Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cybersecurity. Show all posts
Vulnerabilities and Exploits
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Four-Fait Routers VulnCheck Vulnerabilities and Exploits

Critical Security Issue Hits Four-Faith Routers

 


According to VulnCheck, a critical vulnerability identified as CVE-2024-12856 has been discovered in Four-Faith industrial routers, specifically affecting the F3x24 and F3x36 models, as well as users’ machines. Evidence suggests active exploitation of this vulnerability in the wild, raising significant security concerns for industrial and enterprise users. The flaw resides in the router’s system time adjustment function, where a post-authentication vulnerability allows attackers to execute remote commands on compromised devices.

Technical Details of the Vulnerability

The routers, running firmware version 2.0, are susceptible to an authenticated remote command execution flaw via the HTTP endpoint apply.cgi. Attackers can manipulate the system time parameter using POST requests, enabling arbitrary command execution. Additionally, the firmware is configured with default credentials that, if left unchanged, can escalate the vulnerability to allow unauthenticated remote OS command injection.

Data provided by VulnCheck indicates that approximately 15,000 internet-facing routers may be affected by this issue. Exploitation campaigns have been observed since at least November 2024, with attackers altering system parameters remotely. The attacks appear to originate from multiple IP addresses and utilize Mirai-like payloads to compromise the devices. VulnCheck notes that some payloads share similarities with those used to exploit a prior vulnerability (CVE-2019-12168), although the underlying components differ.

Security researchers have identified attack patterns involving two primary IP addresses, including 178.215.238.91, as sources of active exploitation campaigns. User-Agent strings from these attacks match earlier campaigns documented in November 2024, with new payload variations targeting the identified flaw. While the attacks remain low-scale, they demonstrate a high level of persistence.

Censys data corroborates VulnCheck’s findings, suggesting that the vulnerability has been exploited consistently since its initial observation. Despite this, an official from Bains, speaking to The Hacker News, emphasized that the attacks are not widespread and appear to involve a small number of attackers using spamming techniques at a low frequency.

Mitigation Recommendations

As of now, there is no confirmation regarding the availability of security patches for the affected firmware. VulnCheck disclosed the vulnerability to Four-Faith on December 20, 2024, and awaits a response. In the interim, researchers strongly advise users to take the following measures to mitigate potential risks:

  • Immediately change default credentials on affected devices.
  • Restrict network exposure by placing routers behind firewalls or VPNs.
  • Monitor device activity for unusual or unauthorized behavior.
  • Implement detection rules, such as the Suricata rule provided by VulnCheck, to identify suspicious HTTP POST requests indicative of the attack.

Impact and Implications

By exploiting this vulnerability, attackers can gain full control over affected devices, including executing reverse shell commands to maintain persistent access while concealing their identities. Such control poses a severe threat to organizations reliant on Four-Faith routers for critical operations.

The absence of immediate patches has prompted security researchers to highlight the importance of adopting proactive measures. Organizations are advised to strengthen their defenses against suspicious activity while awaiting updates from Four-Faith. VulnCheck, adhering to responsible disclosure policies, has withheld additional technical details and information about patches until a response from the manufacturer is received.

This incident underscores the critical need for robust firmware security practices, including eliminating default credentials and ensuring timely patch management, to protect against emerging threats in industrial environments.

Read more »
Online Store Security
Cyberattacks CyberCrime Cyberfrauds Cyberhackers Cybersecurity CyberThreat JavaScript malware Online Store Security

Cyberattack Compromises European Space Agency Online Store Security

 


A malware attack on the European Space Agency's official web shop revealed that the application was hacked by loading a JavaScript script that generated a fake Stripe payment page at checkout. With an annual budget of more than 10 billion euros, the European Space Agency (ESA) is dedicated to extending the boundaries of space activity through the training of astronauts and the development of rockets and satellites for exploring our universe's mysteries. 

Thousands of people were put at risk of wire fraud after the European Space Agency (ESA) website was compromised due to the recent exploitation of a credit card skimmer, which was found to be malicious on ESA's webshop. According to researchers from Sansec, the script creates a fake Stripe payment page when the customer is at checkout, which collects information from the customer. 

As a result of the fake payment page being served directly from ESA's web shop, which mimicked an authentic Stripe interface, it appeared authentic to unsuspecting users, who were unaware of the fraudulent payment process. According to Source Defense Research, screenshots of the malicious payment page were provided alongside the real one in the post, but this attack took advantage of domain spoofing with a different top-level domain to exploit domain spoofing, using a nearly identical domain name for the attack. 

The official shop of the European Space Agency is located under the domain "esaspaceshop.com," but the attackers used the domain "esaspaceshop.pics" to deceive visitors. Sansec, who flagged the incident, emphasized that the integration of the webshop with ESA's internal systems could significantly increase the risks for both employees and customers of the agency. 

An examination of the malicious script revealed that its HTML code was obscured, which facilitated detection as well as the theft of sensitive payment information, as it contained obfuscated HTML code derived from the legitimate Stripe SDK. The malicious code was created to create a convincing fake Stripe payment interface that looked legitimate because it was hosted by the official ESA web store domain. 

Although the fake payment page was removed, researchers discovered that the malicious script remained in the source code of the site. As of today, the ESA website has been taken offline, displaying a message indicating it has been taken out of orbit for an extended period. The agency clarified that this store is not hosted by its infrastructure, and they do not manage its associated data. 

As confirmed by whois lookup records indicating different ownership between the main domain of ESA (esa.int) and the compromised web store, it is not known exactly how many customers were affected by the breach, nor what financial impact it had. According to ESA's website, the company is well known for its role in astronaut training and satellite launches. However, it has not yet provided details as to how it intends to strengthen its online security measures after the incident occurred. 

A recent cyberattack on well-respected institutions shows just how vulnerable they can be to cyber attacks, especially when their e-commerce systems are integrated into a broader organization's network. According to cybersecurity experts, e-commerce platforms are urged to prioritize robust security protocols to prevent similar incidents from occurring in the future. This can erode customer trust and result in significant financial consequences. 

The past few months have seen an increase in cyberattacks targeting e-commerce platforms, with criminals using digital skimming methods to steal payment information. Earlier in August 2024, Malwarebytes reported that it had infiltrated Magento-based e-commerce platforms with skimmer code, exposing sensitive customer information, such as credit card numbers, by November 2024, as described by Malwarebytes. 

Sucuri discovered several PHP-based skimmers, such as Smilodon, harvesting payment data covertly. Although these skimmers were highly obfuscated, their detection was significantly hindered. Finland's Cybersecurity Centre reported in December 2024 that skimming attacks were on the rise, where malicious code embedded on payment pages was used to steal credit card information. Those developments highlight the crucial need for e-commerce platforms to implement robust security measures to ensure their customers' data is protected from unauthorized access. 

It is still unclear who was responsible for these attacks, but Magecart, one of the most infamous threat groups around, has been previously linked to similar activities, including installing credit card skimmers on prominent websites, which are typical of such attacks. During March 2023, Malwarebytes speculated that this group was involved in an extensive series of attacks targeting multiple online retailers, but this was not the first mention of the group. 

The majority of victims of credit card fraud that results from such breaches can receive refunds from their banks. Cybercriminals, however, use the stolen funds to finance malicious campaigns, including malware distribution. Likely, significant damage has already been done by the time the affected cards are locked and the funds are returned, even though the stolen funds can be used to finance fraudulent campaigns.
Read more »
Unfrastructure
Cyber Attacks CyberCrime Cybersecurity CyberThreat Interlock Ransomware attack Unfrastructure

Critical Infrastructure Faces Rising Ransomware Risks

 


In October 2024, Interlock claimed to have attacked several organizations, including Wayne County, Michigan, which is known for its cyberattacks. Ransomware is characterized by the fact that the encrypted data is encrypted by an encryptor specifically designed for the FreeBSD operating system, an operating system widely used in critical infrastructure. 

In late September 2024, a unique approach was used to launch the operation, which uses an encryptor specifically designed for FreeBSD. Interlock has already attacked several organizations, including Wayne County in Michigan, which was attacked in October 2024 by a cybercriminal organization called Interlock.

During the Interlock attack, the attacker breaches corporate networks, steals data from them, spreads to other devices laterally, and encrypts their files. In addition to using double-extortion tactics, they threaten to leak stolen data unless ransom demands of hundreds of thousands to millions of dollars are met. A particular feature of Interlock is its focus on FreeBSD encryptors, which makes it uniquely different from other ransomware groups that target Linux-based VMware ESXi servers. 

FreeBSD is a widely used operating system and a prime target of malicious hackers who want to disrupt critical infrastructure and extort victims for a large sum of money. This FreeBSD encryptor was developed specifically for FreeBSD 10.4, and it is a 64-bit ELF executable that is designed specifically for FreeBSD. 

Although the sample was tested on both Linux and FreeBSD virtual machines, the execution of the code was problematic since it failed to work in controlled environments. A ransomware attack is a sophisticated type of malware that seeks to seize control of data, effectively denying access to files and systems. 

In this malicious software, advanced encryption techniques are employed to render data inaccessible without a unique decryption key exclusive to the attackers. There is usually a ransom payment, usually in cryptocurrency, which victims are required to make to restore access and secure the attackers' privacy. Security experts Simo and MalwareHunterTeam, who analyzed ransomware samples, revealed the attack's initial details and the attackers' anonymity. 

As with most ransomware attacks, Interlock follows a typical pattern: the attackers breach corporate networks, steal sensitive information, copy the data and spread to other devices, encrypting files as they are copied. In addition to using double-extortion tactics, they also threaten to leak stolen data unless the victim pays a ransom of thousands to millions of dollars, depending on the size of the ransom. It is also the focus on FreeBSD that makes Interlock particularly unique, which illustrates why this operating system has a vital role to play in critical systems. 

A major characteristic of Interlock's ransomware is its direct targeting of FreeBSD servers, which are common in web hosting, mail servers, and storage systems. Unlike other ransomware groups that usually target Linux-based VMware ESXi servers, Interlock targets FreeBSD servers. Besides being integral to critical operations, these systems serve as lucrative targets for attackers. 

In spite of FreeBSD's popularity and essential services, its focus can also pose a challenge to cybersecurity professionals. In the initial testing phase of FreeBSD's encryptor, which was explicitly compiled for the FreeBSD 10.4 operating system, it did not prove easy to execute both the FreeBSD and Linux encryptors in controlled environments, since the encryptor is written as a 64-bit ELF executable. However, despite these hurdles, Trend Micro researchers discovered further samples of the encryption, confirming its functionality, strategic focus and capabilities. 

As a reminder of the vulnerabilities within critical infrastructure, Interlock has launched its attacks to increase awareness. The fact that it uses FreeBSD's own encryptor is a troubling development in ransomware tactics. This emphasizes the importance of strong security measures to safeguard against this increasing threat. To minimize the risk and impact of such cyberattacks, organizations should prioritize improving their security strategies.

It is recommended by Ilia Sotnikov, Security Strategist at Netwrix, that organizations use multi-layered security measures to prevent initial breaches, including firewalls and intrusion detection systems, as well as phishing defences. Interlock, a ransomware group that has been attacking organizations worldwide lately, has used an unusual approach of creating an encryptor to attack FreeBSD servers as a means of stealing data. 

Generally, FreeBSD is considered to be one of the most reliable operating systems available, so it is commonly used for critical functions. For example, the web host, mail server and storage systems are all potential targets for attackers, all of which can pose a lucrative threat. According to Sotnikov, depending on their configuration, a server may or may not be directly connected to the Internet, depending on their function. 

The security team should invest in defence-in-depth so that a potential attack is disrupted as early as possible so that every subsequent step for the attacker will be more difficult, and so that potentially harmful activity can be identified as fast as possible with the help of monitoring tools. Considering that the adversary is likely to access the FreeBSD server from inside the network, it might be a good idea to minimize standing privileges by implementing the zero trust principle, which means that a user should only have access to the permissions needed to achieve their tasks, sotnikov suggested.
Read more »
SVG attachments
cyber fraud prevention Cyber Security Cybersecurity email security Microsoft visio Phishing Attacks Ransomware threats SVG attachments

Cybercriminals Exploit Two-Step Phishing Tactics and SVG Attachments in Sophisticated Cyber Attacks

 

Layered defense strategies are a cornerstone of cybersecurity, but attackers are employing similar methods to launch sophisticated attacks. Two-step phishing (2SP) tactics are becoming increasingly prevalent, leveraging trusted platforms to deliver malicious content in layers and evade detection, according to researchers at Perception Point.

These researchers have identified a new wave of 2SP attacks weaponising Microsoft Visio (.vsdx) files. Peleg Cabra, product marketing manager at Perception Point, shared that Ariel Davidpur, a security researcher at the firm, uncovered an alarming trend: attackers are embedding malicious URLs within Visio files to bypass security systems.

Visio, widely used in workplaces for data visualization, plays into the attackers' strategy of exploiting familiarity. The files are being used in phishing emails containing urgent business-related requests. Once the recipient engages with these emails and accesses the Visio file, they encounter another embedded URL disguised as a clickable button, like “view document.”

Perception Point’s analysis highlights how attackers ask victims to hold the Ctrl key while clicking the URL, bypassing automated detection tools. This redirects users to a fake Microsoft 365 login page designed to steal credentials. Robust two-factor authentication is recommended to mitigate the risks of such attacks.

Additionally, a report by Lawrence Abrams from Bleeping Computer reveals another alarming technique: attackers are leveraging scalable vector graphics (SVG) files. These files, capable of displaying HTML and executing JavaScript, are being used to deliver phishing forms and malware. Security researcher MalwareHunterTeam demonstrated how SVG attachments could mimic an Excel spreadsheet with an embedded login form to harvest credentials.

To counter these threats, cybersecurity experts recommend treating SVG attachments with suspicion and implementing stringent email security measures.

International Fraud Awareness Week, held from November 17 to 23, 2024, aims to raise awareness of evolving cyber fraud. Muhammad Yahya Patel, lead security engineer at Check Point Software, warns that technological advancements empower both legitimate industries and cyber criminals.

Patel categorizes the major fraud types businesses should watch out for:
  • Cyber Fraud: Using phishing, malware, and ransomware to steal sensitive data.
  • Internal Fraud: Involving employee-driven actions like embezzlement and theft.
  • Invoice Fraud: Sending fake invoices to businesses for payment.
  • CEO Fraud: Impersonating executives to extract sensitive information.
  • Return Fraud: Exploiting return policies in retail for financial gain.
  • Payroll Fraud: Manipulating payroll systems to benefit employees fraudulently.
Ransomware has also evolved from untargeted attacks to highly strategic campaigns, employing reconnaissance and double-extortion tactics. As cyber threats grow more sophisticated, businesses must remain vigilant, adopt robust security practices, and foster awareness to combat evolving fraud.
Read more »
TraderTraitor
Bitcoin Cyber Attacks CyberCrime Cybersecurity CyberThreat DMM FBI Ginco lazarus TraderTraitor

Bitcoin Heist in Japan Attributed to North Korean Cybercriminals

 


A joint alert from the FBI, the Department of Defense (D.O.D.) Cyber Crime Center and the National Police Agency of Japan reveal that a North Korean threat group carried out a significant cryptocurrency theft from Japan's crypto firm DMM in May 2024. The group, referred to as TraderTraitor—also known as Jade Sleet, UNC4899, and Slow Pisces — is believed to be linked to the Lazarus Group, a notorious hacking collective with ties to Pyongyang authorities.

The Lazarus Group, infamous for high-profile cyberattacks, gained notoriety for hacking Sony Pictures in retaliation for the 2009 film The Interview, which mocked North Korean leader Kim Jong Un. Their recent activities, however, focus on cryptocurrency theft, leveraging advanced social engineering techniques and malicious code.

Social Engineering and the Ginco Incident

In late March 2024, a TraderTraitor operative posing as a recruiter contacted an employee of Ginco, a Japanese cryptocurrency wallet software company, via LinkedIn. Disguised as part of a pre-employment process, the operative sent a malicious Python script under the guise of a coding test. The employee unknowingly uploaded the script to their GitHub account, granting the attackers access to session cookie information and Ginco’s wallet management system.

The attackers intercepted legitimate transaction requests from DMM employees by maintaining this access. This led to the theft of over 4,500 bitcoins, valued at $308 million. The funds were traced to accounts managed by the TraderTraitor group, which utilized mixing and bridging services to obfuscate the stolen assets.

North Korea's Financial Strategy and Cryptocurrency Exploitation

With international sanctions severely restricting North Korea's access to global financial systems, the regime increasingly relies on cybercrime and cryptocurrency theft for revenue generation. Due to their decentralized and pseudonymous nature, cryptocurrency presents a lucrative target for laundering stolen funds and bypassing traditional banking systems.

Chainalysis Findings

Blockchain intelligence firm Chainalysis attributed the DMM Bitcoin hack to North Korean actors. The attackers exploited weaknesses in the platform's infrastructure to perform unauthorized withdrawals. The stolen cryptocurrency was routed through multiple intermediary addresses and processed via the Bitcoin CoinJoin mixing service to conceal its origins. Portions of the funds were further transferred through various bridge services before being channelled to HuiOne Guarantee, a website linked to the Cambodian conglomerate HuiOne Group, a known facilitator of cybercrime.

Additional Findings by AhnLab Security Intelligence Center

The AhnLab Security Intelligence Center (ASEC) has reported another North Korean threat actor, Andariel — part of the Lazarus Group — deploying a backdoor known as SmallTiger. This tool has been used in campaigns parallel to those executed by TraderTraitor, highlighting the group's continued evolution in cybercrime tactics.

The coordinated alert from international agencies underscores the urgent need for enhanced cybersecurity measures within the cryptocurrency industry to counter sophisticated threats like those posed by the Lazarus Group and its affiliates.


Read more »
Tech Industry
Cyberattacks CyberCriminal Cybersecurity CyberThreat Data Data Minimizations GDPR Privacy Tech Industry

Tech's Move Toward Simplified Data Handling

 


The ethos of the tech industry for a long time has always been that there is no shortage of data, and that is a good thing. Recent patents from IBM and Intel demonstrate that the concept of data minimization is becoming more and more prevalent, with an increase in efforts toward balancing the collection of information from users, their storage, and their use as effectively as possible. 

It is no secret that every online action, whether it is an individual's social media activity or the operation of a global corporation, generates data that can potentially be collected, shared, and analyzed. Big data and the recognition of data as a valuable resource have led to an increase in data storage. Although this proliferation of data has raised serious concerns about privacy, security, and regulatory compliance, it also raises serious security concerns. 

There is no doubt that the volume and speed of data flowing within an organization is constantly increasing and that this influx brings both opportunities and risks, because, while the abundance of data can be advantageous for business growth and decision-making, it also creates new vulnerabilities. 

There are several practices users should follow to minimize the risk of data loss and ensure an environment that is safer, and one of these practices is to closely monitor and manage the amount of digital data that users company retains and processes beyond its necessary lifespan. This is commonly referred to as data minimization. 

According to the principle of data minimization, it means limiting the amount of data collected and retained to what is necessary to accomplish a given task. This is a principle that is a cornerstone of privacy law and regulation, such as the EU General Data Protection Regulation (GDPR). In addition to reducing data breaches, data minimization also promotes good data governance and enhances consumer trust by minimizing risks. 

Several months ago IBM filed a patent application for a system that would enable the efficient deletion of data from dispersed storage environments. In this method, the data is stored across a variety of cloud sites, which makes managing outdated or unnecessary data extremely challenging, to achieve IBM's objective of enhancing data security, reducing operational costs, and optimizing the performance of cloud-based ecosystems, this technology has been introduced by IBM. 

By introducing the proposed system, Intel hopes to streamline the process of removing redundant data from a system, addressing critical concerns in managing modern data storage, while simultaneously, Intel has submitted a patent proposal for a system that aims to verify data erasure. Using this technology, programmable circuits, which are custom-built pieces of hardware that perform specific computational tasks, can be securely erased.

To ensure the integrity of the erasure process, the system utilizes a digital signature and a private key. This is a very important innovation in safeguarding data security in hardware applications, especially for training environments, where the secure handling of sensitive information is of great importance, such as artificial intelligence training. A growing emphasis is being placed on robust data management and security within the technology sector, reflected in both advancements. 

The importance of data minimization serves as a basis for the development of a more secure, ethical, and privacy-conscious digital ecosystem, as a result of which this practice stands at the core of responsible data management, offering several compelling benefits that include security, ethics, legal compliance, and cost-effectiveness. 

Among the major benefits of data minimization is that it helps reduce privacy risks by limiting the amount of data that is collected only to the extent that is strictly necessary or by immediately removing obsolete or redundant information that is no longer required. To reduce the potential impact of data breaches, protect customer privacy, and reduce reputational damage, organizations can reduce the exposure of sensitive data to the highest level, allowing them to effectively mitigate the potential impact of data breaches. 

Additionally, data minimization highlights the importance of ethical data usage. A company can build trust and credibility with its stakeholders by ensuring that individual privacy is protected and that transparent data-handling practices are adhered to. It is the commitment to integrity that enhances customers', partners', and regulators' confidence, reinforcing the organization's reputation as a responsible steward of data. 

Data minimization is an important proactive measure that an organization can take to minimize liability from the perspective of reducing liability. By keeping less data, an organization is less likely to be liable for breaches or privacy violations, which in turn minimizes the possibility of a regulatory penalty or legal action. A data retention policy that aligns with the principles of minimization is also more likely to ensure compliance with privacy laws and regulations. 

Additionally, organizations can save significant amounts of money by minimizing their data expenditures, because storing and processing large datasets requires a lot of infrastructure, resources, and maintenance efforts to maintain. It is possible to streamline an organization's operation, reduce overhead expenditures, and improve the efficiency of its data management systems by gathering and retaining only essential data. 

Responsible data practices emphasize the importance of data minimization, which provides many benefits that are beyond security, including ethical, legal, and financial benefits. Organizations looking to navigate the complexities of the digital age responsibly and sustainably are critical to adopting this approach. There are numerous benefits that businesses across industries can receive from data minimization, including improving operational efficiency, privacy, and compliance with regulatory requirements. 

Using data anonymization, organizations can create a data-democratizing environment by ensuring safe, secure, collaborative access to information without compromising individual privacy, for example. A retail organization may be able to use anonymized customer data to facilitate a variety of decision-making processes that facilitate agility and responsiveness to market demands by teams across departments, for example. 

Additionally, it simplifies business operations by ensuring that only relevant information is gathered and managed to simplify the management of business data. The use of this approach allows organizations to streamline their workflows, optimize their resource allocations, and increase the efficiency of functions such as customer service, order fulfillment, and analytics. 

Another important benefit of this approach is strengthening data privacy, which allows organizations to reduce the risk of data breaches and unauthorized access, safeguard sensitive customer data, and strengthen the trust that they have in their commitment to security by collecting only essential information. Last but not least, in the event of a data breach, it is significantly less impactful if only critical data is retained. 

By doing this, users' organization and its stakeholders are protected from extensive reputational and financial damage, as well as extensive financial loss. To achieve effective, ethical, and sustainable data management, data minimization has to be a cornerstone.
Read more »
Vulnerabilities and Exploits
Botnet Cyberattacks CyberCrime Cybersecurity CyberThreat Cyberthreats DDOS Attacks IoT Vulnerabilities and Exploits

Understanding and Preventing Botnet Attacks: A Comprehensive Guide

 


Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.

Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.

Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.

The Lifecycle of a Botnet

Botnets are created through a structured process that typically involves five key steps:

  1. Infection: Malware spreads through phishing emails, infected downloads, or exploiting software vulnerabilities.
  2. Connection: Compromised devices connect to a command-and-control (C&C) server, allowing the botmaster to issue instructions.
  3. Assignment: Bots are tasked with specific activities like sending spam or launching DDoS attacks.
  4. Execution: Bots operate collectively to maximize the impact of their tasks.
  5. Reporting: Bots send updates back to the C&C server about their activities and outcomes.

These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.

Signs of a Compromised Device

Recognizing a compromised device is crucial. Look out for the following warning signs:

  • Lagging or overheating when the device is not in use.
  • Unexpected spikes in internet usage.
  • Unfamiliar or abnormal software behavior.

If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.

How to Protect Against Botnet Attacks

Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:

Secure Your Home Network

  • Set strong, unique passwords and change default router settings after installation.
  • Enable WPA3 encryption and hide your network’s SSID.

Protect IoT Devices

  • Choose products from companies that offer regular security updates.
  • Disable unnecessary features like remote access and replace default passwords.

Account Security

  • Create strong passwords using a password manager to manage credentials securely.
  • Enable multi-factor authentication (MFA) for an added layer of security.

Stay Updated

  • Keep all software and firmware updated to patch vulnerabilities.
  • Enable automatic updates whenever possible.

Be Wary of Phishing

  • Verify communications directly with the source before providing sensitive information.
  • Avoid clicking on links or downloading attachments from untrusted sources.

Use Antivirus Software

  • Install reputable antivirus programs like Norton, McAfee, or free options like Avast.

Turn Off Devices When Not in Use

  • Disconnect smart devices like TVs, printers, and home assistants to minimize risks.

Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.

Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.

Read more »
Privacy
Camera Security Breach. Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Theft Privacy

Thousands of Users Exposed by Flawed Camera Streaming App

 


A Cybernews research team discovered a huge exposed data server on June 25th. The server contained 3GB of personal information and telemetry from iPhones equipped with an app known as "Home V." According to the log samples, the data is related to the Home V app, which is used to manage Virtavo security cameras. Elasticsearch, a data analytics and search engine, was exposed by an unsecured server that provided logs containing phone numbers, device identifiers, IP addresses, and firmware versions, among other details about the devices, the network, and the users. 

It has been suspected that these logs were diagnostic reports, which were updated in real-time and appear to have been used for performance monitoring or troubleshooting. As a result of the server's malfunction, more than 8.7 million records were left on the server. Several snapshots were duplicates and for some unique identifiers, there was an appearance of up to 50 snapshots at the same time. In a study, researchers estimated that over 100,000 unique users could be affected, while cybersecurity researchers were able to find an exposed data server that contained 3GB of personal information and was capable of receiving telemetry from iOS devices. 

During the summer of 2023, all the information in the world had one thing in common: it was generated by an app called Home V, which managed Virtavo security cameras. These cameras were capable of streaming videos, playing back videos, communicating with each other, receiving motion alerts, etc. However, indoor surveillance cameras are vulnerable to hacking techniques, which can pose significant security risks due to their vulnerability. Many wireless cameras are pre-configured with usernames such as "admin" and passwords which are easily guessable, such as "admin," "888888," or "123456", which is a common vulnerability. 

When cyber attackers try to gain unauthorized access to online cameras by scanning their cameras and attempting to use these standard login details, they exploit these weak credentials. This can be addressed by implementing a password manager, which will generate and store strong, unique passwords to prevent these attacks. Password security is a significant concern for many people, especially when transmitting unencrypted data. 

Even though users can update a camera's password, some devices still transmit this information unencrypted over the internet. Consequently, they may be able to be intercepted by attackers and then used to access the camera if they have the stolen information. It is also possible that the Wi-Fi password is transmitted unencrypted in some cases, further undermining your network's security. In particular, one of the most severe threats is the possibility of a full camera takeover, in which attackers gain access to the device at the root level. 

ith this level of access, attackers can fully control the camera. As a result of such an attack, the surveillance camera can be turned into a tool for further malicious activities if it is tampered with, its settings are altered, and it can even be installed with malware. To minimize these risks, users must make sure that they take steps to ensure that their security systems are protected by strong passwords, encrypting their data and staying abreast of potential vulnerabilities. 

The exposed logs contained a wide range of critical information regarding the user and the device, raising concerns about data security and privacy. Among other things, the information also contained information regarding the device and software, such as the version of the app, the device model (e.g., iPhone12,5, which corresponds to the iPhone 11 Pro Max), the operating system, the firmware version, as well as details regarding video decoding, including the use of video decoding software such as "VideoTool Box" to decode H.264 files. 

 As part of the project, information related to the user’s network was collected, including their country code (e.g., CN for China), their IP address which identified the server's physical location, their connection type, such as “cellular,” and information about the network operator and settings. It was also revealed that the data contained unique user identifiers, such as user accounts linked to phone numbers or email addresses, as well as unique user identifiers (User IDs and UUIDs), and numeric device identifiers, which were all part of the exposed data. 

It is also possible to measure performance metrics, such as how fast the video frame is decoded at the beginning of the video stream, which reflects video playback speed, as well as how strong the WiFi signal is, even if the connection type is cellular. The log entries were also accompanied by timestamps which indicated when they were created, server codes that could identify servers that handled the requests (e.g., "sh" might indicate Shanghai for example), and the time zone offset of the device or server. 

As a result of the comprehensive nature of this data, it becomes increasingly evident that users are exposed to a large amount of sensitive information, and robust security measures are essential to protect it. In general, various data protection laws require businesses to limit data collection through data minimization and purpose limitation – in other words, they must collect only the amount of data necessary to achieve a specific objective. 

Additionally, organizations are required to obtain express consent from individuals and to provide transparency on how the data is utilized, otherwise, the exposure of user information could result in non-compliance and legal penalties. It appears the application collects a considerable amount of information beyond what is actually required to perform the application's basic functions, raising questions about whether data minimization is following data protection laws," the researchers wrote in their report.
Read more »
Cybersecurity
Crypto Hacks cryptocurrency Cryptocurrency Breach Cyber Fraud CyberCrime Cyberhackers Cybersecurity

Global Crypto Hacks Escalate to $2.2 Billion in 2024

 


Chainalysis, a blockchain analytics company that provides data analysis on the blockchain ecosystem, has reported that the volume of compromised crypto funds and the number of hacking incidents are set to rise in 2024. The report states that the total amount of stolen crypto funds rose by approximately 21.07% year-over-year (YoY), reaching $2.2 billion over the period. It also reports that the number of individual cyber-attacks increased from 282 in 2023 to 303 incidents in 2024, an increase of 34 per cent. 

During its report this year, Chainalysis noted that hackers also increasingly target centralized services such as cryptocurrency exchanges. In addition to Bitcoin's 140% increase in value this year surpassing $100,000, the rise in crypto heists also coincides with the institutional support of U.S. President-elect Donald Trump. There have been 303 hacking incidents so far in 2023, compared to 282 in 2023 and 1.8 billion dollars, but that’s only about Rs. 15,302 crores, which means hackers stole 1.8 billion dollars (roughly Rs. 15,302 crores) in 2023, according to the report. 

There has been an increase in crypto heists as the value of Bitcoin reached $100,000 (roughly Rs. 85 lakh) this year, and it has drawn institutional support and backing from US President-elect Donald Trump, who has become one of the biggest supporters of the digital currency. It is noted that DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, but centralized services were more likely to be hacked during the second and third quarters. 

According to Chainalysis' report, several notable hacks of centralized services occurred, such as the hack of DMM Bitcoin in May 2024, which cost $305 million, and WazirX in July 2024, which cost $234.9 million. The WazirX hack in July of this year resulted in huge losses for the Indian cryptocurrency exchange, which has responded by stopping users from withdrawing their remaining cryptocurrency and is currently requesting a reorganization in Singapore. 

In addition, the Chainalysis report noted that North Korean hackers continue to try to steal cryptocurrency, particularly to avoid sanctions, as well as that the North Korean hackers are continuing to conduct cyber-attacks. As the industry faces an increasingly challenging environment in the new year, the industry has a lot of work to do to fight the proliferation of such crimes, especially fraud, that will undoubtedly pose a key challenge. 

Several reports concluded that the majority of the stolen crypto this year resulted from compromised private keys that control access to users' assets. A majority of the attacks targeted centralized platforms. There were several notable hacks during the past year. The most significant ones were the theft of $305 million from Japan's DMM Bitcoin in May, and the loss of $235 million from India's WazirX in July. According to Chainalysis, North Korea-related crypto hacking increased by more than double from a year ago to 1.3 billion dollars in 2024, which is a record.
Read more »
ransomware prevention
Cyber Security Cyber Threats Cybersecurity cybersecurity tips extortion scams fake hacking Phishing Scams ransomware prevention

Understanding the Threat of Fake Hacking: How to Stay Protected

  •  

In the dynamic and high-stakes field of cybersecurity, the word “hacking” often evokes thoughts of complex cyberattacks and data breaches. However, a lesser-known but equally concerning issue is the emergence of “fake hacking,” where individuals or groups falsely claim to have infiltrated computer systems.

Fake hacking occurs when attackers pretend to breach a network or device without actually doing so. While these actions may not always cause long-term technical damage, they can lead to serious consequences such as extortion and reputational harm. “Fake hacking is particularly insidious because it leverages people’s fear and uncertainty about cybersecurity,” explains William Petherbridge, Manager of Systems Engineering at the cybersecurity firm Fortinet. “Attackers are essentially tricking victims into believing their systems have been compromised in order to extract money or other concessions.”

A common tool used in fake hacking is the “hacker typer,” a website that mimics the look of a system being hacked, displaying lines of code scrolling rapidly across the screen. Other deceptive tactics include emails falsely claiming ransomware infections or pop-ups warning of non-existent malware.

“The goal of the fake hacker is to create a sense of panic and urgency in order to pressure the victim into paying a ‘ransom’ or purchasing some kind of ‘protection’ service,” says Petherbridge. “And unfortunately, if the target isn’t vigilant, they can fall for these tricks quite easily.”

To differentiate between legitimate and fake hacking threats, Petherbridge highlights key warning signs:
  • Money Demands: Requests for relatively small amounts of money, often in cryptocurrency, are a strong indication of fake hacking.
  • Unchanged Systems: Genuine breaches usually involve noticeable changes, such as altered files, new accounts, or unusual network activity. If everything appears normal, the hack is likely fabricated.
  • Disorganized Communication: Fake hackers often lack the sophistication of genuine attackers, with poorly structured emails, inconsistent demands, and an absence of technical details.
To combat fake hacking, Petherbridge advises verifying any claims before taking action and consulting cybersecurity professionals, including former hackers, who can identify fabricated threats. Employee training to recognize these red flags is also crucial.

“The most important step is to never panic or rush into a decision when faced with a purported hacking incident,” Petherbridge emphasizes. “Take the time to carefully assess the situation, double-check the facts, and respond accordingly. Falling for a fake hack can be just as damaging as a real one.”

The rise of fake hacking highlights the complexity and evolving nature of cybersecurity. While these attacks lack the technical sophistication of genuine breaches, they can cause significant harm through financial loss, reputational damage, and eroded trust.

By recognizing the signs of fake hacking and implementing strong security protocols, individuals and organizations can safeguard themselves from these deceptive threats. Vigilance, education, and a calm, calculated response remain the best defenses.
Read more »
Technology
Cyberattacks CyberCrime Cyberhackers Cybersecurity Google Google Docs Microsoft Word Proton Docs Technology

Proton Docs vs Google Docs in the Productivity Space

 


For those who are concerned about privacy, Proton has announced an end-to-end encrypted document editor intended to be a viable alternative to Microsoft Word and Google Docs. This application, released on Wednesday by the Swiss software vendor best known for its encrypted email app, provides office workers with many document creation features they might use in their daily work.

Swiss-based and privacy-conscious Proton is now focusing on cloud-based document editing as it has built up its email, VPN, cloud storage, password manager, and cloud storage offerings. Proton Docs, a newly launched service that offers an array of features and privacy protections, might be just what users need to make it work for them.

With regards to its user interface and user experience, Proton Docs draws inspiration from Google Docs while also introducing its distinctive twists. In addition to its clean, minimalist design, Proton Docs has a central focus on the document, and users can find familiar functions with icons at the top representing the common formatting options (such as bold, italics, headings, and lists).

However, the top of the screen does not have a dedicated menu bar, and all options can be found in the default toolbar. Proton Docs keeps a very similar layout to Google Docs and, therefore, if someone is transitioning from Google Docs to Proton Docs, they should not have any problems getting started with their drafts right away. The work that was done by Proton was excellent.

A lot of the basic features of Proton Docs are similar to those of Google Docs, and the first thing users will notice is that the application looks very much like Google Docs: white pages with a formatting toolbar up top, and a cursor at the top that displays who is in the document as well as a cursor to clear the document at the top. The fact is that this isn’t particularly surprising for a couple of reasons.

First of all, Google Docs is extremely popular, and the options for styling a document editor are not that many. In other words, Proton Docs has been created in large part to offer all the benefits of Google Docs, just without Google. Docs are launching inside Proton Drive today, and as part of the privacy-focused suite of work tools offered by Proton, it will be the latest addition.

It has become clear that Proton has expanded its offering from email to include a calendar, a file storage system, a password manager, and more since it began as an email client. Adding Docs to the company's ecosystem seems like a wise move since it aims to compete against Microsoft Office and Google Workspace, and it was coming soon after Proton acquired Standard Notes in April.

According to Proton PR manager Will Moore, Notes would not disappear — Docs is borrowing some of its features instead. Proton Docs is a full-featured, end-to-end encrypted word processor with the ability to store files and even its users' keys (keystrokes and cursor movements) end-to-end encrypted, so that no one, including Proton staff, will be able to access any of the users' files (not even the users). This makes it much more difficult for hackers and data breaches to access the files, thereby making them more secure. There has been a lack of improvement in this area in Proton Docs.

However, even though it is part of the growing portfolio of the company, it does not fully integrate with its existing platform. There is no ability to access calendars and contacts from the sidebar like Google Docs, and it does not have the same functionality as Google Pages. Additionally, there is no easy way for users to import existing documents, files, or media from a Proton Drive account directly into the application.

In contrast, Google Docs provides the convenience of typing an "@" followed by the name of a file from users' Google Drive account and inserting the document from there as soon as they click the hyperlink. A feature such as this is particularly useful when a document needs to include multiple files in addition to the document itself. A second advantage of Proton Docs is the use of Swiss cloud servers, which provide storage of users' data on Proton Docs' servers in Switzerland.

It is thanks to the strict Swiss laws that protect the information stored on these servers that they cannot be accessed by regulatory authorities in regions like the European Union and the United States. A new feature known as Proton Docs is scheduled to be rolled out to Proton Drive customers starting today, with the ability to access the feature expected to be available to everyone within the next few days, as per Proton.

Powered by the Proton Drive platform, Proton Drive operates on a freemium model with individual subscriptions to the platform costing as little as €10 per month (approximately $10.80 when billed annually). The monthly subscription fee for Proton for Business is €7 per user per month and can be purchased in any amount.

Read more »
SEV
Advantech vulnerabilities Cyber Privacy Cyber Technology Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Breach Data protection nAMD System SEV

AMD Systems Vulnerability Could Threaten Encrypted Data Protection

 


There has been an announcement of a new technique for bypassing key security protections used in AMD chips to gain access to the clients of those services. Researchers believe that hackers will be able to spy on clients through physical access to cloud computing environments. Known as the "badRAM" security flaw, it has been described as a $10 hack that undermines the trust that the cloud has in it. 

This vulnerability was announced on Tuesday. Like other branded vulnerabilities, this vulnerability is being disclosed on a website with a logo and will be explained in a paper to be presented at next May's IEEE Symposium on Security and Privacy 2025. 

There is an increasing use of encryption in today's computers to protect sensitive data in their DRAM, especially in shared cloud environments with multiple data breaches and insider threats, which are commonplace. The Secure Encrypted Virtualization (SEV) technology of AMD enables users to protect privacy and trust in cloud computing by encrypting the memory of virtual machines (VMs) and isolating them from advanced attackers, including those who compromise critical infrastructure like the virtual machine manager and firmware, which is a cutting-edge technology. 

According to researchers, AMD's Secure Encrypted Virtualization (SEV) program, which protects processor memory from prying eyes in virtual machine (VM) environments, is capable of being tricked into letting someone access the contents of its encrypted memory using a test rig which costs less than $10 and does not require additional hardware. It is important to note that AMD is among the first companies to leverage the capabilities of chipset architecture to improve processor performance, efficiency, and flexibility. 

It has been instrumental in extending and building upon Moore's Law performance gains and extending them further. As a result of the firm's research, performance gains under Moore's Law have been extended and built upon, and the company announced in 2018 that the first processor would have a chipset-based x86 CPU design that was available. Researchers at the University of Lübeck, KU Leven, and the University of Birmingham have proposed a conceptually easy and cheap attack called “BadRAM”. 

It consists of a rogue memory module used to trick the CPU into believing that it has more memory than it does. Using this rogue memory module, you get it to write its supposedly secret memory contents into a "ghost" space that is supposed to contain the hidden memory contents. In order to accomplish this task, researchers used a test rig anyone could afford to buy, composed of a Raspberry Pi Pico, which costs a couple of dollars, and a DIMM socket for DDR4/5 RAM modules. 

The first thing they did was manipulate the serial presence detection (SPD) chip within the memory module so that it would misreport the amount of memory onboard when the device was booted up – the “BadRAM” attack. Using reverse engineering techniques to locate these memory aliases, they had access to memory contents by bypassing the system's trusted execution environment (TEE), as this created two physical addresses referencing the same DRAM location. 

According to the CVE description, the issue results from improper input validation of DIM SPD metadata, which could potentially allow an attacker with certain access levels to overwrite guest memory, as the issue is described as a result of improper input validation. It has been deemed a medium severity threat on the CVSS, receiving a 5.3 rating owing to the high level of access that a potential attacker would need to engage to successfully exploit the problem. 

According to AMD, the issue may be a memory implementation issue rather than a product vulnerability, and the barriers to committing the attack are a lot higher than they would be if it were a software product vulnerability. AMD was informed of the vulnerability by the researchers in February, which has been dubbed CVE-2024-21944, as well as relates specifically to the company’s third and fourth-generation EPYC enterprise processors. According to AMD’s advisory, the recommendation is to use memory modules that lock SPD and to follow physical security best practices. 

A firmware update has also been issued, although each OEM's BIOS is different, according to AMD. As the company has stated on several occasions, it will make mitigations more prominent in the system; there is specific information on the condition of a Host OS/Hypervisor, and there is also information available on the condition of a Virtual Machine (Guest) to indicate that mitigation has been applied.

The AMD company has provided an in-depth explanation of the types of access an attacker would need to exploit this issue in a statement given to ITPro, advising clients to follow some mitigation strategies to prevent the problem from becoming a problem. The badRAM website states that this kind of tampering may occur in several ways — either through corrupt or hostile employees at cloud providers or by law enforcement officers with physical access to the computer. 

In addition, the badRAM bug may also be exploited remotely, although the AMD memory modules are not included in this process. All manufacturers, however, that fail to lock the SPD chip in their memory modules, will be at risk of being able to modify their modules after boot as a result of operating system software, and thus by remote hackers who can control them remotely. 

According to Recorded Future News, Oswald has said that there has been no evidence of this vulnerability being exploited in the wild. However, the team discovered that Intel chips already had mitigations against badRAM attacks. They could not test Arm's modules because they were unavailable commercially. An international consortium of experts led by researchers from KU Leuven in Belgium; the University of Luebeck in Germany; and the University of Birmingham in the United Kingdom conducted the research.
Read more »
WInnti Hackers
Chinese Cyber Threat Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat Glutton PHP Backdoors WInnti Hackers

Rising Tactics of Winnti Hackers Include Deploying Glutton PHP Backdoors

 


In the past few months, researchers at a Chinese cybersecurity firm have been responsible for the discovery of an advanced PHP backdoor that supports Winnti, a group linked to Chinese cybercrime that is launching increasingly sophisticated attacks. Research has been conducted into the use of a PHP-based backdoor called Glutton, which has been used by cyber criminals to target China, Japan, the Republic of Korea, Cambodia, Pakistan, and South Africa through cyber attacks. 

As early as late April 2024, the Chinese nation-state group set up by Winnti (aka APT41), which has roots in North Korea, discovered malicious activity in a network from the Chinese nation-state group Chongqing Henchmen. The company also disclosed that its investigation revealed that Glutton's creators deliberately targeted systems within the cybercrime market with their tools to create malware. They poisoned operations intending to turn cybercriminals' tools against them, similar to the classic scenario from the movie.

The Winnti hacking group, sometimes referred to as APT41 is a notorious state-sponsored group known for conducting cyber espionage and financial fraud campaigns on behalf of the Chinese government. When the group appeared on the scene in 2012, it focused mostly on organizations involved in gaming, pharmaceuticals, and telecommunications, though it also attacked political organizations and government agencies. A modular backdoor made up of ELF modules, Glotto provides flexibility to craft tailored attacks to meet the attacker's specific needs. Several key components make up this malware: task_loader, which assesses the environment; init_task, which installs the backdoor; client_loader, which obfuscates the application; and client_task, which manages PHP backdoor operations and communicates with the command-and-control (C2) server. 

Through fileless execution, the malware runs entirely within PHP or PHP-FPM processes and injects malicious code into PHP files within popular frameworks such as ThinkPHP, Yii, Laravel, and Dedecms, thereby achieving stealth. Glutton maintains persistence in the system by modifying system files including those in the init[.]d network section and those in the Baota panel, allowing it to steal credentials and maintain a foothold on the system. 

By using a modular approach to code, Glutton can function without leaving traditional digital footprints behind, because all code execution is carried out within PHP, and there is a feature called PHP-FPM (FastCGI) that is used to optimize PHP process handling on web servers, which ensures that no files are left behind and that the backdoor remains undetected until it is discovered.  There are several PHP frameworks that Glutton can exploit to extract data or inject malicious code into widely used PHP frameworks, including Baota, ThinkPHP, Yii, and Laravel, when deployed with Glutton. 

It was in December 2023, when researchers traced the unusual activity to an IP address that was distributing a backdoor which targeted Unix-like operating systems, also commonly known as ELF-based malware, that researchers first discovered that Glutton was a backdoor. Further research revealed that the ELF-based malware also contained a malicious PHP file. Researchers uncovered a network of malicious PHP payloads connected to a network of malicious PHP payloads, revealing a complex attack infrastructure.

Researchers have indicated that the malware has a connection with Winnti’s historical activities, but they point out that there are several shortcomings when it comes to stealth and execution, which are uncharacteristically underwhelming for an APT group. Even though Winnti's behaviour normally does not include plaintext PHP samples and simplistic C2 communication protocols, the researchers believe that Winnti is the one responsible for the malware with some degree of confidence. The researchers also pointed out that Winnti "deliberately targeted systems within the cybercrime market" to spread the malware to as many targets as possible.

According to XLab researchers, Winnti "deliberately targeted systems within the cybercrime market" to help spread its virus as far as possible, but that was not the case.  Recent research has consistently shown that threat actors piggyback on each other’s infrastructure to exploit their vulnerabilities. In a report published by Microsoft, it was found that Turla, an APT group linked to the Russian government, has been running its operations using infrastructure previously set up by other APT groups or cybercriminals. 

In addition to being a fully functional backdoor, the PHP backdoor is also able to execute 22 unique commands, including switching C2 connections to UDP from TCP, launching a shell, downloading and uploading files, performing file and directory operations, and running arbitrary PHP code. Additionally, this framework provides the ability to periodically poll the C2 server for more PHP payloads, allowing for the retrieval and execution of more PHP payloads. According to XLab, these payloads are highly modular, capable of being executed independently by the payload module or sequentially by the task_loader module, providing a comprehensive framework to execute attacks, independently. 

There is no file payload left behind, ensuring no files or data are left behind after code execution, which ensures a completely stealthy footprint since all the code is executed within PHP or PHP-FPM (FastCGI) processes. In addition to this, HackBrowserData is also being used by cybercrime operators to steal sensitive information to inform future phishing or social engineering campaigns in the future. This tool can be used on any system used by a cybercriminal to steal sensitive information.
Read more »
Privacy
Android App Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat Google iOS Malicious Network Privacy

Google Warns Users About Privacy Risks Posed by Certain Android Apps

 


It has recently been reported by a leading media outlet that more than 11 million Android devices have been infected with malicious software known as the Necro Trojan, which has crept into phones and tablets through unofficially modified applications, games, and game modifications. Google is making an effort to narrow the gap between Android 15 and iPhone on the front of security and privacy. 

The new Android OS brings several welcome changes that will protect its users, their devices, and their data better over time. These include live threat detection that can identify malware and abuse of permissions as soon as they are detected, mobile network defence, and tighter controls over what apps are performing behind the scenes. There is still a lot of room on Android for permission abuse since it relates to that shadowy area between apps that behave properly and outright spyware—of which there are still a lot of examples available.

There is no doubt that Apple led the charge in limiting location tracking, and use of sensitive phone functionality like a camera, messaging, and contacts, as well as restricting access to location data. Google has released Android 15 on millions of Pixel devices, and it is now available for download. Although this update emphasizes security and privacy over anything else, two of its most important and headline-grabbing features were left out of the new upgrade. 

Two things are coming shortly, but the first one is not coming until the end of the year, and the second one is imminent. Google's new mobile network security, which prevents users from having their identities tracked and intercepted via the network, is maybe the most significant long-term security feature that is missing. It has been leaked that Android 15 will include an improved Privacy Dashboard as a part of the updates brought by the new version. 

9to5Google reports that, in the next few weeks after Android 16 Developer Preview 1 was released last month, Google will release a 7-day history for the privacy dashboard in Android 15, the first time that a 7-day history has been added. This is expected to be released via the Google Play system update in November 2024." It has been announced in the past month that Google will soon launch a 7-day history for the Privacy dashboard in Android 16, following the introduction of Android 16 Developer Preview 1 last month. There is a new system update to Google Play in November 2024 that will bring this update to the public. 

When the app is installed, go to the Settings app > Privacy & Security > Privacy dashboard to access the privacy information. There is now an option "Show 7 days" in the overflow menu located in the upper-right corner of the screen, joining the existing "Show system" option at the top.  Throughout the following tables, users will notice that the stats will change from "Past 24 hours" to "Past 7 days" as a longer timeframe for the usage of Location, Camera, and Microphone gets introduced.  This is the most sensitive spyware function on users' phones, and they need to pay special attention to how it is being used. 

The best advice for users would be to stop stopping permissions from being granted in the first place and not monitor afterwards, but rather to stop granting them in the first place. Even though an app might have no dangerous permissions, it can still pose a risk. There is no such thing as a safe number of permissions for an app, according to Cybernews researchers. By just installing the app on a device, the app has access to many more permissions that are considered harmless and non-dangerous. 

The apps used in these scenarios can still perform tasks such as starting up, staying in the background, accessing confidential information, etc. Taking this into consideration, it is critical to regularly remove unnecessary apps, revoke excessive permissions that infringe on privacy, and consider visiting the same services through the web browser rather than using the device's app store. This is a new Android Remote Access Trojan (RAT), and it combines both the classic VNC and overlay capabilities, as well as features often associated with spyware, to produce a powerful and sophisticated Android Trojan. 

There are keyloggers embedded in this program, as well as monitoring routines that provide the ability to capture user data and intercept user interactions, which makes it a powerful tool for spying on users and stealing credentials. Accessibility Services is also a permission that is never granted to any app without its requirement. Accessibility Services are also a system tool, which malware is capable of abusing to take control of devices and their key system functions if given regardless of their necessity. 

Additionally, a new feature that detects scam calls is being rolled out starting with Pixel devices. Specifically, it's available to U.S. phones by Google users with the Pixel 6 or newer device in English. This new update might be making some Samsung Galaxy owners jealous as they watch on with a sense of envy. As the headlines speculate on when the Android 15 beta will debut, the speculation continues again this week, with no sign of an imminent stable release until next year, and the release of Samsung's Galaxy S25 smartphone series only a year away. 

A certain degree of risk is inherent in every mobile application, which makes it imperative for the user to maintain a high level of precaution when it comes to ensuring the security of their data and privacy. Security experts insist that it is crucial to carefully review app permissions before granting them access to users' devices. Users should always disable location services whenever possible—concerned, however, that some applications may not be able to operate properly without them should turn off geotagging for photographs when not required. 

There can be many sensitive information contained in location and geotagging information. It is likely that marketers, and potentially malign actors, will analyze this information to develop a comprehensive profile of each individual's movements and habits based on the information they gathered. To protect the phone's privacy, users must not underestimate the implications of such access. There is expert advice that users should revoke permissions for apps that appear too restrictive on the app's functionality for their utility. 

The best course of action is to uninstall an application if it is unable to customize permissions and poses privacy concerns to users without having the ability to customize them. Research on highly secure messaging applications designed for both iPhone and Android platforms could benefit those looking to enhance the level of security in their communication. As the world of communication becomes increasingly interconnected, these apps cater to users' needs in terms of privacy and data encryption.
Read more »
Pumakit Rootkit
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Linux LKM malware PT Pumakit Rootkit

Pumakit Rootkit Challenges Linux Security Systems

 


According to the researchers from the Elastic Security Lab, a new rootkit called PUMAKIT can perform various advanced evasion mechanisms. When Elastic Security researchers discovered PUMAKIT while routinely hunting for threats on VirusTotal, they described it as PUMAKIT. Many stages are involved in deploying this multi-stage malware, including a dropper, two memory-resident executables, an LKM rootkit module, and a shared object rootkit, all of which are used in the userland. 

To manipulate core system behaviours, the rootkit component can hook into 18 different syscalls and several kernel functions using an internal Linux function tracer (ftrace), which enables it to control the behaviour of core system components. The rootkit is an advanced persistent threat (APT) that tends to target critical organizations with specific programs designed to establish persistence within compromised systems.

The rootkit is often used by APT groups in their attempts to target critical organizations with specific programs. As a result of the discovery of this Linux rootkit malware called Pumakit, it can evade detection and compromise systems through advanced stealth and privilege escalation techniques. Several components make up this sophisticated malware, including a dropper, a memory-resident executable, kernel module rootkits, and userland rootkits. 

The Pumakit malware family was discovered by Elastic Security in a suspicious binary 'cron' uploaded to VirusTotal on September 4, 2024. The details surrounding its identity and target remain vague. There are a variety of rootkits like this that are commonly used by advanced threat actors to undermine critical infrastructure, steal money, disrupt operations, and infiltrate enterprise systems to conduct espionage. As a sophisticated piece of malware, PUMAKIT was discovered via routine threat detection on VirusTotal as part of routine threat hunting. 

Its binary contains strings embedded by the developer that can be easily identified and accessed by developers. There is an internal structure to the malware that is based on a multi-stage architecture, which comprises a dropper component named "cron", two memory-resident executables called TGT and WPN, an LKM rootkit called Pumba and a shared object rootkit called Kitsune that is bundled in with the malware. This payload allows for loading the LKM rootkit ('puma.ko') into the kernel as well as the userland rootkit ('Kitsune SO') to intercept system calls via the userland.  

A kernel function, such as "prepare_creds" and "commit_creds," can also be used to alter core system behaviour and achieve its objectives. It includes the use of the internal Linux function tracer (trace) to hook into as many as 18 different system calls and various kernel functions, such as "prepare_creds." and "commit_creds." In addition, Elastic noted that every step of the infection chain is designed to conceal the malware's presence, leveraging memory-resident files, and doing specific checks before unleashing the rootkit, which will make it difficult for the user to detect it before it is launched. 

As of right now, the company has not linked PUMAKIT to any known threat actor or group and believes that the software most likely originated from unknown sources. As you may know, PUMAKIT is a sophisticated and stealthy threat, which utilizes advanced techniques like syscall hooks, memory-resident execution, and unique methods for escalating privileges. According to the researchers, it is a multi-architectural malware that demonstrates the increasing sophistication of malware aimed at Linux. For IForthe LKM rootkit to be able to manipulate the behaviour of a system, it must use the syscall table, as well as kallsyms_lookup_name() to find symbol names. 

Rootkits targeting kernel versions 5.7 and above tend to use probes, which means they are designed for older kernels which makes them more difficult to detect than modern rootkits. There has been a debate within the kernel development team about the unsporting of the kallsyms_lookup_name() code to prevent unauthorized or malicious modules from misusing it. As part of this tactic, modules are often added with fake MODULE_LICENSE("GPL") declarations that circumvent license checks, thereby allowing them to access non-exported kernel functions, which is not permitted under the GPL.

A Linux rootkit known as PUMAKIT, or Pumakkit for short, has been discovered that underscores the sophistication with which Linux systems are being targeted by targeted threats. This malware is one of the most dangerous adversaries because it can evade detection and execute advanced attacks. In any case, proactive measures can reduce the harm caused by these threats by recommending regular updates and by increasing monitoring capabilities, among other measures. 

To defend against attacks like PUMAKIT being carried out by hackers like Kumak, it is crucial to remain informed and vigilant in the face of evolving cybersecurity threats. Users must take every precaution to ensure that their Linux systems are protected from this and other advanced malware threats.
Read more »
Subscribe to: Posts (Atom)