Android Flaw Exposes DNS Queries Despite VPN Kill Switch

Several months ago, a Mullvad VPN user discovered a serious privacy problem for Android users. Even with the Always-On VPN feature enabled, which keeps the VPN connection up at all times, and with the "Block connections without VPN" setting enabled, which acts as a kill switch so that only the VPN tunnel may carry network traffic, Android devices leak DNS queries while switching between VPN servers.

Enabling "Block connections without VPN" (the kill switch) is supposed to force all network traffic through the always-connected VPN tunnel, so that nobody on the path can observe the user's Internet activity. During its investigation, Mullvad found that even with both features enabled on the latest Android release (Android 14), a bug still leaks some DNS information.

The leak affects apps that call the C library function getaddrinfo directly; getaddrinfo performs protocol-independent translation of a text hostname into IP addresses. Android leaks DNS traffic from such apps in two situations: when a VPN is active but has not configured any DNS server, and when the VPN app re-configures the tunnel, crashes, or is force-stopped.

Mullvad clarified that the leak does not occur in apps that resolve names solely through Android's own API, such as DnsResolver. Apps such as Flash Player and Chrome, which obtain address information directly from the OS via getaddrinfo, are affected. This is concerning because it contradicts what the OS promises when these security features are enabled.

Given the severity of the issue, users may want to be cautious about using Android devices for sensitive tasks, and to add protective measures, until Google fixes the bug and backports the patch to older Android versions.

The first scenario, a VPN that is active without a configured DNS server, is easily mitigated: the VPN app can configure a bogus DNS server so that the system never falls back to the underlying network's resolver. Mullvad has not been able to mitigate the second scenario, the leak during tunnel reconnection, and because the behaviour comes from the OS rather than from any one app, it most likely affects every other Android VPN app as well.

Mullvad had already discovered in October 2022 that every time an Android device joined a WiFi network it performed connectivity checks outside the tunnel, leaking traffic that exposes the device's IP address and DNS lookups, even with Always-on VPN and "Block connections without VPN" enabled.

Leaked DNS traffic can reveal a user's approximate location and the online services they use, a serious threat to privacy. That risk remains until Google ships a fix and backports it to older Android versions.
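As an added example (not from Mullvad or the original post), the Python below shows how a practitioner can check a device for this leak: capture DNS traffic on all interfaces (for instance `tcpdump -i any -n port 53` from an adb shell on a rooted device), then flag every outbound query that left on an interface other than the tunnel. The capture lines are constructed, the tunnel interface is assumed to be `tun0` and the Wi-Fi interface `wlan0`, and the line format is the one tcpdump 4.99 and later prints for the "any" pseudo-interface.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample of `tcpdump -i any -n port 53` output, in the format tcpdump 4.99+
# prints on the "any" pseudo-interface (interface name and direction included).
# Not a real capture: addresses and names are made up. The tunnel interface is assumed
# to be tun0 and the underlying Wi-Fi interface wlan0.
SAMPLE_CAPTURE = """\
10:00:01.000001 tun0 Out IP 10.64.0.2.40001 > 10.64.0.1.53: 1001+ A? example.com. (29)
10:00:01.000533 tun0 In  IP 10.64.0.1.53 > 10.64.0.2.40001: 1001 1/0/0 A 93.184.216.34 (45)
10:00:07.120000 wlan0 Out IP 192.168.1.23.40002 > 192.168.1.1.53: 1002+ A? mail.example.org. (34)
10:00:07.121000 wlan0 Out IP 192.168.1.23.40003 > 192.168.1.1.53: 1003+ AAAA? mail.example.org. (34)
10:00:07.130000 wlan0 In  IP 192.168.1.1.53 > 192.168.1.23.40002: 1002 1/0/0 A 203.0.113.10 (50)
10:00:12.000000 tun0 Out IP 10.64.0.2.40005 > 10.64.0.1.53: 1004+ A? update.example.net. (36)
"""

# One tcpdump line: timestamp, interface, direction, "IP"/"IP6", src.port > dst.port: payload
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)
# The query part of a DNS request, e.g. "1002+ A? mail.example.org. (34)"
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z0-9]+)\?\s+(?P<name>\S+)")


@dataclass(frozen=True)
class DnsLeak:
    ts: str
    iface: str
    resolver: str
    qtype: str
    name: str


def find_dns_leaks(capture, tunnel_iface="tun0"):
    """Return outbound DNS queries that left the device on any interface but the tunnel."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "Out" or m["dport"] != "53":
            continue
        if m["iface"] == tunnel_iface:
            continue  # went through the VPN: fine
        q = QUERY_RE.search(m["rest"])
        if q is None:
            continue  # not a parseable query
        leaks.append(DnsLeak(m["ts"], m["iface"], m["dst"], q["qtype"], q["name"]))
    return leaks


def leak_summary(leaks):
    """Map each leaking interface to the sorted list of hostnames it exposed."""
    summary = {}
    for leak in leaks:
        summary.setdefault(leak.iface, set()).add(leak.name)
    return {iface: sorted(names) for iface, names in summary.items()}


if __name__ == "__main__":
    # Pipe a real capture in on stdin (e.g. `adb shell tcpdump -i any -n -l port 53 | python3 leakcheck.py`)
    # or run with no input to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    found = find_dns_leaks(text)
    for leak in found:
        print(f"LEAK {leak.ts} {leak.iface} -> {leak.resolver}: {leak.qtype} {leak.name}")
    print("summary:", leak_summary(found))
```

On the constructed sample the two `wlan0` queries for `mail.example.org` are exactly the kind of getaddrinfo lookups the post describes: they reach the Wi-Fi router's resolver instead of the tunnel's. Run the capture while switching servers or force-stopping the VPN app to reproduce the reconnect scenario, and note that the check only sees traffic on port 53, so it says nothing about encrypted DNS.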

Securing Wearable Devices: Potential Risks and Precautions

In the rapidly evolving landscape of digital security, individuals are increasingly vulnerable to cyber threats, not only on conventional computers and smartphones but also on wearable devices. The surge in smartwatches and advanced fitness trackers presents a new frontier for potential security breaches.

Just like traditional devices, wearables store and transmit valuable data, making them attractive targets for hackers. If successfully compromised, these devices could become conduits for unauthorized prescription orders or even allow the tracking of an individual's location through the embedded GPS feature. The threat extends beyond personal wearables, with concerns arising about vulnerabilities in medical offices and equipment. The FDA has issued warnings about potential loopholes that hackers could exploit to target critical medical devices such as pacemakers and insulin pumps.

The risk isn't confined to personal privacy; there's a growing concern about the impact a hacked wearable could have on corporate networks. With the proliferation of connected devices, a compromised smartwatch might provide an easier entry point for hackers seeking to infiltrate company systems, especially if the wearable syncs with multiple networks.

One notable vulnerability lies in the Bluetooth connection that wearables commonly share with smartphones. While any internet-connected device carries inherent risks, wearables often use smartphones as intermediaries rather than operating as standalone devices. Presently, security compromises have mainly originated from devices connected to wearables or compromised external databases, making wearables a theoretical but legitimate concern.

To mitigate these risks, users are advised to exercise caution when installing apps on their wearables. Verifying the legitimacy of sources, checking user reviews, and researching app safety are essential steps to ensure the security of wearable devices. This advice extends to smartphones, where users should scrutinize app permissions, restricting access to unnecessary information and promptly deleting suspicious apps.

In this era of pervasive connectivity, safeguarding personal and corporate data requires a proactive approach, extending beyond conventional devices to include the emerging frontier of wearable technology.

Report: Possible Chinese Malware in US Systems a 'Ticking Time Bomb'

According to a report by The New York Times on Saturday, the Biden administration has raised concerns about China's alleged implantation of malware into crucial US power and communications networks. The officials fear this could act as a "ticking time bomb" capable of disrupting US military operations in the event of a conflict.

The malware, as reported by the Times, could potentially grant China's People's Liberation Army the capability to disrupt not only US military bases' water, power, and communications but also those of homes and businesses across the country. 

The main concern is that if China were to take action against Taiwan, they might utilize this malware to hamper US military operations.

This discovery of the malware has led to a series of high-level meetings in the White House Situation Room, involving top military, intelligence, and national security officials, to track down and eliminate the malicious code.

Two months prior to this report, Microsoft had already warned about state-sponsored Chinese hackers infiltrating critical US infrastructure networks, with Guam being singled out as one target. 

The stealthy attack, ongoing since mid-2021, is suspected to be aimed at hindering the United States in case of a regional conflict. Australia, Canada, New Zealand, and Britain have also expressed concerns that Chinese hacking could be affecting infrastructure globally.

The White House, in response, issued a statement that did not specifically mention China or military bases. The statement emphasized the administration's commitment to defend the US critical infrastructure and implement rigorous cybersecurity practices.

These revelations come at a tense moment in US-China relations, with China asserting its claim over Taiwan and the US considering restrictions on sophisticated semiconductor sales to Beijing.

Kenya's eCitizen Service Faces Downtime: Analyzing the Cyber-Attack

The attack on Kenya's eCitizen platform was claimed by Anonymous Sudan, a group whose targeting resembles that of Russian hacking groups: it has predominantly gone after Western or West-aligned countries and governments and has avoided any attacks within Russia itself.

During the Wagner mutiny in June, the group expressed its support for the Kremlin, stating that it did not involve itself in Russian affairs but wanted to repay Russia for the support it had received during a similar incident in its own country.

The attack on Kenya was a Distributed Denial of Service (DDoS), a well-known technique in which attackers flood an online service with traffic so that it is overloaded and goes offline. Anonymous Sudan used the same method in its attack on Microsoft services in June.

According to Joe Tidy, the BBC's cyber correspondent who has covered the group, it is difficult to ascertain the true identity of those behind the attack.

Kenya's Information Minister said the attackers tried to jam the system by generating far more requests than normal, gradually slowing it down. No data was exfiltrated, which would have been highly embarrassing.

Kenya had a reasonably strong cybersecurity infrastructure, ranking 51st out of 182 countries on the UN ITU's Cybersecurity Commitment Index. 

However, the extensive impact of the attack demonstrated the risks of relying heavily on digital technology for critical economic functions without adequately prioritizing cybersecurity. Cybersecurity and digital development should go hand-in-hand, a lesson applicable to many African countries.

Out of 50,000 Cybercrimes Reported in 6 Years, Only 23% Successfully Solved

Over nearly six and a half years, up to May 31 of this year, 50,027 cybercrime cases were reported in Bengaluru.

The resolution rate for these cases is low: only 11,895 (approximately 23%) have been solved, and merely 29 individuals convicted. The home minister, G Parameshwara, revealed these statistics in response to a query during a legislative assembly session.

The highest annual count, 10,553 cases, was recorded in 2019, and the lowest, 2,042, in 2017. There were 9,940 cases in 2022 and 6,226 in the first five months of this year, suggesting a further increase in cybercrime this year.

Among the categories, 41% (20,662 cases) involved debit/credit card fraud and illegal online money transfers. Other prevalent scams were advance-fee fraud (9,198 cases, 18%) and card skimming (5,012 cases, 10%). In advance-fee or gift scams, fraudsters convince victims that a gift is waiting for them but that various fees must be paid to release it from customs.

Addressing this concerning trend, Bengaluru police commissioner, Dayananda, emphasized the importance of raising public awareness as a key measure to combat cybercrime effectively. He acknowledged that cybercriminals continuously develop new techniques, making it crucial to alert the public about emerging threats. 

The police have been actively disseminating cautionary messages through social media platforms to alert the public about cybercrimes. Additionally, they have been conducting awareness programs in educational institutions such as schools and colleges to educate students about different forms of cybercrimes and ways to protect themselves.

To enhance their capabilities in handling cybercrime cases, the police have been conducting regular workshops for police personnel to keep them updated with the latest developments and investigative techniques in the field of cybercrime.

Google Cloud's Security Strategy: Emphasizing 'Secure by Design' and 'Secure by Default'

As artificial intelligence takes center stage, organizations are grappling with new questions about which security measures are appropriate and how they should evolve. For Google LLC and Google Cloud, securing the organization combines central teams that provide consistent infrastructure and tooling with specialized security engineering teams embedded in individual product areas such as Google Kubernetes Engine (GKE).

This approach follows the company's philosophy of being "secure by design" and "secure by default" for both infrastructure and products, according to Phil Venables, Vice President and Chief Information Security Officer of Google Cloud.

During an interview at the Supercloud 3 event, Venables discussed the importance of making security intrinsic to products and reducing software supply chain risks. The main challenge highlighted by Chief Information Security Officers today is the lack of cybersecurity talent.

Venables emphasized that Google aims to alleviate this challenge by adopting a secure by design and secure by default approach, aiming to assist customers in securing their environments without adding to their burdens.

The company also embraces the shared fate model, extending its responsibility to provide better defaults, guidance, and guardrails to customers, regardless of whether they use Google Cloud or other platforms like Azure or AWS. 

Google focuses on equipping customers with the necessary tools and services to secure their environments across various platforms, including Chronicle, VirusTotal, and other products. 

Additionally, Google actively contributes to open-source and standards communities, emphasizing security improvements to benefit not only the cloud but the entire IT infrastructure. This commitment to security not only builds trust in technology and cloud services but also helps manage risks effectively.

Beyond Security: The Comprehensive Approach to Tackling Cyberattacks

In today's digital landscape, organizations are increasingly facing the harrowing consequences of cyberattacks, particularly ransomware incidents. In these malicious schemes, hackers encrypt vital data, rendering it inaccessible, and then demand exorbitant payments for its restoration. 

Unfortunately, such attacks are becoming alarmingly common, with ransomware reigning as the most prevalent form of cyberattack worldwide. On average, victims are forced to bear the staggering cost of $4 million per breach. Shockingly, some experts predict that by 2031, cumulative damages from ransomware could exceed a staggering $250 billion.

As a response, organizations have been diligently allocating more security resources to prevent such attacks. However, the aftermath of a breach is often overlooked, leaving companies ill-prepared to recover their data. Consequently, the recovery process can drag on for months, causing severe disruptions to business operations.

To minimize the impact of ransomware attacks, a change in mindset is essential. Rather than merely bolstering defensive measures and hoping for the best, organizations must acknowledge the inevitability of such attacks and adopt a proactive approach. A robust data resilience plan becomes imperative, wherein files are safeguarded to withstand the attempts of cybercriminals. 

Modern technological advancements, including artificial intelligence (AI), have made it feasible to establish and manage such a defense effectively. By incorporating AI-driven solutions, organizations can significantly enhance their data protection capabilities and mitigate the devastating consequences of ransomware attacks.

Cybercriminals Masquerade as Cybersecurity Company to Hijack Entire PCs

In the latest cyber threat, hackers have devised a new approach to deceive unsuspecting victims, even borrowing reputable names as cover. A ransomware-as-a-service (RaaS) operation called "SophosEncrypt" has emerged, masquerading as the cybersecurity vendor Sophos.

The operation of SophosEncrypt was brought to light by MalwareHunterTeam on Twitter and has since been acknowledged by Sophos. Initially, there were suspicions that this might be a red team exercise conducted by Sophos itself—a simulated attack to test their security measures. 

However, it has been confirmed that SophosEncrypt is entirely unrelated to the cybersecurity firm and has only adopted its name to instill a sense of urgency and seriousness for victims to comply with the attackers' demands.

The ransomware is distributed through yet unknown means, but common methods include phishing emails, malicious websites, popup ads, and exploiting software vulnerabilities. BleepingComputer reports that the ransomware campaign is active and explains how the encryption process functions.

When executed, SophosEncrypt demands a token associated with the targeted victim, which is verified online before initiating the attack. Nevertheless, researchers have discovered that disabling network connections can bypass this step. 

Once operational, the attacker gains the ability to encrypt specific files or the entire device, appending the ".sophos" extension to the encrypted files. Subsequently, victims are prompted to contact the attackers for file decryption, with payment usually demanded through untraceable cryptocurrency. Simultaneously, the Windows desktop wallpaper is changed to notify the user of the encryption using the Sophos name.

Sophos has gathered some information about the attackers: the infrastructure they use has previously been associated with Cobalt Strike command-and-control activity and crypto-mining software.

To safeguard against the rising tide of ransomware attacks, it is essential to exercise caution. Refrain from accepting files from unfamiliar sources, even from individuals you know, as they could be unwitting carriers of malicious content due to being hacked themselves. 

Additionally, be aware that legitimate cybersecurity companies would never encrypt files and demand payment for recovery. Hence, if something seems suspicious, it is best to err on the side of caution and take steps to protect yourself from potential threats.

Sophisticated Cloud Credential Theft Campaign Targets AWS, Expands to Azure and Google Cloud

A cybercriminal group behind a sophisticated cloud-credential stealing and cryptomining campaign has recently expanded its targets beyond Amazon Web Services (AWS) to include Microsoft Azure and Google Cloud Platform (GCP). 

Researchers from SentinelOne and Permiso have been tracking the campaign and have found significant similarities between the tools used in this campaign and those associated with the notorious threat actor known as TeamTNT, who is primarily driven by financial motives.

The campaign's broader targeting started in June and has been evolving with incremental refinements since December. The recent attacks on Azure and GCP cloud services involve the same core attack scripts used in the AWS campaign. 

However, according to Alex Delamotte, a threat researcher at SentinelOne, the capabilities for Azure and GCP are less developed compared to those for AWS.

TeamTNT is well-known for exploiting cloud misconfigurations and vulnerabilities to target exposed cloud services. Originally focused on cryptomining campaigns, the group has now expanded its activities to include data theft and backdoor deployment. 

Recently, the attackers have been targeting exposed Docker services using modified shell scripts capable of profiling systems, searching for credential files, and exfiltrating them. They also collect environment variable details to identify valuable services for potential future attacks.

The attacker's toolset works across different cloud service providers and does not show significant automation for Azure or GCP beyond credential harvesting, indicating that much of the activity may involve manual intervention.

In addition to the shell scripts used in earlier attacks, TeamTNT has started using a UPX-packed, Golang-based ELF binary that drops and executes another shell script for propagating to other vulnerable targets. 

This worming propagation mechanism specifically targets Docker instances with certain user-agent versions, which could be hosted on Azure or GCP.

The researchers from SentinelOne and Permiso believe that TeamTNT is currently testing its tools in Azure and GCP environments without pursuing specific objectives on impacted systems. However, organizations using Azure and GCP should remain vigilant, as similar attack frameworks to those used against AWS may be employed against their cloud environments.

Recently, Sysdig also updated a report linking the ScarletEel cloud credential stealing and cryptomining campaign to TeamTNT's activity, further emphasizing the threat posed by this group. To defend against such attacks, administrators are encouraged to collaborate with their red teams to understand the most effective attack frameworks for these cloud platforms.

"Pacu is a known red team favorite for attacking AWS," Delamotte says. "We can expect these actors will adopt other successful exploitation frameworks."
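As an added illustration (not code from SentinelOne, Permiso or the attackers), the following Python audit looks at a host the way the credential-harvesting scripts described above would: it checks the standard CLI credential file locations and the environment for secret-bearing variable names, and reports what an intruder on that host could collect, with values redacted. The file list and variable-name patterns are my assumptions about typical harvester targets, and the sample environment and home directory are constructed with fake keys.

```python
import configparser
import os
import re

# Credential files, relative to $HOME, that cloud credential harvesters typically look for.
# These are the standard CLI locations; the list is an assumption about harvester targets,
# not a copy of the group's script.
CREDENTIAL_FILES = {
    ".aws/credentials": "aws",
    ".aws/config": "aws",
    ".azure/accessTokens.json": "azure",
    ".azure/azureProfile.json": "azure",
    ".config/gcloud/application_default_credentials.json": "gcp",
    ".config/gcloud/credentials.db": "gcp",
    ".docker/config.json": "docker",
    ".kube/config": "kubernetes",
    ".git-credentials": "git",
}

# Environment variable names whose values would hand an intruder cloud or service access.
SENSITIVE_ENV = re.compile(
    r"^(AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)|AZURE_CLIENT_SECRET"
    r"|GOOGLE_APPLICATION_CREDENTIALS|.*(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY).*)$"
)

# Constructed sample environment and home directory (fake keys, nothing real).
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "HOME": "/root",
    "AWS_ACCESS_KEY_ID": "AKIAFAKEFAKEFAKEFAKE",
    "AWS_SECRET_ACCESS_KEY": "fakefakefakefakefakefakefakefakefakefake",
    "DB_PASSWORD": "not-a-real-password",
}
SAMPLE_HOME = {
    ".bashrc": "export EDITOR=vim\n",
    ".aws/credentials": (
        "[default]\naws_access_key_id = AKIAFAKEFAKEFAKEFAKE\n"
        "aws_secret_access_key = fakefakefakefakefakefakefakefakefakefake\n\n"
        "[ci]\naws_access_key_id = ASIAFAKEFAKEFAKEFAKE\n"
        "aws_secret_access_key = fakefakefakefakefakefakefakefakefakefake\n"
        "aws_session_token = FwoGZXIvYXdzEFAKE\n"
    ),
    ".docker/config.json": '{"auths": {"registry.example.com": {"auth": "ZmFrZTpmYWtl"}}}',
}


def redact(value):
    """Show just enough of a value to recognise it without reproducing the secret."""
    return value[:4] + "****" if len(value) > 8 else "****"


def audit_env(env):
    """Environment variables an attacker could harvest with `env` / `printenv`."""
    return [
        {"kind": "env", "name": name, "preview": redact(value)}
        for name, value in sorted(env.items())
        if SENSITIVE_ENV.match(name)
    ]


def audit_home(files):
    """files maps a path relative to $HOME to its contents; returns harvestable credential files."""
    findings = []
    for rel, content in sorted(files.items()):
        provider = CREDENTIAL_FILES.get(rel)
        if provider is None:
            continue
        finding = {"kind": "file", "path": rel, "provider": provider}
        if rel == ".aws/credentials":
            cp = configparser.ConfigParser(interpolation=None)
            cp.read_string(content)
            finding["profiles"] = cp.sections()
            # Long-lived IAM user keys (no session token) are the most valuable to a thief.
            finding["long_lived_profiles"] = [
                s for s in cp.sections()
                if cp.has_option(s, "aws_secret_access_key") and not cp.has_option(s, "aws_session_token")
            ]
        findings.append(finding)
    return findings


def load_home(home=None):
    """Read the real credential files from disk for a live audit of this host."""
    home = home or os.path.expanduser("~")
    files = {}
    for rel in CREDENTIAL_FILES:
        path = os.path.join(home, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[rel] = fh.read()
    return files


if __name__ == "__main__":
    # Live run against this host; substitute SAMPLE_ENV / SAMPLE_HOME to see the constructed case.
    for finding in audit_env(dict(os.environ)) + audit_home(load_home()):
        print(finding)
```

Anything this audit reports on a container or build host is what the shell scripts in the campaign would exfiltrate; the fix is to move long-lived keys to short-lived role credentials and to keep secrets out of the process environment of exposed services such as the Docker daemon.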

A Few Cybercriminals Account for All Email Extortion Attacks, New Research Reveals

New research conducted by Barracuda Networks, in collaboration with Columbia University, has revealed that a surprisingly small group of cybercriminals is responsible for the majority of email extortion attempts worldwide. The study examined over 300,000 flagged emails, identified as extortion attacks by the company's AI detectors, over a one-year period.

To estimate the number of attackers, the researchers traced the bitcoin wallet addresses provided in the emails, since cybercriminals favour this payment method for the anonymity and ease of transactions that cryptocurrency offers.

However, the number of bitcoin addresses doesn't necessarily indicate the exact number of attackers. According to Columbia Master's student Zixi (Claire) Wang, who authored the report, the actual number of attackers is likely even fewer than 100, as attackers often use multiple bitcoin addresses.

The monetary demands in these email attacks were relatively low, with approximately a quarter of the emails requesting less than $1,000 and over 90% asking for less than $2,000. Wang speculates that cybercriminals opt for smaller amounts to avoid raising suspicion with victims' banks or tax authorities, and victims are more likely to comply with lower demands without investigating the legitimacy of the threat.

The researchers also observed that Bitcoin was the sole cryptocurrency used by the attackers in their dataset. Wang suggests this is because Bitcoin offers a high level of anonymity, allowing anyone to generate numerous wallet addresses.

The common scams employed by the attackers involved claims of possessing compromising photos or videos obtained by hacking the target's device camera, with the threat of releasing the material unless the victim paid. The research revealed, however, that the majority of attackers were bluffing: they had no such material and had not infected the target's systems with malware.

The silver lining in this research is that the small number of perpetrators worldwide could be advantageous for law enforcement efforts. Wang believes that tracking down even a few of these attackers could significantly disrupt this cyber threat.

Furthermore, given the similarity in tactics and templates used by extortion attackers, Wang suggests that email security vendors could block a substantial portion of these attacks using relatively simple detectors. This could provide an additional layer of protection against such cyber threats.
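As an added example (not Barracuda's detector or the study's own code), the Python below shows both halves of that analysis on constructed messages: it extracts Bitcoin payment addresses, verifies their checksums (Base58Check for legacy 1.../3... addresses, the BIP173 bech32 polymod for bc1... addresses) so that random strings are not counted as wallets, groups flagged messages by wallet, and applies the kind of simple phrase-plus-address detector the author suggests. The sample e-mails, phrase list and thresholds are mine; the three valid addresses are well-known public test addresses, not wallets from the study.

```python
import hashlib
import re
from collections import defaultdict

# Constructed messages in the style the study describes (not real mail). The payment addresses
# are well-known public test addresses: the genesis-block address, the Bitcoin wiki's P2SH
# example and the BIP173 bech32 test vector. msg-4 carries a corrupted copy that fails its checksum.
SAMPLE_EMAILS = {
    "msg-1": "I have recorded you through your webcam. Send $950 in BTC to "
             "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or the video goes to your contacts.",
    "msg-2": "Your device was infected with my malware and your camera recorded everything. "
             "Pay $1,800 in bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 24 hours.",
    "msg-3": "Last warning: your webcam recording will be released unless you transfer $700 in BTC to "
             "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy or bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 within 72 hours.",
    "msg-4": "Hi team, the Q3 invoice is attached; payment reference 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb.",
}

ADDR_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
DEMAND_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")
THREAT_PHRASES = ("webcam", "camera", "recorded", "malware", "video", "hours", "contacts")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def base58check_ok(addr):
    """Legacy 1.../3... address: 25 bytes = version + hash160 + 4-byte double-SHA256 checksum."""
    n = 0
    for c in addr:
        i = B58.find(c)
        if i < 0:
            return False
        n = n * 58 + i
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]


def bech32_ok(addr):
    """bc1... address: BIP173 polymod over expanded HRP plus data must equal the bech32 constant."""
    addr = addr.lower()
    pos = addr.rfind("1")
    hrp, data = addr[:pos], addr[pos + 1:]
    if pos < 1 or any(c not in BECH32 for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + [BECH32.find(c) for c in data]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate((0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)):
            if (top >> i) & 1:
                chk ^= g
    return chk in (1, 0x2BC830A3)  # bech32 (segwit v0) or bech32m (v1+)


def valid_btc_address(addr):
    return bech32_ok(addr) if addr.lower().startswith("bc1") else base58check_ok(addr)


def classify(text):
    """Simple detector: a checksum-valid payment address plus at least two threat phrases."""
    lowered = text.lower()
    phrases = [p for p in THREAT_PHRASES if p in lowered]
    addresses = [a for a in ADDR_RE.findall(text) if valid_btc_address(a)]
    demands = [int(d.replace(",", "")) for d in DEMAND_RE.findall(text)]
    return {
        "extortion": bool(addresses) and len(phrases) >= 2,
        "addresses": addresses,
        "phrases": phrases,
        "demands": demands,
        "small_demand": any(d < 2000 for d in demands),
    }


def cluster_by_wallet(emails):
    """Group flagged messages by the wallet they point to; one wallet is at most one operator."""
    clusters = defaultdict(list)
    for msg_id, text in emails.items():
        verdict = classify(text)
        if verdict["extortion"]:
            for addr in verdict["addresses"]:
                clusters[addr].append(msg_id)
    return dict(clusters)


if __name__ == "__main__":
    for msg_id, text in SAMPLE_EMAILS.items():
        print(msg_id, classify(text))
    print("wallets:", cluster_by_wallet(SAMPLE_EMAILS))
```

The checksum step matters for the counting the study did: without it, any 26-to-35-character token beginning with 1 or 3, such as the corrupted reference in msg-4, would inflate the number of apparent wallets. Clustering by wallet also gives only an upper bound on attackers, for the reason the report notes: one operator can rotate through many addresses.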

Massive Data Breach at HCA Healthcare: 11 Million Patients' Information Compromised by Hackers

Hospital and clinic operator HCA Healthcare has announced that it experienced a significant cyberattack, posing a risk to the data of at least 11 million patients. 

The breach affects patients in 20 states, including California, Florida, Georgia, and Texas. HCA Healthcare, headquartered in Nashville, disclosed that the compromised data includes potentially sensitive information such as patients' names, partial addresses, contact details, and upcoming appointment dates.

This breach, discovered by the company on July 5, is considered one of the largest healthcare breaches in history. HCA Healthcare revealed that the hackers accessed various types of information, including patient names, cities, states, zip codes, emails, telephone numbers, dates of birth, genders, service dates, locations, and next appointment dates.

"This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages," the company said in its Monday announcement.

"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate," it said.

If the estimated number of affected patients reaches 11 million, this breach would rank among the top five healthcare hacks reported to the Department of Health and Human Services Office for Civil Rights. The most severe breach in this sector occurred in 2015, when medical insurer Anthem was compromised, affecting 79 million individuals. In that case, Chinese spies were indicted, but there is no evidence that the stolen data was ever sold.

According to the Associated Press, the suspected hacker behind the HCA breach initially posted a sample of the stolen data online on July 5, attempting to sell it and potentially extort HCA. The hacker claimed to possess 27.7 million records and subsequently released a file on Monday containing nearly 1 million records from HCA's San Antonio division.

To ensure the legitimacy of any invoices or billing requests, HCA is advising patients to contact the chain at (844) 608-1803 before making any payments. The company has reported the incident to law enforcement and engaged third-party forensic and threat intelligence advisors. 

HCA maintains that the breach, which exposed approximately 27 million rows of data related to around 11 million patients, did not include highly sensitive information such as patients' treatment or diagnosis details, payment information, passwords, driver's license numbers, or Social Security numbers.

Although DataBreaches.net initially reported on the hack and shared a code sample purportedly offered by the hacker, HCA's spokesperson clarified that the code was an email template developed by the company, and the client ID mentioned referred to a doctor's office or facility, not a patient.

HCA Healthcare says it has found no evidence of malicious activity on its networks or systems related to this incident. The company operates more than 180 hospitals and 2,000 care locations, including walk-in clinics, across 20 states and the U.K., according to its website.

Kimsuky Hackers from North Korea Back in Action with Advanced Reconnaissance Malware

Kimsuky, a North Korean APT outfit, has been discovered deploying a piece of bespoke malware named RandomQuery as part of a reconnaissance and information exfiltration operation.

"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," Aleksandar Milenkoski and Tom Hegel of SentinelOne noted in a published report.

According to the cybersecurity firm, the current targeted campaign is particularly aimed at information services as well as organizations supporting human rights advocates and North Korean defectors.
Kimsuky, who has been active since 2012, has demonstrated targeting patterns that correspond to North Korea's operational directives and priorities.

As SentinelOne disclosed earlier this month, the information collection missions have featured the employment of a broad assortment of malware, including another reconnaissance program named ReconShark.

The group's most recent activity cluster began on May 5, 2023, and employs a form of RandomQuery that is specially tailored to enumerate files and siphon sensitive data.

RandomQuery, along with FlowerPower and AppleSeed, is among the most widely used tools in Kimsuky's arsenal; it acts as an information stealer and as a conduit for delivering remote access trojans such as TutRAT and xRAT.

The attacks begin with phishing emails purporting to be from Daily NK, a famous Seoul-based online daily covering North Korean events, in order to convince potential targets to open a Microsoft Compiled HTML Help (CHM) file.

CHM files have also been used as a lure by ScarCruft, another North Korean state actor. When the CHM file is opened, a Visual Basic Script runs and sends an HTTP GET request to a remote server to fetch the second-stage payload, a VBScript variant of RandomQuery.

The malware then collects system metadata, running processes, installed applications, and files from various folders, and sends all of it to the command-and-control (C2) server.

"This campaign also demonstrates the group's consistent approach of delivering malware through CHM files," the researchers said.

"These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats."

The discoveries come only days after the AhnLab Security Emergency Response Centre (ASEC) discovered Kimsuky's watering hole assault, which comprises putting up a mimic webmail system used by national policy research organizations to capture credentials entered by victims.

Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers in order to drop the Metasploit Meterpreter post-exploitation framework, which is then used to spread Go-based proxy malware.
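As an added example (not SentinelOne's detection logic), the Python below applies two checks drawn from the infection chain described above to constructed process-creation events shaped like Sysmon Event ID 1 records: hh.exe (the Windows HTML Help viewer) opening a .chm from a mail-client cache or a download/temp directory, and hh.exe spawning a script host. The field names, file paths, lure filename and directory list are my assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str            # event time
    parent_image: str  # full path of the parent process
    image: str         # full path of the new process
    cmdline: str       # command line of the new process


# Constructed process-creation events in the shape of Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a user reads a vendor manual shipped under Program Files.
    ProcEvent("2023-05-05T09:01:00Z", r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\Docs\manual.chm"'),
    # Suspicious: a CHM attachment opened straight from the mail client's cache ...
    ProcEvent("2023-05-05T09:14:02Z",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" "C:\Users\kim\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\A1B2C3\DailyNK_report.chm"'),
    # ... and the help viewer then launching a script host.
    ProcEvent("2023-05-05T09:14:03Z", r"C:\Windows\hh.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\kim\AppData\Local\Temp\stage.vbs"'),
    # Benign: a logon script started by the shell, not by hh.exe.
    ProcEvent("2023-05-05T09:20:00Z", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\logon.vbs"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
UNTRUSTED_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\content.outlook\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chm_chain(events):
    """Return (timestamp, rule, command line) for events matching the CHM lure chain."""
    alerts = []
    for e in events:
        parent, child, cmd = basename(e.parent_image), basename(e.image), e.cmdline.lower()
        # Rule 1: HTML Help opening a .chm delivered by mail or sitting in a download/temp directory.
        if child == "hh.exe" and ".chm" in cmd and (
            parent in MAIL_CLIENTS or any(d in cmd for d in UNTRUSTED_DIRS)
        ):
            alerts.append((e.ts, "chm_from_untrusted_source", e.cmdline))
        # Rule 2: the help viewer has no business starting a script host.
        if parent == "hh.exe" and child in SCRIPT_HOSTS:
            alerts.append((e.ts, "hh_spawned_script_host", e.cmdline))
    return alerts


if __name__ == "__main__":
    for ts, rule, cmd in detect_chm_chain(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {cmd}")
```

Rule 2 is the higher-fidelity signal and catches the chain regardless of how the CHM arrived; rule 1 fires earlier but needs tuning for environments where help files are legitimately downloaded. The outbound HTTP GET for the second stage is the next thing to correlate, which requires network telemetry rather than process events.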

Industrial Espionage: Here's All You Need to Know

Cyberattacks are actively guarded against by all responsible firms. However, one security concern that many firms ignore is industrial espionage. Industrial espionage and cyberattacks are frequently carried out for the same reason: to steal confidential information. 

Industrial espionage, on the other hand, is carried out by a corporate competitor rather than a random hacker. Industrial espionage is the theft of confidential information from a company in order to gain a competitive edge. It can take many forms, but the most sophisticated attacks include an employee of the company being targeted. A rival may try to hire someone at the target company, or they may approach an existing employee and offer them money in exchange for information.

Competitive Intelligence vs. Industrial Espionage

Competitive intelligence and industrial espionage both involve gathering information about competitors, but they are not the same thing. Competitive intelligence is conducted entirely legally: a company takes advantage of publicly available information, on the internet and elsewhere, and engages in no surveillance or unlawful conduct. Industrial espionage has no such limits.

Industrial espionage targets any information that could be profitable, such as upcoming product details, financial information, client lists, and marketing strategies. Obtaining it gives a competitor an edge: they can improve their own products, offer better deals to suppliers and employees, undercut prices, damage the victim's reputation, or copy its marketing. Client lists reveal potential customers and pricing, and marketing information can be used to promote similar products or counter effective campaigns.

In order to protect against industrial espionage, all businesses should take the following precautions.
  • Invest in Cybersecurity
  • Encrypt All Private Data
  • Increase Physical Security
  • Require Confidentiality Agreements
  • Prevent Insider Threats
Most businesses need to protect themselves against industrial espionage: every company has information that could be useful to its competition, and there are numerous ways it might be stolen. While insider threats are the most effective means of stealing information, physical trespassing is frequently simple and effective. Cyberattacks are another formidable tool that certain competitors may use.

To protect against industrial espionage, all firms should be cautious about who they hire, keep an eye out for displeased employees, secure physical locations, and adopt cybersecurity.

FBI Obtained Detailed Database Exposing 59K+ Users of the Cybercrime Genesis Market


In its takedown of Genesis Market, a site famous in the cybercriminal realm for selling access to user accounts, the FBI gathered information on possibly tens of thousands of hackers. Senior FBI and Justice Department officials stated in a Wednesday briefing that law enforcement found and duplicated the backend servers for Genesis Market's main site. These servers store stolen victim passwords and session cookies, as well as information on customers of the infamous hacking site. 

According to a US official, the server copies contain information about around 59,000 individual user accounts, including usernames, passwords, email addresses, and secure messenger accounts, as well as a history of user activity.

In connection with the site's closure, the FBI and its partners have already made 119 arrests, including 24 in the United Kingdom. However, the information obtained from the server seizures could assist law enforcement in apprehending even more criminals. 

The Justice Department admits that some of the apprehended suspects are US citizens, but it is unable to provide a precise figure. US officials are also reluctant to clarify whether any Genesis Market leaders had been arrested. The Treasury Department, on the other hand, stated that the hacker site "is believed to be located in Russia," a country that has traditionally refused to extradite criminal suspects to the United States. 

As a result, the primary operators of Genesis Market are likely to have escaped arrest and will attempt to resume their operations. The FBI has taken down the marketplace's primary domain. The dark web onion site for Genesis, on the other hand, is still active.

For the time being, US officials have only stated that they are focusing on capturing the site's leaders and putting pressure on the wider cybercriminal world. The takedown comes just weeks after authorities shut down another prominent hacker forum, BreachForums. In that case, the FBI said that it had obtained a backend database for BreachForums, which is likely to contain information on several hackers.

“Each takedown is yet another blow to the cybercrime ecosystem,” US Deputy Attorney General Lisa Monaco said in today’s announcement.

ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access


An ALPHV/BlackCat ransomware affiliate was spotted gaining initial access to the target network by abusing three flaws in the Veritas Backup product. The ALPHV ransomware operation first appeared in December 2021, and it is thought to be run by former members of the Darkside and Blackmatter programs, which shut down abruptly to avoid law enforcement scrutiny.

Mandiant identifies the ALPHV affiliate as 'UNC4466,' noting that the method differs from the conventional breach, which depends on stolen credentials. Mandiant reports that on October 22, 2022, it spotted the first occurrences of Veritas flaw exploitation in the field. UNC4466 focuses on the following high-severity flaws:
  • CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
  • CVE-2021-27877: Remote unauthorized access and privileged command execution on the BE Agent via SHA authentication. (CVSS score: 8.2)
  • CVE-2021-27878: Arbitrary command execution flaw resulting from an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)
All three issues affect the Veritas Backup software. They were disclosed by the vendor in March 2021, and a fix was published with version 21.2. Despite the fact that more than two years have passed, many endpoints remain vulnerable because they have not been updated to a safe version.

According to Mandiant, a commercial scanning service discovered more than 8,500 IP addresses on the public web advertising the "Symantec/Veritas Backup Exec ndmp" service on the default port 10000 as well as ports 9000 and 10001.

"While this search result does not directly identify vulnerable systems, as the application versions were not identifiable, it demonstrates the prevalence of Internet exposed instances that could potentially be probed by attackers" - Mandiant

On September 23, 2022, a Metasploit module to exploit these flaws was made available to the public. The code enables attackers to establish a session and interact with the compromised endpoints. According to Mandiant, UNC4466 began using the specific module a month after it was released.

Specifics of the attack

According to Mandiant's findings, UNC4466 compromises an internet-exposed Windows server running Veritas Backup Exec by utilizing the publicly accessible Metasploit module and gains persistent access to the host.

Following the initial compromise, the threat actor gathered information on the victim's environment using the Advanced IP Scanner and ADRecon utilities. Next, they downloaded more tools onto the host, such as LAZAGNE, LIGOLO, WINSW, RCLONE, and ultimately the ALPHV ransomware encryptor, through the Background Intelligent Transfer Service (BITS).

To interact with the command and control (C2) server, the threat actor employed SOCKS5 tunneling. According to the researchers, UNC4466 used BITS transfers to download SOCKS5 tunneling tools before deploying the ransomware payload by adding immediate tasks to the default domain policy, disabling the security software, and executing the encryptors.

UNC4466 uses Mimikatz, LaZagne, and Nanodump to steal valid user credentials in order to escalate privileges. Finally, the threat actor avoids discovery by erasing event logs and turning off Microsoft Defender's real-time monitoring capability.

Mandiant's report gives recommendations for defenders to take in order to detect and prevent UNC4466 assaults before the ALPHV payload is executed on their systems.
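The behaviours described above (BITS downloads of tooling, Defender real-time protection switched off, event logs cleared, credential-dumping tool names on disk) each leave a Windows event behind. The following is an added illustration, not code from Mandiant or from this blog, of how a defender might correlate those events per host: a single signal is usually noise, but two or more different signals on the same host within a short window is worth an alert. The sample event records are constructed for the example (hosts, timestamps, URL and the documentation-range IP 203.0.113.10 are all invented); the event IDs used are the real Windows ones (Security 1102 for audit log cleared, Windows Defender 5001 for real-time protection disabled, BITS-Client 59 for a transfer job starting).

```python
"""Constructed detection example: correlate endpoint events that match the
UNC4466 post-exploitation behaviour described above. All sample records are
made up for this example; they are not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names from the write-up, matched case-insensitively in event text.
SUSPICIOUS_TOOLS = ("lazagne", "ligolo", "winsw", "rclone", "mimikatz", "nanodump")

# Real Windows event IDs used for the constructed records:
#   Security 1102                           -> the audit log was cleared
#   Microsoft-Windows-Windows Defender 5001 -> real-time protection disabled
#   Microsoft-Windows-Bits-Client 59        -> BITS transfer job started (message carries the URL)
SIGNALS = {
    ("Security", 1102): "event_log_cleared",
    ("Microsoft-Windows-Windows Defender", 5001): "defender_realtime_disabled",
}
BITS_PROVIDER, BITS_JOB_STARTED = "Microsoft-Windows-Bits-Client", 59


def classify(rec):
    """Return the list of signal names a single event record triggers."""
    hits = []
    key = (rec["provider"], rec["event_id"])
    if key in SIGNALS:
        hits.append(SIGNALS[key])
    text = rec.get("message", "").lower()
    tool_seen = any(tool in text for tool in SUSPICIOUS_TOOLS)
    if key == (BITS_PROVIDER, BITS_JOB_STARTED):
        if tool_seen:  # a BITS job pulling a known tool, as in the intrusion above
            hits.append("bits_download_of_known_tool")
    elif tool_seen:
        hits.append("known_tool_name_seen")
    return hits


def correlate(records, window=timedelta(hours=24), min_distinct=2):
    """Flag a host when at least `min_distinct` different signal types occur
    within `window` of each other. Returns {host: sorted signal names}."""
    by_host = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        for sig in classify(rec):
            by_host[rec["host"]].append((rec["time"], sig))
    alerts = {}
    for host, events in by_host.items():
        for i, (t0, _) in enumerate(events):
            in_window = {sig for t, sig in events[i:] if t - t0 <= window}
            if len(in_window) >= min_distinct:
                alerts[host] = sorted(in_window)
                break
    return alerts


def _t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed sample events (hosts, times, URLs and IP are invented).
SAMPLE_EVENTS = [
    {"host": "BACKUP01", "time": _t("2022-10-22T01:10:00"),
     "provider": BITS_PROVIDER, "event_id": 59,
     "message": "BITS started the job 'upd' associated with URL http://203.0.113.10/rclone.zip"},
    {"host": "BACKUP01", "time": _t("2022-10-22T01:12:00"),
     "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001,
     "message": "Real-time protection is disabled."},
    {"host": "BACKUP01", "time": _t("2022-10-22T01:40:00"),
     "provider": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    # Benign BITS job: no tool name, so no signal at all.
    {"host": "WS-17", "time": _t("2022-10-22T09:00:00"),
     "provider": BITS_PROVIDER, "event_id": 59,
     "message": "BITS started the job 'browser update' associated with URL https://updates.example.net/update.cab"},
    # Single signal only: below the min_distinct threshold, so no alert.
    {"host": "WS-22", "time": _t("2022-10-22T10:00:00"),
     "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001,
     "message": "Real-time protection is disabled."},
]

if __name__ == "__main__":
    for host, signals in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(signals)}")
```

In a real deployment the records would come from a SIEM or Sysmon/Windows event forwarding rather than a list, and the tool-name list would be one input among many; the point is the per-host correlation, which is what separates an administrator legitimately disabling Defender from the chain of actions described above.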

To Safeguard Children from Exploitation, Parents Should Reconsider Approach to Online Behaviour


Raising children in the digital age is becoming particularly complex. Many young people are growingly reliant on screens for social interaction. They experiment with new media sharing platforms such as TikTok, Snapchat, and BeReal, but without necessarily considering long-term consequences. 

This is normal because children's prefrontal cortex, the part of the brain responsible for reasoning, decision-making, and impulse control, is still underdeveloped. Parents who are responsible for anticipating the outcomes of digital interactions are overwhelmed. Many parents may lack the digital literacy to guide their children through today's plethora of social media platforms, messaging apps, and other online platforms. This situation may expose children to online sexual exploitation. 

The researchers collected data from a diverse group of experts in the United States and the United Kingdom for their study. Interviews were conducted with internet safety non-profits, safeguarding teams, cybercrime police officers, digital forensics staff, and intelligence directors. The ability to share explicit content online is a major reason for the rapid escalation of online child sexual exploitation. The research unveiled four distinct stages used by perpetrators.

In Stage 1, perpetrators use various technological tools and networks to initiate contact with potential victims, such as social media, messaging apps, games, and online forums. They frequently create false identities by using fake images to create convincing digital personas through which they approach children, such as posing as a "new kid on the block" looking for new friends.

In Stage 2, perpetrators use tactics such as impersonating a similar-aged child to gain the trust of potential victims. This can occur over a long period of time. In one case the researchers investigated, a 12-year-old boy in Lee County, North Carolina, received 1,200 messages from the same perpetrator over the course of two years. Offenders may send their own explicit images during this stage to reduce a victim's suspicion.

In Stage 3, the perpetrators resort to online extortion. They modify innocent photos or use photographs provided by victims to make them appear sexual or pornographic. Perpetrators then send these images to their victims in order to keep them in a state of humiliation. When perpetrators threaten to share these humiliating images with the victim's friends, teachers, or family unless their victims send more explicit photos or videos, the situation escalates.

At this point, many extortion techniques and direct threats are being used. It's difficult to imagine the psychological strain this can put on children. Before seeking help, a 12-year-old girl uploaded 660 sexually explicit images of herself to a cloud-based storage account controlled by a 25-year-old perpetrator.

In Stage 4, perpetrators begin selling these images on peer-to-peer networks, the dark web, and even child pornographic websites.

Defending against online exploitation

Parents can help prevent exploitation by avoiding common mistakes. By sharing these, parents, policymakers, school boards, and even children will reconsider their approach to online behavior.
1. "That will never happen to us!" Many victims and their families fall prey to optimism bias, believing that bad things will never happen to them. Online crimes, however, can affect anyone. Unfortunately, these occurrences are more common than most people realise. No family is immune to the dangers of the online world.

2. "Everyone's doing it!" It is now common for parents to overshare pictures of their children on social media. Many parents find it difficult to resist the pressure or temptation to post photos of their children on social media. These photographs are frequently edited and distorted to appear pornographic. Everyone in the family must resist the urge to overshare photos on social media.

3. "It doesn't bother my kids!" Many children today have a digital presence that their parents initiated and maintain without their consent. This disregard for children's privacy not only undermines their autonomy, but it can also have long-term consequences for their self-esteem, personal and professional future, and parent-child relationship.

4. "We are unable to keep up with their technology!" When they can't keep up with their children, many parents feel overwhelmed and intimidated. As technology continues to play an important role in children's lives, parents' digital literacy must be improved through online resources and schools. Parents must seek and receive assistance in understanding the technology that their children use.

5. "They're just online chatting with friends!" Parents may be very involved and interested in who their children talk to on the way home from school or at friends' houses, but they may not be as aware of who their children talk to online. Just as they are interested in their child's real-world interactions, the benefits and risks of online behavior must be an important and frequent topic of discussion.

Online child sexual exploitation is a serious and multifaceted problem that requires our undivided attention. We can only hope to prevent children from becoming victims of these crimes if we carefully consider these critical concerns.

McAfee Invoice Fraud Email Pretending to be a Subscription Renewal Receipt


Readers should beware of clicking links in a McAfee invoice scam email that claims to be a "confirmation receipt" for the subscription renewal of the company's products. This email does not come from McAfee Corp. Email scams that use the names of antivirus and security companies are probably as old as the internet, but this particular one for McAfee apparently tried to combine two different threats into one: malware and phishing. 

Snopes reviewed one of the McAfee invoice scam emails. The subject line read, "Confirmation Receipt ID.6030955553." The following message came from an email address associated with uilsducoach.com, not the official company website mcafee.com:
  • Reassure your McAfee is up to date.
  • Check now as it may have ended.
  • Your subscription of McAfee for your computer may ended soon.
  • After the ending date has passed your computer will become susceptible to many different virus and threats.
  • Your PC might be unprotected, it can be exposed to viruses and other malware...
  • You are eligible for discount: -70%*
A malicious URL scanner scan of the links revealed that the email was "hosting malware" and contained a "phishing link."

The link started on an Amazon Web Services page. Vestingsupper.com was one of the redirects. More information was not available at the time this story was published. McAfee has previously published several articles about these types of scams, including details on what to do if you believe you've been a victim of one.

The company's advice is: "if you accidentally enter data in a webpage linked to a suspicious email, perform a full malware scan on your device. Once the scan is complete, backup all of your files and change your passwords. Even if you only provided a phishing scammer with the data from one account, you may have also opened the door to other personal data, so it's important to change all the passwords you use online in the wake of a suspected phishing attack."

Malwarebytes and Norton are two other companies that are recommended for malware scans. If readers provided financial information to scammers, such as a credit card number, we recommend contacting that financial institution right away to notify them of the problem. To ensure that scammers do not use the compromised card in the future, a new credit card with a new number may need to be mailed to you in some cases.
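The two tells in this scam are both visible before anyone clicks: the message invokes a brand (McAfee) while the sending address belongs to an unrelated domain (uilsducoach.com), and the links point somewhere other than the brand's own site. The following is an added example, not code from McAfee, Snopes or this blog, of a small mail-filter check that makes those two comparisons. The raw messages are constructed for the example: the subject line and the two domain names come from the write-up, while the link host renew-now.example.net, the recipient address and the message text are placeholders, and the assumption that McAfee receipts only come from mcafee.com is the example's own simplification.

```python
"""Constructed example: header and link checks for a brand-impersonation
email like the McAfee 'confirmation receipt' described above. The raw
messages below are made up; only the domain names come from the write-up."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption for this example: the only domain the brand sends receipts from.
BRAND_DOMAINS = {"mcafee": {"mcafee.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw):
    """Parse a raw RFC 822 message and return the impersonation findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg["Subject"] or ""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    sender = email.utils.parseaddr(msg["From"] or "")[1]
    sender_domain = sender.rpartition("@")[2].lower()
    text = (subject + "\n" + body).lower()

    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in text:
            continue  # the message does not invoke this brand
        # Tell 1: brand named in the mail, but the envelope sender is off-brand.
        if not host_in_domains(sender_domain, domains):
            findings.append("sender_domain_mismatch")
        # Tell 2: any link whose host is not under the brand's domain.
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if not host_in_domains(host, domains):
                findings.append("offbrand_link:" + host)
    return {"sender_domain": sender_domain, "findings": findings,
            "suspicious": bool(findings)}


# Constructed scam-like message; the link host is a placeholder.
SCAM_MESSAGE = """\
From: McAfee Billing <receipts@uilsducoach.com>
To: reader@example.org
Subject: Confirmation Receipt ID.6030955553
Content-Type: text/plain; charset=utf-8

Reassure your McAfee is up to date.
Your subscription of McAfee for your computer may ended soon.
You are eligible for discount: -70%*
Renew here: http://renew-now.example.net/confirm
"""

# Constructed legitimate-looking counterpart for comparison.
GENUINE_MESSAGE = """\
From: McAfee <receipts@mcafee.com>
To: reader@example.org
Subject: Your McAfee receipt
Content-Type: text/plain; charset=utf-8

Thank you for renewing. Manage your subscription at https://www.mcafee.com/account
"""

if __name__ == "__main__":
    print(analyze(SCAM_MESSAGE))
    print(analyze(GENUINE_MESSAGE))
```

A real filter would also verify SPF/DKIM alignment and follow link redirects in a sandbox rather than trusting the first hop; the example stays with the two comparisons a reader can make from the headers and link text alone.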

The United States has Released its National Cybersecurity Strategy: Here's What you Need to Know

The US government is taking steps to enhance the country's cybersecurity capabilities and improve its overall technology governance strategy. President Joe Biden recently unveiled a new National Cybersecurity Strategy aimed at securing cyberspace and building a resilient digital ecosystem that is easier to defend than to attack. 

"When we pick up our smartphones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure," Biden wrote in the framework's preface.

The strategy is part of a broader effort by the Biden administration to reinforce cyber and technology governance, which includes increasing accountability for tech firms, strengthening privacy protections, and ensuring fair competition online.

Why does the United States require a National Cybersecurity Strategy?

The world is becoming more complex, and cyber threats are becoming more sophisticated, with ransomware attacks causing millions of dollars in economic losses in the United States. According to IBM, the average cost of a ransomware attack in 2022 was more than $4.5 million. The greatest threats we face are interconnected, raising the prospect of a "polycrisis," in which the overall combined impact of these events exceeds their individual impact.

This is also true of technological risks, where attacks on critical information infrastructure, for example, could have disastrous consequences for public infrastructure and health, or where rising geopolitical tensions increase the risk of cyberattacks.

Cybercrime and cyber insecurity were ranked eighth in terms of severity of impact by risk experts polled for the World Economic Forum's Global Risks Report, both in the short term (the next two years) and over the next decade. According to Google data, state-sponsored cyberattacks targeting NATO users increased by 300% in 2022 compared to 2020. With cyberattacks on the rise, experts at the World Economic Forum's Annual Meeting at Davos predicted that 2023 would be a "busy year" for cyberspace with a "gathering cyber storm".

“This is a global threat, and it calls for a global response and enhanced and coordinated action,” Jürgen Stock, Secretary-General of the International Criminal Police Organization (INTERPOL), said at Davos.

According to the Forum's Global Cybersecurity Outlook 2023, 93% of cybersecurity experts and 86% of business leaders believe global instability will have a negative impact on their ability to ensure cybersecurity in the future.

As Biden notes, "Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.

"We must ensure the internet remains open, free, global, interoperable, reliable, and secure – anchored in universal values that respect human rights and fundamental freedoms."

What are the National Cybersecurity Strategy's five pillars?

Because the COVID-19 pandemic has accelerated the world's digital transformation, we rely on connected devices and digital technology to do more than ever before, putting our lives and livelihoods at greater risk from cyber threats.

The US National Cybersecurity Strategy recognizes the need to rebalance the burden of responsibility for cybersecurity away from small businesses and individuals and onto the public and private organizations best placed to defend cyberspace through "robust collaboration".

It also aims to strengthen cyberspace resilience by balancing the need to address immediate threats with incentivizing investment in the digital ecosystem's secure, long-term future. Each of the five pillars it establishes is divided into strategic objectives, but here's a quick rundown of what they entail:

1. Defend critical infrastructure
2. Disrupt and dismantle threat actors
3. Shape market forces to drive security and resilience
4. Invest in a resilient future
5. Forge international partnerships to pursue shared goals

The LockBit Ransomware Takes Responsibility for the Royal Mail Cyberattack


The LockBit ransomware operation has asserted responsibility for the cyberattack on Royal Mail, the UK's leading mail delivery service, which forced the company to stop its international shipping services due to "severe service disruption." 

This emerges after LockBitSupp, the public-facing representative of the ransomware group, earlier told BleepingComputer that the LockBit cybercrime group did not target Royal Mail. They instead blamed the attack on other threat actors who used the LockBit 3.0 ransomware builder, which was leaked on Twitter in September 2022. LockBitSupp did not clarify why printed Royal Mail ransom notes seen by BleepingComputer included links to LockBit's Tor negotiation and data leak sites rather than those operated by a different threat actor.

However, LockBitSupp validated LockBit's involvement in the attack in a post on a Russian-language hacking forum after discovering that one of their affiliates deployed the gang's ransomware payloads on Royal Mail's systems.

The representative of the ransomware gang also stated that they would only provide a decryptor and delete data stolen from Royal Mail's network after a ransom was paid. The entry for the Royal Mail attack on LockBit's data leak site currently states that stolen data will be published online on Thursday, February 9, at 03:42 AM UTC.

The attack was termed a "cyber incident"

On January 10, Royal Mail discovered the attack and hired outside forensic experts to assist with the investigation.

A Royal Mail spokesperson told BleepingComputer on January 11 when we reached out for more details, "Incident was detected yesterday, UK/ domestic mail remains unaffected."

"We're experiencing disruption to our international export services and are temporarily unable to despatch items to overseas destinations. Please do not post any export items while we work to resolve the issue. Sorry for any disruption this may cause," the company tweeted.

The incident was also reported to UK security agencies, and the company is investigating it alongside the National Crime Agency and the UK National Cyber Security Centre (NCSC).

However, Royal Mail has yet to acknowledge that it is the victim of a ransomware attack, which could result in a data breach because LockBit ransomware operators are known for stealing data and leaking it online if their ransom demands are not met.

For the time being, the company is still referring to the attack as a "cyber incident" and claims to have restored some of the services that were impacted by the attack. The incident last month follows a November 2022 outage that caused the Royal Mail's tracking services to be unavailable for more than 24 hours.

The Royal Mail's recurring IT problems come at a time when its mailing services are already under strain due to planned national strikes and ongoing talks with the Communication Workers Union.     

Trojanized Windows 10 Installer Utilized in Cyberattacks Against Ukrainian Government Entities


Ukraine's government has been compromised as part of a new campaign that used trojanized versions of Windows 10 installer files to conduct post-exploitation activities. The malicious ISO files were distributed via Ukrainian and Russian-language Torrent websites, according to Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022. The threat cluster is identified as UNC4166. 

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Even though the origin of the adversarial collective is unknown, the intrusions are said to have targeted organisations that had previously been victims of disruptive wiper attacks blamed on APT28, a Russian state-sponsored actor. According to the Google-owned threat intelligence firm, the ISO file was designed to disable telemetry data transmission from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and licence verification.

The main objective of the operation appears to have been data gathering, with additional implants deployed to the machines only after an initial reconnaissance of the vulnerable environment to determine if it contained valuable intelligence.

Among those implants were Stowaway, an open source proxy tool; Cobalt Strike Beacon; and SPAREPART, a lightweight backdoor written in C that enables the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the data to a remote server.

The malicious actor attempted to download the TOR anonymity browser onto the victim's device in some cases. While the precise reason for this action is unknown, it is suspected that it served as an alternative exfiltration route.

SPAREPART, as the name suggests, is considered to be redundant malware that is used to uphold remote access to the system if the other methods fail. It also has the same functionality as the PowerShell backdoors that were dropped early in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant stated.

The findings come as Check Point and Positive Technologies revealed attacks on the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia by an espionage group known as Cloud Atlas as part of a persistent campaign.

The hacking group, which has been active since 2014, has a history of targeting entities in Eastern Europe and Central Asia. However, the outbreak of the Russo-Ukrainian war earlier this month has shifted its focus to organisations in Russia, Belarus, and Transnistria.

"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.

The adversary's attack chains typically utilise phishing emails with bait attachments as the initial intrusion vector, leading to the delivery of a malicious payload via an intricate multi-stage sequence. The malware then contacts an actor-controlled C2 server to obtain additional backdoors capable of stealing files with specific extensions from the compromised endpoints.

Check Point's observations, on the other hand, culminate in a PowerShell-based backdoor known as PowerShower, which was first discovered by Palo Alto Networks Unit 42 in November 2018. Some of these intrusions in June 2022 were also successful, allowing the threat actor to achieve full network access and use tools such as Chocolatey, AnyDesk, and PuTTY.

"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.

Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, is still unidentified, joining the ranks of other APTs such as TajMahal, DarkUniverse, and Metador. The group's name derives from its reliance on cloud services such as CloudMe and OpenDrive to host malware.