
Automatic Burn-In Technology by Sinon Elevates Windows Deception Hosts

 


Sinon is an open-source, modular tool for the automatic burn-in of deception hosts based on Windows. By using generative capabilities, the framework aims to reduce the complexity of orchestrating deception hosts at scale while introducing diversity and randomness into the process. 

Sinon performs a series of actions to automate the setup of deception hosts by simulating the activity of real users. The goal is a realistic environment that convinces an intruder the host is a genuine, actively used system. Sinon's modular, adaptable design allows a variety of changes and randomizations, so that no two deployments look the same. 

To ensure the research fits within the overall narrative a defender wants to present, part of it examined the MITRE Engage framework, which describes the technical capabilities involved in setting up a decoy host so that it supports that narrative. Influencing, persuading and motivating an adversary is what allows defenders to select and collect the data that closes identified intelligence gaps. 

As MITRE Engage notes, organizations commonly build deception decoys in an almost entirely manual way. Automating decoy burn-in and interaction with LLMs makes it possible to create and interact with decoy systems that look highly realistic with minimal effort, and to produce diverse environments on demand. 

As a result, instead of relying on the same basic image over and over, Sinon aims to automate the elements of MITRE Engage: application diversity, artefact diversity, burn-in, email manipulation, information manipulation, network diversity, peripheral management, pocket litter, introduced vulnerabilities, personas, and lures. Brine, the tool's author, concluded that Sinon would help automate these elements.
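To make the burn-in idea concrete, here is an added example (not Sinon's own code) of what a randomised, per-host plan covering personas, application diversity, pocket litter and plausible file timestamps looks like. The persona names, application pools, document templates and paths are constructed sample data, and deriving the randomness from a hostname plus seed is an assumption chosen so that a plan is reproducible per host but never identical across hosts.

```python
"""Randomised burn-in plan for a Windows deception host.

Added illustration of the MITRE Engage elements listed above (personas,
application diversity, pocket litter, burn-in). This is not Sinon's own
code: persona names, application pools, document templates and paths are
constructed sample data, and the hostname/seed derivation is an assumption.
"""
import hashlib
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed pools. Every decoy draws its own subset, so no two hosts end
# up with the same installed-software fingerprint or document set.
PERSONAS = ["finance_analyst", "hr_generalist", "sysadmin", "sales_rep"]
APP_POOL = {
    "finance_analyst": ["Excel", "SAP GUI", "Bloomberg Terminal", "7-Zip", "Chrome"],
    "hr_generalist": ["Word", "Workday", "Adobe Reader", "Teams", "Edge"],
    "sysadmin": ["PuTTY", "RSAT", "Wireshark", "Notepad++", "VS Code", "Firefox"],
    "sales_rep": ["Outlook", "Salesforce", "Zoom", "PowerPoint", "Chrome"],
}
DOC_TEMPLATES = {
    "finance_analyst": ["Q{q}_forecast_v{v}.xlsx", "budget_review_{m}.docx"],
    "hr_generalist": ["offer_letter_{v}.docx", "onboarding_{m}.pdf"],
    "sysadmin": ["patch_notes_{m}.txt", "vlan_map_v{v}.vsdx"],
    "sales_rep": ["pipeline_Q{q}.pptx", "pricing_{m}.xlsx"],
}


@dataclass
class BurnInPlan:
    hostname: str
    persona: str
    apps: list
    documents: list = field(default_factory=list)  # (path, last-write time)


def business_hours_timestamp(rng, start, end):
    """Pick a random weekday time between 08:00 and 18:29 in [start, end).

    Real users do not save spreadsheets at 03:00 on a Sunday; a burn-in
    whose timestamps cluster outside working hours is an easy tell.
    """
    days = (end - start).days
    while True:
        day = start + timedelta(days=rng.randrange(days))
        if day.weekday() < 5:  # Monday..Friday
            minutes = rng.randrange(8 * 60, 18 * 60 + 30)
            return day.replace(hour=0, minute=0, second=0, microsecond=0) + timedelta(minutes=minutes)


def build_plan(hostname, seed, months=6, n_docs=12, now=None):
    """Derive a plan that is reproducible for (hostname, seed) but differs per host."""
    now = now or datetime(2023, 9, 1)
    digest = hashlib.sha256(f"{hostname}:{seed}".encode()).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))
    persona = rng.choice(PERSONAS)
    pool = APP_POOL[persona]
    apps = sorted(rng.sample(pool, k=rng.randint(3, len(pool))))
    plan = BurnInPlan(hostname, persona, apps)
    start = now - timedelta(days=30 * months)
    for _ in range(n_docs):
        template = rng.choice(DOC_TEMPLATES[persona])
        mtime = business_hours_timestamp(rng, start, now)
        name = template.format(q=rng.randint(1, 4), v=rng.randint(1, 9), m=mtime.strftime("%b%Y"))
        plan.documents.append((f"C:\\Users\\{persona}\\Documents\\{name}", mtime))
    plan.documents.sort(key=lambda doc: doc[1])
    return plan


def to_powershell(plan):
    """Emit PowerShell that creates each document and back-dates its LastWriteTime."""
    lines = []
    for path, mtime in plan.documents:
        lines.append(f'New-Item -ItemType File -Force -Path "{path}" | Out-Null')
        lines.append(f'(Get-Item "{path}").LastWriteTime = [datetime]"{mtime:%Y-%m-%dT%H:%M:%S}"')
    return "\n".join(lines)


if __name__ == "__main__":
    plan = build_plan("WS-FIN-07", "lab-seed-1")
    print(plan.persona, plan.apps)
    print(to_powershell(plan))
```

The plan is generated off-host and rendered to PowerShell so the decoy itself never carries the generator; the two things worth carrying over to any real burn-in are that every host gets a different persona/application subset and that artefact timestamps fall where a human would have produced them.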

Unlocking the Future: How Multimodal AI is Revolutionizing Technology

 


Multimodal AI combines several types, or modes, of data so that a model can make more accurate predictions, draw more insightful conclusions and reach more reliable determinations about real-world problems. 

Multimodal AI systems work with a wide range of data types, including audio, video, speech, images and text, as well as more traditional numerical data sets. Using several data types at once helps the system establish content and understand context, something earlier generations of the technology lacked. 

Multimodal AI is usually defined as artificial intelligence capable of processing, understanding and/or generating outputs for more than one type of data. The definition turns on the word modality: the way something manifests itself, is perceived or is expressed. 

More specifically, in machine learning (ML) and AI a modality is a type of data the system consumes or produces. Text, images, audio and video are examples of data modalities. 

Embracing Multimodal Capabilities


A New Race

OpenAI, the operator of ChatGPT, recently announced that its GPT-3.5 and GPT-4 models have been enhanced to understand images and describe them in words. It has also released mobile apps with speech synthesis, letting users hold spoken conversations with the AI. 

With Google's Gemini, a multimodal language model, reported to be coming soon, OpenAI has accelerated its rollout of multimodality in GPT-4. Multimodal AI, which integrates several sensory modalities, gives computers many more ways to interpret and manipulate information.

Unlike conventional AI models that focus on a single type of data, multimodal systems comprehend and use data from a variety of sources at the same time: text, images, audio and video together. What distinguishes multimodal AI is its capacity to combine several sensory inputs in a way that mimics how humans perceive and interact with the world. 

Unimodal vs. Multimodal


Most artificial intelligence systems today are unimodal. They are designed and built to work with one particular type of data, and their algorithms are tailored to that type. 

ChatGPT, for example, uses natural language processing (NLP) to comprehend and extract meaning from text, and it produces only text as output. Multimodal architectures, by contrast, can integrate and process several forms of information simultaneously and produce several types of output. 

If future versions of ChatGPT become multimodal, a marketer who uses the bot to produce text for web content could, for instance, prompt it to create images to accompany that text. 

A great deal has been written about unimodal (or monomodal) models, which process a single modality. They have produced extraordinary results in fields such as computer vision and natural language processing, which have advanced significantly in recent decades. Still, the capabilities of unimodal deep learning are limited, which is what makes multimodal models necessary. 

What Are The Applications of Multimodal AI?


In healthcare, multimodal AI could improve communication between doctors and patients, especially where a patient has limited mobility or is not a native speaker. A recent report suggests the healthcare industry will be the largest user of multimodal AI in the coming years, with a CAGR of 40.5% from 2020 to 2027. 

In education, a more personalized and interactive experience that adapts to each student's learning style can improve learning outcomes. Older machine learning models were unimodal, capable of processing only one type of input. 

For example, models built exclusively on textual data, such as many Transformer-based language models, work only with text. Similarly, Convolutional Neural Networks (CNNs) are designed for visual data such as pictures or video. 

OpenAI's ChatGPT lets users try multimodal AI: besides reading text and files, it can read and interpret images. Google's multimodal search is another example.

Basically, multimodal AI systems are designed to understand, interpret and integrate several different types of data, whether text, images, audio or video, as part of their core functions.

This versatility lets the AI grasp both local and global context, improving the accuracy of its outputs. Multimodal AI is harder to build than unimodal AI, but there is evidence that it can be more user-friendly, since it gives consumers a better understanding of complex real-world data.

Researchers are working on challenges in areas such as multimodal representation, fusion techniques and large-scale multimodal dataset management in order to push beyond current unimodal capabilities; the field is still at an early stage. 

In the coming years, as the cost-effectiveness of foundation models equipped with extensive multimodal datasets improves, experts anticipate a surge in creative applications and services that harness the capabilities of multimodal data processing.

Cybersecurity Concerns: When Mental Health Queries Become Malware Magnets

 


Beyond Identity recently published a study showing that certain mental health search terms can expose users to malware. Looking at high-volume searches related to mental health, the study found that many returned links to programs that could steal data from devices, harm networks or damage equipment.

The report rates the term "meditation music" as carrying a critical level of risk. Users who search for it in order to download music for their meditation practice should therefore be particularly careful about where they download from. 

Beyond Identity also identified a number of terms it considers medium or high risk, including "psychiatrist near me," "virtual therapy," "mental health services," "ADHD treatment," "breathing exercises," "mindfulness meditation," "anxiety treatment," "depression treatment," and "how to meditate." 

The research also found that mental health terms rank second among the most dangerous categories of search terms, behind work-related training and courses. The data shows how many bad actors target people looking for online content and resources about their well-being in order to steal their data. 

Beyond Identity studied popular terms that received more than 6,000 searches in the U.S. during the previous month. It then used a malware detection tool to analyze the first 50 non-sponsored links Google returned for each term, along with their origins. Note that the results a given user sees depend on the search engine's ranking, so the top links may differ. 

Links were flagged as malicious if the malware detection tool blocked them, if they ran outdated software, or if they hosted clearly malicious software. A site running outdated software, or lacking its own malware protection, is at greater risk of having malicious code injected into it. 
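As an added example of the kind of "outdated software" triage described above (not Beyond Identity's tooling), the following checks a search result's Server and X-Powered-By headers and its CMS generator tag against minimum versions, and flags results served without TLS. The minimum-version table is an illustrative assumption, and the two responses are constructed so the example runs offline.

```python
"""Triage heuristics of the kind the study applied to search results:
flag a result whose server or CMS reports an outdated version, or which
is served without TLS. Added example, not Beyond Identity's tooling; the
minimum-version table is an illustrative assumption and the responses
below are constructed, so nothing here touches the network.
"""
import re
from urllib.parse import urlparse

# Assumed "current enough" floors for illustration; maintain these from
# vendor release notes in real use.
MIN_VERSIONS = {
    "wordpress": (6, 3), "joomla": (4, 3), "drupal": (10, 1),
    "php": (8, 1), "apache": (2, 4, 57), "nginx": (1, 24),
}
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
PRODUCT_RE = re.compile(r"([A-Za-z][A-Za-z+_-]*)/?\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'Apache/2.4.29 (Ubuntu)' -> ('apache', (2, 4, 29)); None if unparseable."""
    m = PRODUCT_RE.search(text)
    if not m:
        return None
    return m.group(1).lower(), tuple(int(x) for x in m.group(2).split("."))


def outdated(product_version):
    """True when the product is known to us and its version is below the floor."""
    if product_version is None:
        return False
    product, version = product_version
    floor = MIN_VERSIONS.get(product)
    return floor is not None and version < floor


def triage(url, headers, body):
    """Return a list of reasons a result deserves a closer look (empty = clean)."""
    reasons = []
    if urlparse(url).scheme != "https":
        reasons.append("served without TLS")
    for header in ("Server", "X-Powered-By"):
        value = headers.get(header)
        if value and outdated(parse_version(value)):
            reasons.append(f"outdated {header}: {value}")
    m = GENERATOR_RE.search(body)
    if m and outdated(parse_version(m.group(1))):
        reasons.append(f"outdated CMS: {m.group(1)}")
    return reasons


# Constructed responses standing in for fetched search results.
SAMPLE_RESULTS = {
    "http://free-meditation-music.example/download": (
        {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.34"},
        '<html><head><meta name="generator" content="WordPress 4.9.8"></head><body>...</body></html>',
    ),
    "https://www.hospital.example/mental-health": (
        {"Server": "nginx/1.25.2"},
        '<html><head><meta name="generator" content="WordPress 6.4"></head><body>...</body></html>',
    ),
}


def triage_all(results=SAMPLE_RESULTS):
    """Map each URL to its list of triage reasons."""
    return {url: triage(url, headers, body) for url, (headers, body) in results.items()}


if __name__ == "__main__":
    for url, reasons in triage_all().items():
        print(url, "->", reasons or "clean")
```

Version banners are a weak signal on their own (many sites hide or fake them), which is why the study combined this kind of check with a malware detection tool rather than relying on it alone.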

A device can become infected with malware in a number of ways: visiting a site that hosts malware, clicking an ad that carries malware, interacting with pop-up ads, and downloading infected media files, software or documents. Nobody searching for mental health information wants to end up with malicious software on their device. When in doubt about search results, stick to reputable websites such as hospitals and recognized health organizations.

Security Breach: Clearweb Sites Attacked by MOVEit, Data Exposed

 


The Clop ransomware gang has exploited the MOVEit vulnerability far more widely than any other cybercrime group. To complicate matters, the data the gang stole through MOVEit is now being leaked on clearweb domains.

In May of this year it was reported that the Clop ransomware group had exploited a vulnerability in the MOVEit Transfer file transfer software. The vulnerability exposed the data of hundreds of companies and organizations, including Boots, British Airways, the BBC and many others.  

To leak data stolen through MOVEit, the gang has set up publicly accessible websites. Ransomware leak sites are usually hosted on anonymity networks such as Tor, which makes it hard for law enforcement to reach the infrastructure. These new sites, by contrast, are hosted on public servers, which allows them to be indexed by search engines and amplified that way.  

A Bitdefender report, citing Coveware data, notes that many of those who paid handed over substantially more than the global average ransom payment of $740,144, itself a record and an increase of 126% from the first quarter of 2023. Coveware estimates the attackers earned approximately $75-100 million (£58.7-78 million) from a small number of victims who paid extremely high ransoms. 

Security researcher Dominic Alvieri, who has tracked the Clop operation for the past two years, reported that the gang created its first publicly accessible website to leak data stolen from PwC, the business consulting firm. That site has since been taken down. 

Clop is adopting an extortion tactic pioneered by ALPHV: setting up clearweb websites dedicated to specific victims to leak their data and put additional pressure on them to pay. 

When a ransomware gang attacks a target, it steals data from the corporate network before encrypting it. Victims who do not pay are told their data will be leaked. This is the standard pattern of double-extortion attacks. 

Ransomware data leak sites are usually hosted on the Tor network. The better the site is hidden, the harder it is for law enforcement to seize the infrastructure or take the site down. Even so, this hosting method brings its own problems for a ransomware operation.

Leak sites on Tor have several barriers to access: visitors need the specialized Tor browser, the leaked data is not indexed by search engines, and download speeds are very slow. 

ALPHV, also known as BlackCat, introduced a new extortion tactic last year by creating clearweb websites to leak stolen data, set up so that a victim's employees and customers could check whether their own data had been compromised, thereby increasing the pressure on the victim to pay. 

As the name suggests, a clearweb site is hosted directly on the Internet and needs no special software, such as the Tor browser, to reach. Leaked data becomes much easier to access and is likely to be indexed by search engines, so the leak spreads further.

Security researcher Dominic Alvieri found that the Cl0p ransomware gang has now publicly posted the data it stole from MOVEit Transfer in May. By exploiting a zero-day vulnerability in the secure file transfer platform, the gang compromised hundreds of businesses and government institutions worldwide, leading to hundreds of data breaches.  

Clop's dumps differ from some previous leaks in several ways. Most noticeably, the data has been released as large files rather than organized into specific searchable items, and the site is not hosted on the Tor network. 

Dark Web vs Clear Web 


The Clear Web is the portion of the internet that is easy to use and can be indexed by search engines like Google. It is also known as the Surface Web or Visible Web because it is the easily accessible part of the web: websites and pages reachable through standard browsers with no special configuration. 

The Dark Web, by contrast, is intentionally hidden from traditional search engines and is not indexed by them. Reaching it requires specialized software such as the Tor browser, which lets users browse anonymously. 

Dark Web sites are reached through addresses with the ".onion" suffix, which adds to the anonymity. The Dark Web hosts many illegal markets and anonymous forums where users communicate without revealing their identities, and it is often associated with illicit activity. 

Cybercrime groups have recently begun setting up clearnet sites on the surface web to leak stolen data and blackmail their victims. Clop has adopted this tactic as part of its extortion campaign. In its first attempt, it uploaded four spanned ZIP archives stolen from PwC, the business consulting firm. Cl0p later set up sites claiming to leak data from TD Ameritrade, Aon, Kirkland and Ernst & Young. 

The aim is to create panic among the employees, executives and business partners whose data was stolen, so that they in turn pressure the company to pay the ransom. 

Leaking data this way has benefits for the criminals, but also its own problems: sites on the open internet are much easier to take down than sites on Tor. 

At present, all known Clop clearweb extortion sites are offline. It is unclear whether they were taken down through law enforcement seizures, DDoS attacks by cybersecurity firms, or action by hosting companies and registrars. Given how easily such sites can be shut down, it is questionable whether the tactic is worth the effort.

Researchers Discover Landmark Ransomware Extortion: Automated SaaS Ransomware

 


The Omega ransomware group successfully extorted a company by targeting its SharePoint Online environment rather than compromised endpoints, the usual vector for such attacks. The group appears to have entered the unnamed company's environment through a weakly secured administrator account with elevated permissions, then used it to pull sensitive data from the victim's SharePoint libraries. It then demanded a ransom over the stolen data. 

Probably the first attack of its kind 

According to Glenn Chisholm, cofounder of the security firm Obsidian, which discovered the attack, most enterprise efforts to counter ransomware focus on endpoint protection. 

Chisholm explained that companies have largely mitigated or prevented ransomware attacks by investing in endpoint security. This attack shows that endpoint security is not sufficient on its own, since many companies now store and access their data through SaaS applications. 

The attack began with a poorly secured credential for a service account that held Microsoft Global Administrator privileges at the victim organization. The account was not only weakly protected, it also lacked multi-factor authentication (MFA), which most security experts consider essential, particularly for accounts with privileged access. 

Using the compromised administrator account, the threat actor created, somewhat brazenly, a new user named "0mega" and granted it all the permissions it needed to operate freely in the environment: the Global Admin, SharePoint Admin, Exchange Admin and Teams Administrator roles. The attacker then used the compromised admin credentials within the organization's SharePoint Online environment to grant the 0mega account the ability to manage site collections, and removed every other administrator from the environment. 

In SharePoint, a site collection is a group of websites within a single web application that share the same owner, administrator and settings. Organizations with large amounts of data or many distinct business functions tend to have many site collections. 

Within about two hours of the attack Obsidian analyzed, the attackers had removed some 200 existing administrator accounts. Holding self-assigned privileges over the organization's SharePoint Online libraries, the threat actor then took hundreds of files from them and sent them to a virtual private server (VPS) host associated with a Russian hosting provider. To pull the data, the attacker used a Node.js module called "sppull", which performs HTTP requests against SharePoint resources. After the exfiltration, another Node.js module, "got", was used to upload thousands of text files to the victim's SharePoint environment; these files told the organization what had just happened. 
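Every step of the chain above lands in the Office 365 Unified Audit Log, so it is worth seeing what a detection over those records looks like. The following is an added example, not Obsidian's tooling: the operation names ("Add user.", "Add member to role.", "Remove member from role.", "FileDownloaded") and the Role.DisplayName property are as they appear in Unified Audit Log exports, while the events themselves, account names and thresholds are constructed.

```python
"""Detection over Office 365 Unified Audit Log records for the SharePoint
Online extortion chain described above. Added example, not Obsidian's
tooling. Operation names ("Add user.", "Add member to role.", "Remove member
from role.", "FileDownloaded") and the Role.DisplayName property are as they
appear in Unified Audit Log exports; the events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_ROLES = {
    "Global Administrator", "SharePoint Administrator",
    "Exchange Administrator", "Teams Administrator",
}


def _when(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def _role(rec):
    """Return the role name from a role-membership record, or None."""
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue")
    return None


def detect(records, grant_window=timedelta(hours=1), purge_threshold=5,
           download_threshold=100, burst_window=timedelta(hours=1)):
    """Return (kind, actor, detail) findings for the three stages of the attack.

    1. an account is created and handed an admin role within grant_window;
    2. one actor removes purge_threshold admins within burst_window;
    3. one actor downloads download_threshold files within burst_window.
    Each burst fires once, when the threshold is first crossed.
    """
    findings = []
    created = {}                    # new account -> creation time
    removals = defaultdict(list)    # actor -> times of admin-role removals
    downloads = defaultdict(list)   # actor -> times of FileDownloaded
    for rec in sorted(records, key=_when):
        op, actor, target, when = rec["Operation"], rec["UserId"], rec.get("ObjectId"), _when(rec)
        if op == "Add user.":
            created[target] = when
        elif op == "Add member to role." and _role(rec) in ADMIN_ROLES:
            if target in created and when - created[target] <= grant_window:
                findings.append(("admin_role_on_new_account", actor, f"{target} -> {_role(rec)}"))
        elif op == "Remove member from role." and _role(rec) in ADMIN_ROLES:
            removals[actor].append(when)
            recent = [t for t in removals[actor] if when - t <= burst_window]
            if len(recent) == purge_threshold:
                findings.append(("admin_purge", actor, f"{len(recent)} admins removed"))
        elif op == "FileDownloaded":
            downloads[actor].append(when)
            recent = [t for t in downloads[actor] if when - t <= burst_window]
            if len(recent) == download_threshold:
                findings.append(("mass_download", actor, f"{len(recent)} files"))
    return findings


def sample_records():
    """Constructed events mirroring the reported chain (times and names are invented)."""
    base = datetime(2023, 6, 1, 2, 0)

    def rec(minutes, op, actor, target, role=None, workload="AzureActiveDirectory"):
        r = {"CreationTime": (base + timedelta(minutes=minutes)).isoformat(),
             "Operation": op, "UserId": actor, "ObjectId": target, "Workload": workload}
        if role:
            r["ModifiedProperties"] = [{"Name": "Role.DisplayName", "NewValue": role}]
        return r

    recs = [rec(0, "Add user.", "svc-backup@corp.example", "0mega@corp.example")]
    recs += [rec(3, "Add member to role.", "svc-backup@corp.example", "0mega@corp.example", role)
             for role in ("Global Administrator", "SharePoint Administrator")]
    recs += [rec(10 + i, "Remove member from role.", "0mega@corp.example",
                 f"admin{i:03d}@corp.example", "Global Administrator") for i in range(8)]
    recs += [rec(30, "FileDownloaded", "0mega@corp.example",
                 f"https://corp.sharepoint.com/sites/finance/Shared Documents/doc{i}.docx",
                 workload="SharePoint") for i in range(120)]
    return recs


if __name__ == "__main__":
    for finding in detect(sample_records()):
        print(*finding)
```

The first rule is the one that would have fired earliest here: a brand-new account receiving Global Administrator within minutes of creation is rare in any tenant, and catching it before the admin purge leaves defenders with accounts that can still respond.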

Endpoints are not compromised 


Ransomware groups most commonly reach SaaS applications by compromising an endpoint, encrypting or exfiltrating files, and moving laterally as needed to spread the infection, Chisholm explains. Here, the attackers used a compromised credential to log into SharePoint Online with administrative privileges, granted those privileges to a newly created account, and ran an automated, scripted exfiltration to a rented host at vdsina.ru. No endpoint was compromised and no ransomware executable was used. 

Chisholm said this is the first publicly recorded case of automated SaaS ransomware extortion, and Obsidian believes it is also the first known instance. 

According to Chisholm, Obsidian has observed more attacks on enterprise SaaS environments in the last six months than in the previous two years combined, and expects the trend to continue. He attributes the increase to organizations putting sensitive, confidential and regulated information into SaaS applications without assessing how well those applications protect it; they do not apply the same scrutiny to SaaS that they apply to endpoint technology. 

Organizations should make sure their SaaS environments have proactive risk management tooling in place to prevent incidents. Others have reported similar trends. 

The security firm AppOmni reports that attacks on Salesforce Community Sites and other SaaS applications have increased by 300% since March 1, 2023. Among the most common weaknesses identified are excessive permissions granted to guest users, excessive object- and field-level permissions, and privileged access to sensitive data. 

According to an Odaseva report published last year, 48% of respondents said that over the past year, their organization had been hit by a ransomware attack. SaaS data has been the target of more than half of those attacks (51%).

"Securing Your Digital Assets: Uncovering the Untraceable Data Theft Bug in Google Workspace's Drive Files"

 


Security researchers say attackers can steal information from Google Drive accounts without leaving any trace, by exploiting a gap in how Google Workspace logs Drive activity for users without a paid license. 

A serious security flaw in Google Workspace was revealed in the past few days. Thousands of files on users' drives are at risk of silent theft. With remote working and digital collaboration on the rise, the issue demands immediate attention from anyone responsible for the security and privacy of sensitive information. 

Researchers at Mitiga Security discovered a previously unknown weakness in Google Workspace that lets an attacker exfiltrate data from Google Drive without leaving a trace. Mitiga describes it as a forensic security deficiency: a user can pull data out of the application without leaving a trail that shows what they did. 

The issue specifically concerns actions taken by users who do not have a paid Google Workspace license, which is what makes it serious: actions carried out on the private Drive of a user without a paid license are not logged at all. 

An attacker who cancels a compromised user's paid license and switches the account to the free "Cloud Identity Free" license thereby disables logging of that account's Drive activity. 

Google Workspace is an excellent collaboration tool, but it has its security holes. No data is untouchable, and highly interconnected cloud services carry real risk: one wrong link in a chain of interdependent documents can upend an entire department's work. 

All Google Drive users hold the "Cloud Identity Free" license by default, and no logs are kept of the actions a user performs on their private drive unless an administrator assigns them a paid license. This lack of visibility lets threat actors manipulate or steal data undetected. The weakness can be exploited in two ways. 

In the first method, a threat actor compromises a user's account, revokes that user's paid license, and downloads private files through the account. The only events that remain in the logs are the license revocation and its later reassignment. The second method concerns offboarding: if an employee's paid license is revoked before the account is disabled, the account can still be used to download sensitive files from its private drive, and none of that activity is logged. 

If an account with administrative rights is compromised, a threat actor can revoke a user's paid license in a few simple steps, reverting the account to the free "Cloud Identity Free" license.

Because the free license has no logging of Drive activity, this effectively switches logging off. The attacker can then exfiltrate any files they want without leaving a trace. All an administrator may notice afterwards is that someone revoked a paid license. 
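Since the license revocation and reassignment are the only events that do get logged, they are what a defender has to work with. The following added example (not Mitiga's tooling) triages Admin audit events for both abuse patterns described above: a paid license revoked from an account that was never suspended, and a revoke-then-reassign by the same actor, and it reconstructs the window in which the account's Drive activity went unlogged so investigators know which period their Drive logs cannot be trusted for. The event names and field layout are assumptions for illustration and should be checked against your own tenant's Admin audit log export; the events are constructed.

```python
"""Triage of Google Workspace Admin audit events for the two licence
abuses described above: a paid licence revoked from an account that was
never suspended (and later quietly reassigned), and the window in which
that account's Drive activity went unlogged. Added example, not Mitiga's
tooling. Event names and field layout are assumptions for illustration;
check them against your own tenant's Admin audit log export. The events
are constructed.
"""
from datetime import datetime, timedelta

REVOKE = "USER_LICENSE_REVOKE"        # assumed event name
ASSIGN = "USER_LICENSE_ASSIGNMENT"    # assumed event name
SUSPEND = "SUSPEND_USER"              # assumed event name


def _when(e):
    return datetime.fromisoformat(e["time"])


def analyse(events, flip_window=timedelta(hours=24)):
    """Return (findings, blind_windows).

    findings: (kind, actor, target, time) where kind is
      - license_revoked_on_active_account: revoke with no prior suspension
        (offboarding done in the wrong order, or an attacker's first step);
      - license_flip: the same actor revokes and reassigns within flip_window,
        the pattern of an attacker hiding a download session.
    blind_windows: (target, start, end) intervals during which an active
      account held no paid licence, so its Drive activity produced no logs;
      end is None if the account is still unlicensed.
    """
    suspended = set()
    open_revokes = {}   # target -> (revoke time, actor)
    findings, blind = [], []
    for e in sorted(events, key=_when):
        name, actor, target, when = e["event"], e["actor"], e["target"], _when(e)
        if name == SUSPEND:
            suspended.add(target)
        elif name == REVOKE:
            if target not in suspended:  # suspended accounts cannot log in, so no blind window
                findings.append(("license_revoked_on_active_account", actor, target, when))
                open_revokes[target] = (when, actor)
        elif name == ASSIGN and target in open_revokes:
            start, revoke_actor = open_revokes.pop(target)
            blind.append((target, start, when))
            if actor == revoke_actor and when - start <= flip_window:
                findings.append(("license_flip", actor, target, start))
    blind.extend((target, start, None) for target, (start, _) in open_revokes.items())
    return findings, blind


def sample_events():
    """Constructed Admin audit events: a clean offboarding, an attacker's
    revoke-download-reassign on a CFO account, and a revoke left open."""
    def ev(time, event, actor, target):
        return {"time": time, "event": event, "actor": actor, "target": target}
    return [
        ev("2023-05-10T09:00:00", SUSPEND, "admin@corp.example", "leaver@corp.example"),
        ev("2023-05-10T09:05:00", REVOKE, "admin@corp.example", "leaver@corp.example"),
        ev("2023-05-12T22:00:00", REVOKE, "itadmin@corp.example", "cfo@corp.example"),
        ev("2023-05-12T23:30:00", ASSIGN, "itadmin@corp.example", "cfo@corp.example"),
        ev("2023-05-15T10:00:00", REVOKE, "hr-admin@corp.example", "intern@corp.example"),
    ]


if __name__ == "__main__":
    findings, blind = analyse(sample_events())
    for f in findings:
        print(*f)
    for target, start, end in blind:
        print("unlogged Drive activity:", target, start, "->", end or "still unlicensed")
```

The operational fix this encodes is an ordering rule for offboarding: suspend first, then revoke the license. The "leaver" account follows that order and produces neither a finding nor a blind window, while the CFO account shows the hour and a half during which anything pulled from that Drive left no record.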

Mitiga says it notified Google of its findings, but Google has not responded. Identifying which files were taken during a breach is an essential step in any post-mortem or forensic investigation: it tells victims what kinds of information were exposed and whether they need to worry about identity theft, wire fraud or similar consequences. 

Logging is one of the standard ways IT teams spot intrusions before they cause serious damage. Google Drive accounts, however, are often left without adequate controls, which makes it easier for attackers to steal data undetected.

Cloud storage providers also need to take more robust steps to protect user data and prevent gaps like this in future. Although Google has yet to reply to Mitiga's findings, it will likely address the problem, which would improve the platform's security. 

Until the gap is closed, users should remain vigilant and make sure they are protecting their data: monitor Google Drive accounts regularly for suspicious activity or unauthorized access, use strong passwords, and enable two-factor authentication. 

Many kinds of documents can be stolen this way, including confidential business documents, proprietary information, financial records, intellectual property and personal documentation. Large-scale data breaches can lead to regulatory violations, financial fraud, corporate espionage, reputational damage and other economic consequences, far beyond the mere loss of data. 

Given the nature of this discovery, take immediate action to protect your sensitive data against potentially damaging attacks. 

To improve your organization's security posture, it is recommended you take the following steps: 

Enable two-factor authentication. Two-factor authentication adds an extra layer of security to your Google Workspace account: even if your login credentials are compromised, the account cannot be accessed until the additional verification step is passed. 

Stay educated: make use of Google Workspace security alerts and advisories and keep up to date with the latest threats. Watch official sources, including Google's security bulletins and blogs, for information about security issues. 

Educate employees about phishing. Give them the tools to act when they encounter suspicious emails and websites, explain the risks of handing over login credentials, and make prompt reporting of suspicious activity part of the organizational culture.

A US Cyber Team's Perspective on US Military Cyber Defense of Ukraine

Despite many analysts' predictions, Russia has not crippled Ukraine's computer systems with a massive cyber-attack during this year's invasion. One reason may be a little-known US military unit that hunts adversaries online. The BBC was granted exclusive access to the cyber-operators who carry out these global missions. 

A small US military team led by a young major arrived in Ukraine in December last year on a reconnaissance mission, at a time when a larger deployment was being planned. 

On Thursday, the Ukrainian government's premier counterintelligence and law enforcement agency revealed the real identities of five individuals allegedly involved in cyber-espionage activities attributed to the Gamaredon cyber-espionage group. According to the agency, these members are connected to the Russian Federal Security Service (FSB). 

Gamaredon has been very active in recent months: a search for #Gamaredon on Twitter turns up several tweets a week with fresh indicators of compromise (IOCs) and samples. 

Gamaredon Group is another advanced persistent threat (APT) group targeting the Ukrainian government today. It is also known as Shuckworm, Iron Tilden, Primitive Bear, Winter Flounder, and Actinium. 

A common initial-access technique is phishing emails carrying malicious Microsoft Office attachments, which give the attackers a foothold on the victim's system. 

In recent months, there have been reports of Russian troops massing along the Ukrainian border, raising fears of war breaking out. While Russia denies any plans to invade, it demands sweeping security guarantees, including a guarantee that NATO will never admit Ukraine. 

Ukraine's security services publicly attributed the attacks to Gamaredon in November, stating their belief that they were carried out by officers of the Russian Federal Security Service based in Crimea. A request for comment sent to the Russian Embassy in Washington regarding Gamaredon received no immediate response. 

A spokesperson for Ukraine's Security Service (SSU) said in a statement today that the hacker group is "an FSB special project that specifically targeted Ukraine," and confirmed that many of the perpetrators were "Crimean FSB officers and traitors who defected to the enemy during the occupation of the peninsula in 2014." 

According to Ukrainian authorities, the group has targeted over 1,500 government entities, public bodies, and private enterprises in Ukraine over the past seven years. Its aims are to gather intelligence, disrupt operations, and gain control of critical infrastructure facilities in order to collect sensitive data. 

Since 2020, Malwarebytes has identified five Gamaredon operations. The targets were tied to the clashes between Russian-aligned forces and Ukrainian citizens surrounding the discredited referendums that Moscow organized in September 2022 in the Ukrainian territories of Luhansk, Donetsk, Zaporizhzhia, and Kherson. Large numbers of infections have been observed in state, agricultural, and transportation bodies in the Dnepropetrovsk, Lugansk, and Crimea regions. 

Ukrainian intelligence agencies track the group behind these attacks as Armageddon; the cybersecurity community knows it as Gamaredon, Primitive Bear, Winterflounder, BlueAlpha, Blue Otso, Iron Tilden, and Sector C08, among other names. 

According to Malwarebytes, several campaigns in eastern Ukraine exfiltrated screenshots, the contents of USB flash drives, keystrokes, and microphone recordings, depending on the campaign. 

On Wednesday, Anne Neuberger, a White House cyber official, said Russia could destabilize and invade Ukraine using cyberattacks. 

The Gamaredon Group, whose name is a misspelled anagram of "armageddon", appeared in early 2013, apparently with Russian state sponsorship, and has since carried out sporadic cyberattacks on Ukrainian military, government, and non-profit organizations. 

The group also uses remote template injection. A seemingly benign Microsoft Office document contains no macros itself; instead it references a template hosted on an attacker-controlled server, and Word fetches that template, which carries the malicious macros, when the document is opened. Because the attachment is macro-free, it can slip past defenses that inspect attachments for macros, and the technique is reported to work even when Microsoft Word's security features are enabled. Once the macros run, the attacker can compromise the system, access its data, and spread the infection to other systems.
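As an added example (not code from the original post or from any of the researchers it cites), the following Python script checks a .docx for the indicator described above. A .docx is a ZIP container, and Word records where it will fetch an attached template in the OOXML relationship part word/_rels/settings.xml.rels: an attachedTemplate relationship with TargetMode="External" and a remote URL or UNC path is the remote-template-injection signature. The sample document the script builds in memory is constructed for the demonstration and is not a real malicious file; the template URL in it is a placeholder.

```python
# Added example (not from the original post): flag remote template injection in a
# .docx by reading the OOXML relationship (.rels) parts inside the ZIP container.
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def find_remote_relationships(docx_bytes: bytes):
    """Return (rels_part, relationship_type, target) for every relationship that is
    External and points off-host. attachedTemplate in word/_rels/settings.xml.rels is
    the remote-template-injection indicator; oleObject/frame/etc. are reported too.
    Ordinary hyperlinks are skipped because benign documents carry them routinely."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type == "hyperlink":
                    continue
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                if scheme in REMOTE_SCHEMES or target.startswith("\\\\"):  # URL or UNC path
                    findings.append((part, rel_type, target))
    return findings


def has_remote_template(docx_bytes: bytes) -> bool:
    """True when Word would fetch an attached template from a remote location."""
    return any(t == "attachedTemplate" for _, t, _ in find_remote_relationships(docx_bytes))


def build_sample_docx(template_target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx containing just the parts this check reads. Not a
    real malicious file; the template target is whatever the caller passes in."""
    mode = ' TargetMode="External"' if external else ""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%sattachedTemplate" Target="%s"%s/>'
        '</Relationships>' % (REL_NS, OFFICE_REL, template_target, mode)
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%ssettings" Target="settings.xml"/>'
        '<Relationship Id="rId2" Type="%shyperlink" Target="https://example.com/" TargetMode="External"/>'
        '</Relationships>' % (REL_NS, OFFICE_REL, OFFICE_REL)
    )
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", '<w:document xmlns:w="%s"/>' % w_ns)
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="%s" xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>'
                   % (w_ns, OFFICE_REL[:-1]))
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL for the demonstration only.
    bad = build_sample_docx("http://template-host.invalid/t.dotm")
    good = build_sample_docx("Normal.dotm", external=False)
    print(find_remote_relationships(bad))  # [('word/_rels/settings.xml.rels', 'attachedTemplate', 'http://template-host.invalid/t.dotm')]
    print(has_remote_template(good))       # False
```

To run it against a suspect attachment, pass the file's bytes: `find_remote_relationships(open(path, "rb").read())`. A local template target such as Normal.dotm has no TargetMode="External" and is ignored; any other external relationship pointing off-host (template, OLE object, frame) is worth a look even when it is not the template itself.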

Attackers Can Hide Malicious Apps Using the GhostToken Flaw

Google has patched a vulnerability in Google Cloud Platform (GCP), dubbed GhostToken, which allowed an attacker to turn a malicious OAuth application into an invisible and unremovable backdoor into a victim's Google account. 

An attacker exploiting the flaw could also read and manipulate the victim's data and documents in Gmail or Google Docs, with the victim completely unaware that this was happening. The issue, named GhostToken by Israeli cybersecurity startup Astrix Security, affects all Google accounts, including enterprise accounts. Astrix discovered and reported it to Google on June 19 and 20, 2022; Google deployed a global patch on April 7, 2023, more than nine months later. 

According to Astrix Security's write-up, an attacker exploiting GhostToken could keep a malicious app authorized on the target's Google account indefinitely. 

The flaw allowed an attacker to hide a malicious OAuth app from the victim's "Third-party access" (application management) page, so the user could neither see it nor revoke its access. Every OAuth app is tied to a GCP project, and when the attacker deletes that project it enters a "pending deletion" state; in that state the app disappears from the victim's page, but the authorization it was granted is not cleaned up. The attacker can restore the project, at which point the app becomes visible again and its token can be used to obtain an access token and pull the victim's data, then delete the project again to make the app invisible once more, repeating the cycle at will. 

An attacker exploiting GhostToken could access sensitive information in the target account's Google Drive, Calendar, Photos, Google Docs, Google Maps (location data), and other Google services. Astrix discovered the vulnerability in June 2022 and reported it to Google, which acknowledged the problem in August 2022 but did not release a patch until April 2023. 

There is no indication that the bug was exploited in the wild before the fix shipped. As part of the patch, the app management page now also lists OAuth applications whose GCP project is scheduled for deletion, so their access can be revoked. 

Even with the fix in place, users should check the third-party access page of their Google account for unrecognized apps, and should ensure that third-party apps are granted only the minimal permissions they need.

With the patch, Google now displays apps whose project is in a pending-deletion state in the third-party access section of the account settings, so users can remove such apps by revoking their permissions.

Separately, Google has fixed a privilege-escalation vulnerability in Google Cloud's Cloud Asset Inventory API, dubbed Asset Key Thief, that allowed a user to steal the private keys of service accounts and thereby access the data those accounts manage. The issue, discovered by SADA, was patched on March 14, 2023, about two months after it was reported.

The DEA Portal Hack was Perpetrated by Two Cybercriminals Last Year


Two young American men have been charged over the 2022 hacking of a DEA portal, accused of breaking in and stealing data from it. The breach gave the criminals access to sensitive information because the portal was connected to 16 data repositories of federal law enforcement organizations.  

The suspects are Sagar Steven Singh, 19, known online as "Weep," and Nicholas Ceraolo, 25, known as "Convict" or "Ominus." According to the Justice Department, Singh and Ceraolo posed as police officers after gaining access to Bangladeshi police officials' email accounts. 

Ceraolo is also accused of using a compromised Bangladeshi police official's email account to contact US-based social networking platforms while posing as an officer, claiming that users were in danger or committing crimes in order to obtain their personal information. 

The Justice Department's press release notes that Ceraolo and Singh face up to five years in prison for conspiring to gain unauthorized access to computers and up to 20 years for conspiring to commit wire fraud. 

The complaint contains only allegations, and the defendants are presumed innocent until proven guilty. Both are alleged to be members of "ViLE," a cybercrime group notorious for doxing: gathering people's personal information and using it for intimidation, harassment, or extortion. Ceraolo, who is currently at large, faces up to 20 years in prison for wire fraud and up to five years for the computer intrusion charge; Singh was charged in Rhode Island this week. 

Singh was identified through an operational security slip: he had used the same email address to log in to the portal and to a social media account, which let investigators connect him to the intrusion. A Homeland Security investigator reportedly confirmed during a raid on his home that Singh had used the portal. 

The compromised DEA portal reportedly granted access to 16 law enforcement databases holding sensitive personal information, which Ceraolo, Singh and their cybercriminal group "ViLE" exploited.  

In one case, Singh used data obtained through the portal to tell a victim that he had their Social Security number, home address, and driver's license information; the victim responded that he had been scammed. When the victim refused to comply with Singh's demands, Singh threatened to "harm" their family. 

Ceraolo allegedly used a Bangladeshi police officer's email account to contact a social media platform and request personal information about one of its subscribers, claiming that the subscriber was engaged in "child extortion" and blackmail. 

Earlier today, United States Attorney Breon Peace announced the charges against Singh and Ceraolo, noting that they belonged to a group whose name, "ViLE," reflected their conduct. As alleged in the complaint, the defendants shamed, intimidated, and extorted others online. The Office said it will not tolerate those who misappropriate the public safety infrastructure by impersonating law enforcement officers, and will act to protect citizens.

Ivan J. Arvelo, a Homeland Security Investigations official, added: "These charges highlight how serious these offenses are, and criminals who perpetrate these schemes will be held accountable for their crimes," referring to the unauthorized access to and impersonation of a US federal law enforcement system.

Qakbot Distributes Malware Through OneNote

A new wave of Qakbot campaigns uses a novel method of delivering the malware. Qakbot, a sophisticated banking trojan, is also known by several other names, including QBot, Pinkslipbot, and QuakBot. 

Qakbot has been active since 2007; the latest campaigns deliver it through OneNote documents. Once installed, it targets sensitive data on the infected system, such as login credentials, financial data, and personal information. 

In recent years Qakbot has also been dropped as a secondary payload by other botnets, such as Emotet, and has itself been used to deliver ransomware. 

In-Depth Discussion of the Subject

  • These campaigns deliver the malware by two vectors: a URL embedded in the email that downloads the malicious OneNote file, or the malicious file attached directly to the email. 
  • The OneNote documents feature a call-to-action button that runs the embedded payload when clicked.  
  • Qakbot uses various evasion methods, such as anti-debugging techniques, anti-dynamic analysis techniques, anti-AV techniques, and encrypted communication between clients and servers. 
Who Is Being Targeted?

  • Banks, financial institutions, wealth management companies, and public sector organizations are the most affected, followed by organizations in the government and outsourcing sectors.
  • Organizations in the United States, Thailand, India, and Turkey were targeted with the campaigns. 
A OneNote-Qakbot Campaign is Not New

According to researchers at Sophos, two parallel spam campaigns, nicknamed Qaknote, distributed malicious OneNote attachments with a malicious HTML application (HTA) embedded in the notebook.

  • The first campaign sent impersonal malspam containing a link to the malicious OneNote document.  
  • In the second, the malicious notebook was sent as a reply-all message into existing email threads hijacked through thread injection.
  • Opening the attachment downloads and installs QBot.  
Here are the Main Points

Recent Qakbot campaigns have been focused on specifically targeted sectors, in contrast to earlier campaigns that appeared indiscriminate, and researchers predict that this targeted approach will likely persist in future campaigns as well. 

Researchers have shared the TTPs to help detect and mitigate the threat. Recommended measures include blocking emails whose attachments have unusual extensions, avoiding malicious websites, and blocking rarely used top-level domains.   
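As an added example (not code from the original post or from Sophos), the following Python script carves embedded files out of a OneNote section and triages them, which is how the HTA or script payload behind the notebook's call-to-action button can be pulled out for analysis. It relies on the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification: a header GUID, an 8-byte little-endian length, 12 bytes of unused/reserved fields, the file bytes, then a footer GUID. The sample section it builds is constructed for the demonstration and is neither a real OneNote file nor a real malware sample; the type heuristics are deliberately simple.

```python
# Added example (not from the original post or from Sophos): carve embedded files
# out of a OneNote (.one) section and triage them. Layout follows the
# FileDataStoreObject in Microsoft's MS-ONESTORE spec: guidHeader, cbLength
# (8 bytes, little-endian), 4 unused bytes, 8 reserved bytes, file data, guidFooter.
import struct
import uuid

GUID_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # on-disk byte order
GUID_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8
SCRIPT_TYPES = {"pe", "hta/html", "cmd/bat", "vbs"}


def carve_embedded_files(data: bytes):
    """Return [(offset, payload)] for every FileDataStoreObject found by scanning for
    the header GUID; a truncated object yields a short payload rather than an error."""
    found = []
    pos = data.find(GUID_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_SIZE
        found.append((pos, data[start:start + length]))
        pos = data.find(GUID_HEADER, start + length)
    return found


def classify(payload: bytes) -> str:
    """Cheap content-based type guess; the Qakbot notebooks hide HTA/script droppers
    behind the call-to-action button, so those are what triage should surface."""
    head = payload[:512].lstrip()
    low = head.lower()
    if head.startswith(b"MZ"):
        return "pe"
    if b"<hta:application" in low or b"<script" in low:
        return "hta/html"
    if low.startswith(b"@echo") or b"powershell" in low:
        return "cmd/bat"
    if b"wscript." in low or b"createobject(" in low:
        return "vbs"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8"):
        return "image"
    return "unknown"


def triage(data: bytes):
    """[(offset, size, type)] for each embedded file in the given .one bytes."""
    return [(off, len(p), classify(p)) for off, p in carve_embedded_files(data)]


def is_suspicious(data: bytes) -> bool:
    """True if any embedded file looks like an executable or script dropper."""
    return any(kind in SCRIPT_TYPES for _, _, kind in triage(data))


def build_sample_section(payloads) -> bytes:
    """Constructed stand-in for a .one section: filler bytes with the FileDataStoreObject
    framing around each payload. Not a real OneNote file and not a real malware sample."""
    blob = bytearray(b"\x00" * 64)
    for p in payloads:
        blob += GUID_HEADER + struct.pack("<Q", len(p)) + b"\x00" * 12 + p + GUID_FOOTER + b"\x00" * 16
    return bytes(blob)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24  # decoy image, like the "click to view" lure
    hta = (b'<html><head><hta:application id="x"/></head>'
           b'<script>new ActiveXObject("WScript.Shell").Run("cmd /c echo demo");</script></html>')
    section = build_sample_section([png, hta])
    for offset, size, kind in triage(section):
        print("embedded file at offset %d, %d bytes, type %s" % (offset, size, kind))
    print("suspicious:", is_suspicious(section))  # True
```

Against a real notebook, `triage(open("suspect.one", "rb").read())` lists every embedded object; anything classified as a script or PE is the dropper to detonate in a sandbox, while the images are usually just the "double-click to view" lure.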

Why Must You Secure Your Bank Accounts With 2FA Verification?


Technological advances and the internet have transformed how conveniently people can manage their personal finances: almost anything can be done from the couch with a phone or laptop to hand. The drawback is that bank accounts have become a prime target for cybercrime. 

Two-factor authentication (2FA) is one of the most robust answers to this problem. The finest smart home security systems protect the household; 2FA is what protects you online. 

Although many people are aware of 2FA, a considerable number of them are still oblivious to its utility. The few minutes required to set up this cyber shield are totally worth it. 

What is Two-Factor Authentication? 

2FA is a security control that adds a second layer of verification on top of the username and password. It makes the login more trustworthy, and once set up it adds only a few seconds to each sign-in. 

One can categorize 2FA verification into three main types - something you are, something you have, or something you know. 

A 2FA login might use a fingerprint or retinal scan to verify the user (something you are). A code delivered to the user's phone, or generated by an authenticator app on it, is an instance of "something you have". Security questions the user confirmed earlier are an instance of "something you know"; note, though, that the password already covers that category, so a second factor from a different category gives much stronger protection. All forms of 2FA increase the security of a login. 

Why must we use 2FA? 

The most compelling reason to use 2FA on all your financial accounts is to protect your money. Much of modern cybercrime revolves around gaining access to accounts through stolen usernames and passwords. A hacker gaining unauthorized access to your bank account is worse than someone stealing your credit or debit card, because banks already have well-established procedures for dealing with a stolen card. 

For the same reason, most banks now offer 2FA or make it mandatory for online banking. Since not every bank does, check whether yours offers 2FA for logging in to your accounts. 

Keep Your Financial Accounts Secure 

The added security 2FA provides is worth the short setup time and the extra login step, because bank accounts are a favorite target of cybercrime. It is a potent deterrent against intruders and must not be overlooked.  

Hackers Could Find a Haven on Elon Musk's Twitter

The ransomware group Yanluowang, which has compromised a number of high-profile companies, now appears to be on Twitter, using a newly created account to announce that it has breached the systems of the messaging platform Matrix. 

Yanluowang is one of several cybercrime groups that have been active on Twitter in recent months, and the platform's takeover by Elon Musk, who has promised a more laissez-faire approach to content moderation, could make it an even more attractive environment for cybercriminals to operate in.

Yanluowang, a ransomware gang known for targeting financial services companies, recently started tweeting. The account appears to be used to publish data stolen from its victims. The first of these is Matrix, an open messaging protocol used by 60 million people worldwide, which the gang claims to have breached last week. 

The account's page carries six links that appear to provide access to data leaked from the Matrix platform, with labels including "chief coder and saint thread" and "master stealer task." Tech Monitor has reached out to Matrix for comment. 

Tweets are a favorite of ransomware gangs

Yanluowang is not the first ransomware gang to use Twitter as an outlet to promote data stolen in its attacks. 

Groups including Karakurt and BlackByte have created Twitter profiles to publicize their illicit merchandise; both of those accounts now appear to be suspended, while Yanluowang's page is still up, at least for the time being. Karakurt also set up a website on the open web to sell stolen data to the highest bidder. 

This approach may prove short-lived and risky, but gangs experimenting with data extortion need a public venue with a large reach to advertise their stolen data, according to Allan Liska, an intelligence analyst at Recorded Future. 

Liska told Tech Monitor in August that "not everyone has a Tor browser, and Karakurt needs to be able to earn as much money as it can, whether or not it can make any money from where it's getting its data," if it wants to succeed. "Essentially, if you are trying to extort someone, you cannot make it difficult for them to obtain the data if your aim is extortion." 

Hackers could be attracted to Elon Musk's Twitter 

In the wake of Elon Musk's $44 billion acquisition of Twitter, the platform is experiencing a period of upheaval that might last for years. 

Tesla CEO Elon Musk, now styling himself "Chief Twit," completed his takeover of the company on Friday after several months of legal proceedings. In the very public wrangling that preceded the deal, Musk described himself as a "free speech absolutist" and said he intends to make Twitter a place where free speech flourishes, so the site is expected to change the way it moderates content. Hate speech on the platform reportedly increased in the days leading up to the takeover. 

Hackers could benefit from this, since they would be able to keep accounts on the platform to advertise their illegal activities. Jason Steer, CISO at cybersecurity vendor Recorded Future, is measured about that possibility. In his view, hackers "will continue to exploit other platforms like Telegram to promote their work and sell stolen data for decades to come," but he does believe that Twitter's current issues could be an opportunity for them.

How to Prevent Malware on Your Android Device

Malware is a general term for any malicious program or code that harms systems. It seeks to invade, damage, or disable computers, networks, tablets, and mobile devices, often by taking control of a device's operations. 

Recent studies show that all connected devices, including smartwatches, are at risk. Many organizations are working to prevent infections by spreading accurate information to the public, and there are steps you can follow to keep your own devices out of a malicious trap. 

Before learning the mitigating steps, learn how to recognize that a device is infected: it runs slowly, the screen fills with unwanted ads, the system crashes, disk space disappears, the device's internet activity increases, browser settings change, the antivirus product stops working properly, or you lose access to your files or to the whole device. 

Now learn how you can prevent such activities from happening on your devices. 

First Step is to Use a Secure Search Engine on Your Devices 

People are increasingly aware that major search platforms track them and collect their private data. A privacy-focused search engine that does not store IP addresses or personal information, keeps no tracking data about search queries, and encrypts searches with time-limited sessions removes one source of that exposure. 

Second Step is to Keep Your Phone Updated 

Most Android phones now update automatically, but it is worth checking, since updates include critical security patches that help keep you safe. 

Third Step is to Clear Your Browser Cookies 

Cookies can put your system at risk in several ways: threat actors who obtain your cookies can use the data in them against you. Clearing cookies from time to time is recommended. 

Fourth is to Use Multiple Phone Accounts 

To keep your data away from threat actors and protect it from crashes, you can create multiple user accounts on your Android phone and keep important data and apps on a separate account from the one used for everyday browsing. 

Users are Recommended to Install Apps From Official Sources 

Install apps only from official sources such as the Play Store or the Galaxy Store; if something goes wrong or an app turns out to be malicious, there is an accountable party behind the store. 

Avoid cracked apps and games, and do not click on random links in text messages.

Upgraded Security Deal Between Japan and Australia Against Chinese Cybercrimes

On Saturday, Japan and Australia signed a new defense cooperation pact, in response to what both see as a deteriorating security situation in the region as a consequence of China's growing assertiveness.

Fumio Kishida, the prime minister of Japan, praised the advancement of relations between the two countries after meeting his Australian counterpart Anthony Albanese in Perth, Western Australia. The two nations committed to conducting joint military exercises and exchanging more sensitive intelligence.

It expands upon a reciprocal access pact that Kishida signed with Scott Morrison, Australia's prime minister at the time, in January, which lifts restrictions on conducting joint military drills in either nation.

It is the first time Japan has reached such a deal with a nation other than the US. Under the agreement, revealed on Saturday, Japan's Self-Defense Forces will for the first time train and take part in operations with the Australian Defence Force in northern Australia.

According to Albanese, "this major proclamation sends a powerful signal to the area of our strategic alignment" in relation to that deal. In an "increasingly hostile strategic environment," according to Kishida, a new structure for collaboration in operations, intelligence, information, and logistical support was devised.

Since Albanese's government was elected in May, Kishida has met with him four times; this visit was for an annual bilateral summit. They first met in Tokyo two days after the election, at the Quadrilateral Security Dialogue (Quad) meeting, which also included US President Joe Biden and Indian Prime Minister Narendra Modi.

The choice of Perth, the capital of Western Australia, for the meeting was emblematic of the close economic links between the two countries: the state supplies much of Japan's liquefied natural gas and the wheat used to make udon noodles.

According to a website maintained by the Australian government, Australia has some of the world's top five resources for vital minerals such as antimony, cobalt, lithium, manganese ore, niobium, tungsten, and vanadium.

Australia is the world's top producer of lithium, rutile, zircon, and rare earth elements, as well as the second-largest producer overall.

Since 2007, when Australia and Japan signed their first joint security declaration, China's defense expenditure has more than doubled. Japanese fighters scrambled 22 times in 2006 in response to Chinese military aircraft approaching Japanese airspace; last year they scrambled 722 times.

US Government Seizes Cryptocurrency Worth $30 Million From Lazarus Hackers

The U.S. government, working with blockchain analysts and FBI agents, has seized $30 million worth of cryptocurrency stolen by the North Korean-linked Lazarus Group from the popular token-based 'play-to-earn' game Axie Infinity earlier this year. 

The news was announced during the AxieCon event today, where officials highlighted it as a major achievement and encouraged large-scale collaboration between law enforcement authorities and private entities against growing cyber threats. 

Blockchain analysts said on Thursday that the seizure is a milestone for law enforcement, as it is the first time agencies have successfully seized crypto assets from the Lazarus Group. 

“I am proud to say that the Chainalysis Crypto Incident Response team played a role in these seizures, utilizing advanced tracing techniques to follow stolen funds to cash out points and liaising with law enforcement and industry players to quickly freeze funds”, the blog reads. 

Chainalysis talked about the laundering process of the group which involves the following five stages:  

• Stolen Ether sent to intermediary wallets 
• Ether mixed in batches using Tornado Cash 
• Ether swapped for bitcoin 
• Bitcoin mixed in batches 
• Bitcoin deposited to crypto-to-fiat services for cash-out.  

Following the incident, the US Treasury's Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for its role in laundering the stolen funds. 

The total loss from Lazarus' Axie Infinity hack is around $620 million, so the recovered amount represents only about 5% of that value, or roughly 10% of the cryptocurrency taken. 

The analysts further stated they “have proven that with the right blockchain analysis tools, world-class investigators and compliance professionals can collaborate to stop even the most sophisticated hackers and launderers. There is still work to be done, but this is a milestone in our efforts to make the cryptocurrency ecosystem safer.” 

The US government and the New York-based blockchain analysis firm are confident that more of the stolen funds will be recovered in future.

Crypto Scam to be Investigated by British Army

On Sunday, the UK Ministry of Defence confirmed that the British Army's YouTube and Twitter accounts had been hacked and used to promote cryptocurrency scams. The Ministry has not confirmed exactly when the takeover occurred; both accounts now appear to be back to normal. 

“We are aware of a breach of the Army’s Twitter and YouTube accounts and an investigation is underway. The Army takes information security extremely seriously and is resolving the issue. Until the investigation is complete it would be inappropriate to comment further,” The Ministry of Defence Press Office said on Twitter. 

Malicious actors took control of the British Army's Twitter page, swapping out the organization's profile picture, bio, and cover photo so that it appeared to be associated with The Possessed NFT collection, and used it to promote crypto giveaway schemes. Meanwhile, its YouTube channel aired livestreams of clips of Elon Musk, Jack Dorsey, and Ark CEO Cathie Wood discussing cryptocurrency, which directed viewers to crypto scam websites. 

The clips feature the promotion of “double your money” Bitcoin and Ethereum scams. According to Web3 is Going Great, a similar scheme took place in May. However, it is unclear which group is behind this campaign. 

The malicious actors changed the army’s verified Twitter account name to The Possessed, a project involving a collection of 10,000 animated NFTs with a price floor of 0.58 Ethereum (approximately $1,063). 

It is possible that the hack is part of a broader campaign exploiting the recent popularity of The Possessed. On Saturday, the project's official Twitter account warned followers that another verified account had also been hijacked to promote an NFT scam using The Possessed brand. 

“The breach of the Army’s Twitter and YouTube accounts that occurred earlier today has been resolved and an investigation is underway. The Army takes information security extremely seriously and until their investigation is complete it would be inappropriate to comment further,” the UK Ministry of Defence Press Office tweeted later.

External Attackers Can Penetrate Most Local Company Networks


In recently published research, Positive Technologies reported that external attackers can breach the network perimeter of 93% of organizations and gain access to their resources. The study found that in those 93% of cases it took the testers an average of only two days to penetrate the company’s internal network. 

Another concerning finding was that in 100% of the companies examined, an insider could gain full control over the infrastructure. According to the company’s researchers, this figure has remained high for many years, confirming that cybercriminals are able to breach almost any corporate infrastructure. The study covered financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial companies (16%), IT companies (13%), and other sectors. 

The most common way into a corporate network was the compromise of credentials, mainly as a result of weak passwords, missing patches, and unnecessary services left running and unprotected on the perimeter. The researchers added that organizations do not segment their networks by business process, which lets an attacker develop several attack vectors at once. 
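The “weak passwords” in findings like this are rarely short random strings; in pentest practice they are passwords that satisfy the domain’s complexity policy but follow predictable patterns (a season plus the current year, the company name, a leet-spelled dictionary word, a keyboard walk) and so fall quickly to password spraying. The following Python check is added here as an illustration and is not taken from Positive Technologies’ report or tooling: it audits a constructed list of accounts for such patterns and shows that every flagged password still passes a typical eight-character, three-class complexity rule. The account list, the company name and the policy thresholds are assumptions for the example.

```python
"""Pattern-based weak-password audit (illustrative; not Positive Technologies' tooling)."""
import re
from typing import Dict, List, Tuple

# Constructed sample accounts (username, cleartext password), e.g. as recovered
# from a cracked credential dump during an engagement. Assumed for the example.
SAMPLE_ACCOUNTS: List[Tuple[str, str]] = [
    ("alice", "Summer2022!"),
    ("bob", "Acme2022"),
    ("carol", "P@ssw0rd"),
    ("dave", "Qwerty123!"),
    ("erin", "tr0ub4dor&3-Hard-Eng1ne"),
    ("frank", "Welcome1"),
]

COMPANY_NAMES = ("acme",)  # assumed name of the target organisation
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
COMMON_WORDS = ("password", "welcome", "letmein", "admin", "changeme", "secret")
KEYBOARD_WALKS = ("qwerty", "asdf", "zxcv", "123", "1234")

# Reverse the leet substitutions that spraying wordlists already account for.
LEET = str.maketrans("@$01345", "asoieas")


def normalize(pw: str) -> str:
    """Lowercase, undo common leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def passes_complexity(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Typical AD-style policy: minimum length plus three of four character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(pw) >= min_len and classes >= min_classes


def weak_reasons(pw: str, company_names=COMPANY_NAMES, year: int = 2022) -> List[str]:
    """Return the guessable patterns a password matches (empty list if none)."""
    norm = normalize(pw)
    reasons = []
    if any(w in norm for w in COMMON_WORDS):
        reasons.append("common word")
    if any(c in norm for c in company_names):
        reasons.append("company name")
    if any(s in norm for s in SEASONS):
        reasons.append("season")
    # Years within the last five (or the next one) are what sprayers try first.
    if any(year - 5 <= int(y) <= year + 1 for y in re.findall(r"(?:19|20)\d{2}", pw)):
        reasons.append("recent year")
    if any(k in pw.lower() for k in KEYBOARD_WALKS):
        reasons.append("keyboard walk")
    return reasons


def audit(accounts, company_names=COMPANY_NAMES, year: int = 2022) -> Dict[str, Tuple[bool, List[str]]]:
    """Map each flagged user to (passes the complexity policy?, matched patterns)."""
    findings = {}
    for user, pw in accounts:
        reasons = weak_reasons(pw, company_names, year)
        if reasons:
            findings[user] = (passes_complexity(pw), reasons)
    return findings


if __name__ == "__main__":
    for user, (compliant, reasons) in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user:8} policy-compliant={compliant!s:5} guessable via: {', '.join(reasons)}")
```

Five of the six constructed accounts are flagged, and all five pass the complexity rule, which is the point: a length-and-character-class policy alone does not stop the guesses a sprayer tries first. Only the long passphrase held by “erin” comes through clean.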

“In 20% of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those. According to our customers, events related to the disruption of technological processes and the provision of services, as well as the theft of funds and important information pose the greatest danger...,” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies. 

“...In total, Positive Technologies pentesters confirmed the feasibility of 71% of these unacceptable events. Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.