Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberfrauds. Show all posts
Vulnerabilities and Exploits
CyberCrime Cyberfrauds Cybersecurity Cyberthreats Darkweb Databreach Hackers Vulnerabilities and Exploits

FortiGate Vulnerability Exposes 15,000 Devices to Risks

 



Fortinet Firewall Data Breach: 15,000 Devices Compromised by Belsen Group

On January 14, 2025, it was reported that the configuration data of over 15,000 Fortinet FortiGate firewalls was leaked on the dark web. The hacker group, identified as Belsen, shared this data for free on its newly created TOR website. The leaked information includes full firewall configurations, plaintext VPN credentials organized by IP address and country, serial numbers, management certificates, and other sensitive data. This breach poses a significant security risk to affected organizations, as it enables attackers to compromise internal networks with ease.

Exploitation of Critical Vulnerabilities

According to cybersecurity analysts, the Belsen Group exploited a zero-day vulnerability, identified as CVE-2022-40684, to obtain the leaked data. This vulnerability, published in 2022, allowed attackers to bypass administrative authentication through specially crafted HTTP/HTTPS requests. By leveraging this flaw, the attackers exfiltrated configuration files containing sensitive details such as passwords, firewall rules, and advanced settings. These files, though obtained in 2022, remained undisclosed until January 2025, significantly increasing the risk exposure for affected organizations.

In response to this ongoing threat, Fortinet released patches for CVE-2022-40684 and announced a new critical authentication bypass vulnerability, CVE-2024-55591, on the same day the leak was disclosed. This new vulnerability is being actively exploited in campaigns targeting FortiGate firewalls, particularly those with public-facing administrative interfaces. Devices running outdated FortiOS versions are especially at risk.

Impact and Recommendations

The leaked configuration files provide a comprehensive map of victim networks, including firewall rules and administrator credentials. Threat actors can exploit this information to:

  • Bypass perimeter defenses and gain unauthorized access to internal networks.
  • Deploy ransomware, perform lateral movement, and exfiltrate sensitive data.
  • Identify additional vulnerabilities within the network architecture to maximize attack impact.

Organizations affected by this breach must take immediate action to mitigate risks. This includes:

  • Updating credentials for all compromised devices.
  • Applying the latest security patches, including fixes for CVE-2022-40684 and CVE-2024-55591.
  • Conducting thorough security audits to identify and address additional vulnerabilities.

Cybersecurity expert Kevin Beaumont has announced plans to release an IP list from the leak to help FortiGate administrators determine if their devices were affected. Meanwhile, security firms like CloudSEK and Arctic Wolf have emphasized the importance of prioritizing updates and vigilance against future exploitation campaigns.

Fortinet devices' history of vulnerabilities has made them frequent targets for cybercriminals and nation-state actors. Addressing these security gaps is crucial to preventing further breaches and protecting sensitive organizational data.

Read more »
Vulnerabilities and Exploits
Cyberfrauds CyberThreat Cyercrime Cyersecurity Email Phishing Vulnerabilities and Exploits

Millions of Email Servers Found Vulnerable in Encryption Analysis

 


In a new study published by ShadowServer, it was revealed that 3.3 million POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) servers are currently at risk of network sniffing attacks because they are not encrypting their data using TLS. 

Using IMAP, users can access their emails from different devices, while keeping messages on the server. With POP3, however, the messages are downloaded to one specific device, which restricts access to that particular device, resulting in IMAP and POP3 being used to access email. Mail servers can be accessed through two different methods: POP3 and IMAP. POP3 is a way to access email through a server. 

A good reason to use IMAP is that it stores users' emails on the server and synchronizes them across all their devices. This allows them to check their inbox across multiple devices, such as laptops and phones. However, POP3 works by downloading emails from the server and making them only accessible from the device from which they were downloaded. Additionally, there is no denying that many hosting companies configure POP3 and IMAP services by default, even though most users do not use them. 

It is important to note that it is very common to have those services configured by default. To ensure that TLS is enabled, and all email users use the latest version of the protocol, the organization advised them to check with their email provider. With the latest versions of Apple, Google, Microsoft, and Mozilla email platforms, users can rest assured that their information is already protected thanks to the TLS encryption protocol. 

To securely exchange and access emails across the Internet using client/server applications, the TLS secure communication protocol helps secure users' information while exchanging and accessing. In the absence of TLS encryption, the messages' content and credentials are sent in clear text, making them susceptible to network sniffing attacks that could eavesdrop on them. In the sense of a security protocol, TLS, or Transport Layer Security, is an Internet-based security protocol used for secure web browsing as well as encrypting emails, file transfers, and messaging messages. It is used to provide end-to-end security between applications over the Internet. 

It is the role of TLS to keep hackers away from sniffing the network, encrypting users' email credentials and message contents instead of sending them as plain text, which helps to prevent hackers from sniffing the network. As an alternative to TLS encryption, it is also possible for anyone to sniff out that information without encryption. To find out 3.3 million hosts that do not support TLS, ShadowServer scanned the internet for POP3 services running on ports 110 and 995. 

As of 2006, there has been widespread use of TLS 1.1 as an improvement over TLS 1.0, which had been introduced to the market in 1999, and TLS 1.0 remained in use until this very day. Having discussed and developed 28 protocol drafts, the Internet Engineering Task Force (IETF) approved TLS 1.3, the next major version of the TLS protocol, in March of 2018, after extensive discussions and development of 28 drafts. 

Without TLS, passwords for mail access could be intercepted, and exposed services could allow a password-guessing attack on the server, and without TLS, passwords could be intercepted, and the server could suffer from password-guessing attacks. Hosts can be eavesdropping on network sniffer attacks if credentials and message content are sent in clear text without encryption. 

It is estimated that about 900,000 of these sites reside in the United States with over 500,000 being in Germany and Poland with 380,000 being in Germany. However according to the researchers, no matter whether TLS is enabled or not, service exposure could result in a password-guessing attack against the server. As part of the coordinated announcement made by Microsoft, Google, Apple, and Mozilla in October 2018 informing the public that insecure TLS 1.0 and TLS 1.1 protocols would be retired in 2020, Microsoft, Google, Apple, and Mozilla announced their intentions. As of August 2020, the latest Windows 10 Insider builds have begun using TLS 1.3 by default. 

The National Security Agency also released a guide in January 2021 detailing how outdated versions of the TLS protocol, configurations, and versions can be identified and replaced with current, secure solutions. As a ShadowServer foundation spokesperson pointed out, “regardless of whether TLS is enabled or not, service exposure may enable password guessing attacks against the server regardless of whether TLS is enabled.” 

Email users are urged to make sure that their email service provider indeed enables TLS and that their email service provider is using the current version of the protocol. Regardless of whether they are using Apple, Google, Microsoft, or Mozilla email platforms, users need not be worried since they all support TLS and use the latest versions of it.
Read more »
Online Store Security
Cyberattacks CyberCrime Cyberfrauds Cyberhackers Cybersecurity CyberThreat JavaScript malware Online Store Security

Cyberattack Compromises European Space Agency Online Store Security

 


A malware attack on the European Space Agency's official web shop revealed that the application was hacked by loading a JavaScript script that generated a fake Stripe payment page at checkout. With an annual budget of more than 10 billion euros, the European Space Agency (ESA) is dedicated to extending the boundaries of space activity through the training of astronauts and the development of rockets and satellites for exploring our universe's mysteries. 

Thousands of people were put at risk of wire fraud after the European Space Agency (ESA) website was compromised due to the recent exploitation of a credit card skimmer, which was found to be malicious on ESA's webshop. According to researchers from Sansec, the script creates a fake Stripe payment page when the customer is at checkout, which collects information from the customer. 

As a result of the fake payment page being served directly from ESA's web shop, which mimicked an authentic Stripe interface, it appeared authentic to unsuspecting users, who were unaware of the fraudulent payment process. According to Source Defense Research, screenshots of the malicious payment page were provided alongside the real one in the post, but this attack took advantage of domain spoofing with a different top-level domain to exploit domain spoofing, using a nearly identical domain name for the attack. 

The official shop of the European Space Agency is located under the domain "esaspaceshop.com," but the attackers used the domain "esaspaceshop.pics" to deceive visitors. Sansec, who flagged the incident, emphasized that the integration of the webshop with ESA's internal systems could significantly increase the risks for both employees and customers of the agency. 

An examination of the malicious script revealed that its HTML code was obscured, which facilitated detection as well as the theft of sensitive payment information, as it contained obfuscated HTML code derived from the legitimate Stripe SDK. The malicious code was created to create a convincing fake Stripe payment interface that looked legitimate because it was hosted by the official ESA web store domain. 

Although the fake payment page was removed, researchers discovered that the malicious script remained in the source code of the site. As of today, the ESA website has been taken offline, displaying a message indicating it has been taken out of orbit for an extended period. The agency clarified that this store is not hosted by its infrastructure, and they do not manage its associated data. 

As confirmed by whois lookup records indicating different ownership between the main domain of ESA (esa.int) and the compromised web store, it is not known exactly how many customers were affected by the breach, nor what financial impact it had. According to ESA's website, the company is well known for its role in astronaut training and satellite launches. However, it has not yet provided details as to how it intends to strengthen its online security measures after the incident occurred. 

A recent cyberattack on well-respected institutions shows just how vulnerable they can be to cyber attacks, especially when their e-commerce systems are integrated into a broader organization's network. According to cybersecurity experts, e-commerce platforms are urged to prioritize robust security protocols to prevent similar incidents from occurring in the future. This can erode customer trust and result in significant financial consequences. 

The past few months have seen an increase in cyberattacks targeting e-commerce platforms, with criminals using digital skimming methods to steal payment information. Earlier in August 2024, Malwarebytes reported that it had infiltrated Magento-based e-commerce platforms with skimmer code, exposing sensitive customer information, such as credit card numbers, by November 2024, as described by Malwarebytes. 

Sucuri discovered several PHP-based skimmers, such as Smilodon, harvesting payment data covertly. Although these skimmers were highly obfuscated, their detection was significantly hindered. Finland's Cybersecurity Centre reported in December 2024 that skimming attacks were on the rise, where malicious code embedded on payment pages was used to steal credit card information. Those developments highlight the crucial need for e-commerce platforms to implement robust security measures to ensure their customers' data is protected from unauthorized access. 

It is still unclear who was responsible for these attacks, but Magecart, one of the most infamous threat groups around, has been previously linked to similar activities, including installing credit card skimmers on prominent websites, which are typical of such attacks. During March 2023, Malwarebytes speculated that this group was involved in an extensive series of attacks targeting multiple online retailers, but this was not the first mention of the group. 

The majority of victims of credit card fraud that results from such breaches can receive refunds from their banks. Cybercriminals, however, use the stolen funds to finance malicious campaigns, including malware distribution. Likely, significant damage has already been done by the time the affected cards are locked and the funds are returned, even though the stolen funds can be used to finance fraudulent campaigns.
Read more »
Lawsuits
Anti Malwares Cyber Security Cyberfrauds DOJ Georgia Georgian Cyber Security IT department Lawsuits

Georgia Tech Faces DOJ Lawsuit Over Alleged Lapses in Cybersecurity for Defense Contracts

 

Researchers at the Georgia Institute of Technology, who have received over $1 billion in Defense Department contracts, are facing scrutiny for allegedly failing to secure their computers and servers, citing that doing so was too “burdensome.” Since 2013, the Department of Defense has mandated that any contractor handling sensitive data provide “adequate security” on their systems. 

However, at Georgia Tech, laboratory directors reportedly resisted developing a security plan and opposed IT department efforts to implement basic antivirus and anti-malware software. Two IT department employees filed a whistleblower lawsuit, leading the Department of Justice (DOJ) to join the case against the university and the Georgia Tech Research Corporation (GTRC), the nonprofit entity managing government contracts. The lawsuit claims that the Astrolavos Lab at Georgia Tech delayed creating and implementing a security plan, as required by the government contracts. 

When a plan was finally created in 2020, it did not cover all relevant devices, according to the DOJ. Furthermore, the lab, whose mission is to address the security of emerging technologies critical to national security, did not install or update antivirus or anti-malware tools until December 2021. The lab allegedly fabricated compliance reports sent to the Defense Department. The reasons behind these alleged security lapses reportedly stem from campus politics. The DOJ complaint suggests that researchers bringing in substantial government funding were viewed as “star quarterbacks,” using their influence to resist compliance with federal cybersecurity mandates. 

Between 2019 and 2022, GTRC secured more than $1.6 billion in government contracts, with over $423 million in 2022 alone. The whistleblowers, Christopher Craig and Kyle Koza, filed the suit under the False Claims Act, allowing them to receive a portion of any recovered funds. Georgia Tech and GTRC face nine counts, including fraud, breach of contract, negligence, and unjust enrichment, with the DOJ seeking damages to be determined at trial. The DOJ stressed the importance of cybersecurity compliance by government contractors to safeguard U.S. information against threats from malicious actors. 

Meanwhile, Georgia Tech expressed disappointment at the DOJ’s filing, arguing it misrepresents the university’s culture and integrity, claiming that the government itself had indicated that the research did not require cybersecurity restrictions. Georgia Tech has vowed to dispute the case in court, maintaining that there was no data breach or leak and reaffirming its commitment to cybersecurity and collaboration with federal agencies.  

This case is notable given recent cybersecurity threats faced by major universities, such as the University of Utah and Howard University, where ransomware attacks have resulted in significant financial losses.
Read more »
Vulnerabilities and Exploits
Cryoptographic Cyberattacks CyberCrime Cyberfrauds Cybersecurity DMARC Emails Google Locker Vulnerabilities and Exploits

Guarding Against DMARC Evasion: The Google Looker Studio Vulnerability

 


As a free online tool, Google Looker Studio allows users to create reports that can be customized with charts, graphs, and other data points. Once users have prepared their report, they can share it with anyone they desire. 

It appears that based on our observations, threat actors are using Google Looker Studio to create fake cryptographic pages which are sent to the intended victims in email attachments that are sent from the legitimate tool itself, as part of the observed attacks. 

Using a Web-based tool, Google Looker Studio can convert documents - such as slideshows, spreadsheets, etc. - into information. It can be done in several different ways, including charting and graphing data into usable visuals. 

Researchers at Check Point have discovered a botnet campaign known as the business email compromise (BEC) campaign that has been operating over the past several weeks. The campaign uses this tool to build crypto-themed pages in an attack that is socially engineered to look like the actual cryptocurrency.

It has been discovered that attackers send emails that appear to come directly from Google, containing links to unverified reports purporting to be useful for cryptocurrency investors, and encouraging them to click on a link to sign in to their accounts to obtain further information about the reports. 

There is a link in the message that leads to the fake report which purports to provide all the information the victim needs on investment strategies that can yield significant returns. This scam solicits the recipient to click on a link provided to them and be taken to a legitimate Google Looker page which displays a Google slideshow which contains instructions on how to receive more cryptocurrencies from the sender. 

A message is displayed to the victim as the user is taken to a login page where a warning has been displayed warning them that unless they log into their account immediately they may lose access to it. Nonetheless, this page has been designed with the intent of stealing the credentials users supply. It is common for cybercriminals to embed the URLs of these websites in their phishing emails, as Looker Studio's reputation for being a legitimate and trustworthy company makes them a good target for email security checks. 

Using Google's letterhead, the phishing emails appear to originate from Google and claim to have been sent by the tech giant itself. They inform the recipient that they have won approximately 0.75 Bitcoins ($19,200) by joining the firm's cryptocurrency insights and trading strategies program, as part of which they had the opportunity to participate. 

Gmail users are encouraged to follow the embedded link to collect their earnings in the e-mail, which otherwise appears to be well-written. It has been found in Check Point's analysis that because the sender's IP address is listed as authorized for a subdomain located at google.com, the attack can pass email authentication checks that prevent spoofing. 

Using Google's authority to bypass email security scans, the attackers were able to bypass the security scans for emails. They employ several techniques such as fooling Sender Policy Frameworks (SPFs), DomainKeys Identified Mail (DKIMs), and the Domain-based Message Authentication, Reporting, and Conformance (DMARC) frameworks to achieve their end. 

With these tactics, phishing emails can go undetected since they are associated with the legitimate domain "google.com", giving them the appearance of being legitimate. Using cryptographic signatures, DomainKeys Identified Mail (DKIM) verifies the integrity and origin of emails with the use of cryptographic signatures. 

In the domain-based Message Authentication, Reporting, and Conformance (DMARC), domain owners can specify specific actions that should be taken when an email message fails an SPF authentication check or a DKIM authentication check. 

A BEC attack has been a popular phishing method for many years due to its simplicity and effectiveness. Threat actors continuously adjust their strategies and incorporate new technologies into their attacks to make them more convincing. 

Check Point researchers recommend that users adopt AI-driven security technologies capable of analysing various phishing indicators to take a proactive approach to combat sophisticated BEC attacks. Cyberattacks such as Business Email Compromise (BEC) are a form of cybercrime whereby threat actors impersonate employees or business partners, so they can steal money, and sensitive data, or gain unauthorised access to corporate networks by impersonating employees or business partners. 

An email sender is verified as authorized by the Sender Policy Framework (SPF), which is a protocol for authenticating emails. Despite the growing number of attacks, attackers are continually growing their skill set and leveraging new technology to create more convincing and creative attacks that will pique the interest of users and incite them to follow along and give up their credentials to attack lures. 

Google Looker Studio is an example of such technology. The researchers of the Check Point company advise that businesses adopt increasingly common artificial intelligence (AI)-powered security technologies to protect themselves against complex BEC attacks by analyzing and identifying numerous phishing indicators that can be used by hackers to conceal their malicious intent. 

The campaign used a legitimate Google app and domain to disguise its malicious intent. A comprehensive security solution must be implemented for organizations to increase their level of security, Fuchs advised, including document- and file-scanning capabilities as well as URL protection systems that conduct thorough scans of websites and emulate webpages for a higher level of protection.
Read more »
Vulnerability
Cyber Attacks Cyberfrauds Cybersecurity Hacking Linux Encryptor Ransomwares VMware Vulnerability

ESXi Servers are Targeted by Linux-Based Akira Ransomware

 


As part of a ransomware operation called Akira, VMware ESXi virtual machines have been encrypted using a Linux encryption tool. This is to block access to the virtual machines. The attack comes after the company targeted Windows systems for a couple of months. 

To encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide, the Akira ransomware operations use a Linux encryptor to encrypt VMware ESXi virtual machines controlled by VMware. 

There has been a recent expansion of the Akira ransomware and it now targets VMware ESXi virtual machines using a Linux encryptor. It is because of this adaptation that Akira can now attack companies across the globe. 

This ransomware virus, Akira, was found in March 2023. As the most recent addition to the ransomware landscape, it is relatively less well-known. 

In the short time that Akira ransomware has been in operation, it has been confirmed that 45 organizations have been affected. Most of the targets are based in the U.S. Organizations affected range from childcare centers to large financial institutions but all have been affected. 

The threat actors are engaged in double extortion attacks against their victims, demanding several million dollars and stealing data from breached networks, encrypting files, and encrypting the data until they reach the point of demanding payouts.

In addition to asset managers, the gang's blog lists several victims of the gang's crimes. Akira will encrypt the files of an organization after an attack has been launched, appending the name of the encrypted files to the file names. The desktop screen will display a ransom note, explaining in a condescending tone that it is the quickest way back to the state where the company functions normally if you pay the ransom. 

The Development Bank of Southern Africa and London Capital Group are completely aware of the damage they have caused. There are many US-based companies on the gang's black web blog. 

This computer virus, known as Akira, uses double extortion techniques to pressure its victims into paying a ransom. This means that Akira copies the data before encrypting it to make sure the information can not be released, as well as selling the description key, and using these techniques to force a company into paying the ransom. 

In some cases, the ransoms amount to more than a million dollars, while in others it is less. It has focused on professional services, education, manufacturing, and research and development so far.

In sectors as diverse as education and finance, the threat of ransomware has disrupted corporate networks and encrypted stolen data from breached networks. These compromised files are marked with the extension .akira, which signifies compromise. 

It is important to note that, after the Akira ransomware has been activated, many different file extensions and names will become encrypted, as well as renamed files with the .akira extension. There will also be a ransom note titled akira_readme.txt left in each folder on the encrypted device. 

It is possible to customize how Akira works on Linux, which includes specifying the percentage of data that will be encrypted on each file, which allows threat actors to better customize their attacks. The propensity of this version of Akira to skip folders and files that are usually associated with Windows seems to indicate that it has been ported from the Windows version of the game.

Despite Akira's increasing scope, the fact that the threat now faces organizations around the world illustrates the urgency of action. Sadly, ransomware groups are increasingly expanding their operations to include Linux platforms as well. Many of them are leveraging readily available tools to do so due to the trend toward expanding their operations. To maximize their profits, they have turned this strategy into a simple and lucrative one. 

Among the most notable ransomware operations, some of which predominantly target VMware ESXi servers with their ransomware encryptors, include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, RansomEXX, and Hive. These operations use Linux-based encryption methods. 

Spreads Rapidly, is Widely Popular, and is Unsecured 

During a ransomware attack, servers are popular due to their ability to spread ransomware rapidly. Hackers need only one run to launch the ransomware attack, which means the ransomware attack becomes extremely fast for the first time in history. ESXi servers have gained popularity in the enterprise world, as they are among the most widely used hypervisors on the planet. Lastly, the devices do not have any security solutions installed on them, which leads to a lack of security. CrowdStrike published a report previously that focused on the fact that antivirus software simply isn't supported by the manufacturer. 

During the weekend of February 2-6, ESXi servers were targeted by thousands of attacks taking place simultaneously. The attackers were able to exploit an outdated vulnerability that had existed two years ago. As a result, good cyber security for servers is very important because research can take a long time and is not always easy. A problem that had not yet been exploited massively had been discovered by Mandiant in 2022, but the problem was still unknown.
Read more »
ransomware attacks
Babuk Cisco Talos Cyberattacks CyberCriminal Cyberfrauds Cybersecurity malware RA Ransomware ransomware attacks

Babuk is Customized by RA Ransomware Group


 

It has recently been discovered that an actor called the RA Group uses leaked Babuk source code in its attacks. The wrath of the same jas been faced by the companies in the United States and South Korea. Manufacturing, wealth management, insurance providers, and pharmaceuticals are among the compromised industries. 

Cybercriminal gang Babuk continues to cause havoc with the leaked source code it uses to launch cyberattacks against its targets. 

RA Group has been expanding its operations at the rate of 200 stores per month since April 22 as a result of an evaluation conducted by Cisco Talos this week. Several companies have been targeted in the US and South Korea by this threat, particularly in manufacturing, wealth management, insurance coverage, and pharmaceuticals. There have already been a few RA victims since it became prevalent in April. 

Four Companies Have Been Attacked by RA Ransomware

As per Cisco Talos’s research, “RA Group started leaking data on April 22, 2023, and we observed the first batch of victims on April 27, followed by the second batch on April 28, and we noticed more victims on April 29, 2023."

It is imperative to draw your attention to the fact that Babuk ransomware's complete source code was leaked online in September 2021. As a result of its success, several new threat actors have created ransomware by leveraging it to do business with them. Over the past year, 10 different ransomware families have gone down that route - a particular example would be a group of individuals who used it for developing lockers that were designed to work with VMware ESXi hypervisors. 

In addition, there have been others who have modified the code in other ways, using the fact that it is designed to exploit several known vulnerabilities to do so. As an example of this, there are vulnerabilities in Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and other popular web applications. 

In light of the news, it is important to remember that the report from SentinelLabs published last week revealed that there was growing evidence of ransomware groups still targeting ESXi hypervisors and that the disclosure of Babuk source code in September 2021 offered a unique insight into the development operations of a ransomware group that had previously been unavailable to threat actors. 

As part of the monitoring system, victims are also reported on a dark web blog to encourage data leakage on their behalf.

A ransom note published in the report indicates that the gang is ruthless and sells the data after three days, and in that letter, they state that "Your data is encrypted when you read this letter." In addition to copying your data onto our server, you should feel comfortable knowing that no information about you is going to be compromised or made public unless you want it to be, the note stated. Most criminals give victims weeks or months to pay up. 

The Cisco Talos team of security experts on May 15 compiled a timeline of attacks using ransomware families that were derived from the leaked Babuk source code, conducted by different actors. 

Several custom malicious code families have evolved out of the ransomware, discovered in the Babuk data breach. This is according to Timothy Morris, Chief Security Advisor at Tanium. Several software vulnerabilities are exploited by the attacker, including Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, and Liferay, as well as interfering with backups and deleting volume shadow copies. Morris claims this exploit was discovered last year. 

According to RA Group’s ransom note, victims have only three days left to settle the debt; accordingly, it is using a standard double-extortion model that threatens to leak exfiltrated data if they do not pay up; however, according to the ransom note, victims have just three days remaining to settle their debt. 

Several details in the leak site divulge the identity of the victim, the name of the organization from which the data was obtained, the total size of the data downloaded, and even the official URL of the victim. As Cisco Talos has explained in its analysis of the ransomware group, this is a typical leak site among other ransomware groups of the same type. Nevertheless, RA Group is actively selling the victims' exfiltrated data through their leak site which is hosted on a secured Tor site used for selling the victims' leaked data.   

Several details are disclosed at the leak site, such as the identity of the victim, the name of the organization that provided the data, the size of the data downloaded, and even the official URL of the victim, all of which reveal the identity of the victim. Cisco Talos has explained in its analysis of this ransomware group that this is essentially a typical leak site. This is similar to those used by other ransomware groups. Despite this, the RA Group is currently selling the exfiltrated data of the victims through a leak site. This is hosted on a secure Tor site and has been used to sell the exfiltrated data of the victims.
Read more »
Meta
Cyberattacks Cyberfrauds Cybersecurity Data Breach Data Mining FTC Met-Profits Meta

A New FTC Rule Prohibits Data Mining by Minors for Meta-Profits

 


As a result of an investigation by the Federal Trade Commission, Meta's Facebook (NASDAQ: META) was accused of misleading parents about their kids' protection, and the commission proposed tightening existing privacy agreements and preventing profit from minors' personal information. 

A “blanket prohibition” has been proposed by the Federal Trade Commission to prevent Meta’s monetization of children’s data. A report by the Federal Trade Commission (FTC) concluded that Facebook's Meta company – previously known as Facebook – failed to comply with a privacy order that had been in place since 2020 by misrepresenting the control that Facebook Messenger gives to users' parents, as well as how their data could be accessed by outside developers. 

The FTC makes several claims, including a failure to comply with the order, a misrepresentation regarding the ability of parents to control who their children communicate with through Messenger Kids, and a misrepresentation regarding the access it provides to certain app developers to private user data. 

It has been 20 years since the FTC began enforcing privacy measures. The most recent order was issued to Meta (then known as Facebook) after the agency reached a $5 billion settlement regarding the Cambridge Analytica scandal in which Meta (then known as Facebook) was involved. As a result of this investigation, the FTC determined that Meta violated a 2012 order concerning user data privacy. According to the FTC, Meta violated COPPA, along with not complying with the 2020 order.

According to the findings of an independent assessor, Facebook's users were at risk as a result of the security gaps. According to the FTC, the company has been asked to address allegations that their Messenger Kids product misled parents into believing that their children could choose who would communicate with them through it.

Several gaps and weaknesses in Facebook's privacy program have been identified by an independent assessor, who based on the FTC report, has identified several gaps and weaknesses. It is also alleged that Facebook's Messenger Kids' parental controls do not ensure that underage users can communicate with only those contacts approved by their adult guardians or parents. In some circumstances, children could communicate in groups through text chats or video calls with unapproved contacts. 

It was specifically said that the FTC found Facebook misled parents about how much control they had over who, and when, their children made contact with in the Messenger Kids application. Furthermore, it was very deceptive about how much access app developers had to users' private information. It breached a privacy agreement signed in 2019. 

There are many changes proposed by the FTC, including prohibiting Facebook from making money from the data it collects on children under 18 years old, including with its virtual reality businesses. In addition, the use of facial recognition technology would be subject to expanded restrictions as well. 

Despite the large drop in Meta shares on Wednesday, they recovered most of their losses and closed at $238.50, down 0.3% from their previous close. More than 98% of the revenue generated by Meta, a company that also owns Instagram, comes from digital ads sponsored by its users by being targeted with their personal information. 

Although Facebook owns some of the biggest social networks in the world, it is at a disadvantage in the battle to capture young people's attention after the video-sharing app TikTok soared in popularity among American teenagers a few years ago. After the FTC confronted Facebook about its alleged failure to protect users' privacy, it issued a couple of orders in 2012 and 2020, resulting in the FTC taking action once more against the social network.

In 2012, it was the first time it had happened. On January 30, 2019, Facebook finally settled allegations that it violated a consent order it signed in 2012 by misrepresenting the amount of control users had over their data. This culminated in the company paying a record $5 billion fine for its violation. It was finalized in 2020 when the order was finalized. 

As part of a separate lawsuit, the FTC was trying to stop Meta from acquiring Within Unlimited, which produces virtual reality content, but it lost the case. Moreover, the agency has petitioned a federal court for an order to mandate Facebook to sell Instagram, which it purchased for $1 billion in 2012, and WhatsApp, which it acquired for $19 billion in 2014. There is a legal case being fought at the moment.
Read more »
Subscribe to: Posts (Atom)