was hit again, and Ukraine's then-president, Petro Poroshenko, said that thousands of recent cyberattacks on state institutions were proof that Russian secret agencies were waging a cyberwar against the country.
Read more »
Subscribe to: Posts (Atom)