Posts labelled Cyberthreats

Wi-Fi Exploit Enables Russian Hackers to Breach US Business

A sophisticated cyberattack was carried out by a Russian state-sponsored group, believed to be APT28 (Fancy Bear), which remotely exploited a large U.S. enterprise's Wi-Fi network. The breach was first detected by cybersecurity firm Volexity on February 4, 2022; the target was a Washington, DC-based organization working on projects related to Ukraine.

The hackers, reportedly linked to Russia's GRU military intelligence, gained access to the wireless network by way of a password-spraying attack on another service, which yielded the credentials needed to connect. The group, known as APT28, used a novel technique dubbed the 'nearest neighbour attack' to penetrate the company's enterprise WiFi network and spy on employees' activity.

Although the hackers were thousands of miles away, they compromised an organization nearby, within WiFi range of the target, and used it as a pivot to reach their destination. Volexity detected the attacks on February 4, 2022, while monitoring the hackers, whom it codenamed 'GruesomeLarch'; the activity had been under way for many weeks beforehand.

APT28, which is associated with the General Staff's Main Intelligence Directorate (GRU) and is part of the Russian military's unit 26165, has been conducting cyber operations since at least 2004. Using a hijacked device in a neighbouring building across the street, the Russian state-sponsored hackers were able to log into a Wi-Fi network in the United States without ever leaving their own country.

Volexity documented this rare hacking technique, which it calls the "Nearest Neighbor Attack." The company discovered the incident in January 2022, when an unnamed customer, referred to as Organization A, was hacked. The attackers, whom Volexity tracks as GruesomeLarch, first obtained credentials for the target's enterprise WiFi network through a password-spraying attack against the victim's public-facing services.

However, one-time password (OTP) protection meant that those credentials could not be used to access the public web-based services. Connecting to the enterprise's WiFi network did not require MFA, but being "thousands of miles away from the victim and behind an ocean" posed a significant obstacle. The attackers therefore got creative and began looking at buildings nearby that could serve as pivots to the target wireless network.

APT28 compromised multiple organizations in the course of this attack, daisy-chaining its connection through them using legitimate credentials. It eventually found a device within range that could connect to three wireless access points near the windows of the victim's conference room, and used it to retrieve data.

An unprivileged account used over a remote desktop (RDP) connection allowed the threat actor to move laterally across the target network, searching for systems of interest and exfiltrating sensitive information from them. The hackers dumped three Windows registry hives: SAM, Security, and System. These hives were compressed into a ZIP archive and exfiltrated using a script named 'servtask.bat'.

To collect data while minimizing their footprint, the attackers relied mostly on native Windows tools. Volexity's analysis also determined that GruesomeLarch was targeting Organization A in order to collect data from individuals and projects active in Ukraine, and from people with expertise in those projects. Volexity initially could not confirm an association with any known threat actor, but a subsequent Microsoft report listed indicators of compromise (IoCs) matching what Volexity had observed, pointing to the Russian threat group.

Microsoft's report indicates that APT28 most likely escalated privileges before launching critical payloads on the victim's network by exploiting CVE-2022-38028, a zero-day vulnerability in the Windows Print Spooler service.

With the nearest neighbour technique, APT28 demonstrated that close-access operations, which are usually carried out physically close to the target, can be executed from a distance, eliminating the risk of being identified or captured. While internet-facing devices have benefited from stronger security over the past year, thanks to multi-factor authentication and other added protections, corporate WiFi networks have largely remained unprotected over the same period.
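
The hive-dump step above (SAM, Security and System saved to disk before being zipped and exfiltrated) is one of the few noisy moments in an otherwise native-tools intrusion, so it is a natural detection point. The following is an added example, not code from Volexity or Microsoft: it scans process-creation records for whole-hive saves via reg.exe and escalates any host where all three credential hives were taken. The pipe-delimited log format, host names and user names are constructed for the example.

```python
"""Detect SAM/SECURITY/SYSTEM hive dumps in process-creation logs.

Added example for this page, not Volexity's or Microsoft's code. The log
format, host names and user names are constructed; only the hive names and
the dump-then-archive behaviour come from the post.
"""
import re
from dataclasses import dataclass

# The three hives the post says were dumped. Offline credential extraction
# needs all three together, so a host where all three are saved is the
# strongest signal and should be triaged first.
CREDENTIAL_HIVES = {"SAM", "SECURITY", "SYSTEM"}

# Whole-hive saves/exports via reg.exe, e.g. `reg save HKLM\SAM C:\tmp\sam.hiv`.
# The lookahead stops sub-key exports such as HKLM\SYSTEM\... from matching.
REG_HIVE_RE = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\'
    r'(SAM|SECURITY|SYSTEM)(?=["\s]|$)',
    re.IGNORECASE,
)

# Constructed process-creation records: timestamp|host|user|image|command line
SAMPLE_LOG = r"""2022-02-04T03:12:07Z|WS-017|CORP\jdoe|C:\Windows\System32\reg.exe|reg save HKLM\SAM C:\Windows\Temp\sam.hiv
2022-02-04T03:12:09Z|WS-017|CORP\jdoe|C:\Windows\System32\reg.exe|reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv
2022-02-04T03:12:11Z|WS-017|CORP\jdoe|C:\Windows\System32\reg.exe|reg save "HKLM\SYSTEM" C:\Windows\Temp\sys.hiv
2022-02-04T03:20:00Z|WS-022|CORP\backup|C:\Windows\System32\reg.exe|reg export HKLM\SOFTWARE\Backup C:\bak\app.reg
2022-02-04T03:25:42Z|WS-031|CORP\asmith|C:\Windows\System32\reg.exe|reg save HKLM\SYSTEM\CurrentControlSet\Services C:\Users\Public\svc.hiv
2022-02-04T03:31:15Z|WS-031|CORP\asmith|C:\Windows\System32\reg.exe|reg save HKLM\SYSTEM C:\Users\Public\s.hiv"""


@dataclass(frozen=True)
class HiveDump:
    timestamp: str
    host: str
    user: str
    hive: str
    command_line: str


def parse_record(line: str) -> dict:
    """Split one constructed pipe-delimited process-creation record."""
    timestamp, host, user, image, command_line = line.split("|", 4)
    return {"timestamp": timestamp, "host": host, "user": user,
            "image": image, "command_line": command_line}


def detect_hive_dumps(lines):
    """Return one HiveDump per record that saves a credential hive in full."""
    dumps = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        match = REG_HIVE_RE.search(rec["command_line"])
        if match:
            dumps.append(HiveDump(rec["timestamp"], rec["host"], rec["user"],
                                  match.group(1).upper(), rec["command_line"]))
    return dumps


def hosts_with_full_credential_dump(dumps):
    """Hosts where SAM, SECURITY and SYSTEM were all saved: escalate these first."""
    hives_by_host = {}
    for dump in dumps:
        hives_by_host.setdefault(dump.host, set()).add(dump.hive)
    return {host for host, hives in hives_by_host.items()
            if hives >= CREDENTIAL_HIVES}


if __name__ == "__main__":
    found = detect_hive_dumps(SAMPLE_LOG.splitlines())
    for dump in found:
        print(f"{dump.timestamp} {dump.host} {dump.user}: {dump.hive} hive saved"
              f" -> {dump.command_line}")
    print("full credential dump on:", sorted(hosts_with_full_credential_dump(found)))
```

In production the same logic would run over Sysmon event ID 1 or Windows 4688 command lines rather than the constructed format; the regex and the per-host correlation do not change.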

Improving GPS Technology with Insights from Android Phones

Navigation apps that drift off course may be suffering the effects of the ionosphere, a region of the Earth's atmosphere 50-200 miles overhead. This layer contains varying levels of free electrons which, under certain conditions, become highly concentrated and slow down GPS signals travelling between satellites and devices.

That delay, much like being held up on a crowded city street on the way to work, is a major contributor to navigation system errors. As reported in Nature this week, a team of Google researchers demonstrated that GPS signal measurements collected from millions of anonymous Android mobile devices could be used to map the ionosphere.

A single mobile device's signal cannot tell researchers much about the ionosphere on its own, but that limitation shrinks when there are many other devices to compare against. Using the vast network of Android phones, the researchers were able to map the ionosphere with a precision that matches or exceeds the accuracy of monitoring stations. In areas such as India and Central Africa, the Android technique was far more accurate than listening stations alone.

The ionospheric "traffic" is measured as total electron content (TEC), a count of the electrons in the ionosphere. Satellites and ground stations are normally used to measure it. These detection tools are effective, but they are relatively expensive and difficult to build and maintain, so they are less common in developing regions of the world.

Unequal access to monitoring stations leads to disparities in the accuracy of global ionospheric maps. To address this, Google's researchers chose to use something more than half of the world's population already possesses: mobile phones. In an interview with Popular Science, Google researcher Brian Williams discussed how changes in the ionosphere had been hindering GPS capabilities during his work on Android products.

Short-term changes in the ionosphere can undermine GPS capabilities. Beyond contributing to scientific advances, Williams sees the project as an opportunity to improve accuracy and provide a more useful service to mobile device users. "Rather than considering ionosphere interference with GPS positioning as an obstacle, the right thing to do is to flip the idea and imagine that the GPS receiver is an instrument to measure the ionosphere, not an obstacle," Williams commented.

"The ionosphere can be seen in a completely different light by combining the measurements made by millions of phones, compared to what would otherwise be possible." Thousands of Android phones now form what is known as a "distributed sensor network." GPS receivers are integrated into most smartphones to measure radio signals beamed from satellites orbiting approximately 1,200 miles above us in medium Earth orbit (MEO).

A receiver determines your location by calculating its distance from each satellite, with an accuracy of approximately 15 feet. The ionosphere acts as a barrier that disturbs these signals on their way to the Earth. Many factors contribute to GPS measurement error, including the season, the time of day, and distance from the equator, all of which affect the quality of the measurement.

Most phone receivers have a built-in correction model that can reduce the estimated error by around half. Google's researchers wanted to see whether measurements taken directly from the receivers built into Android smartphones could be combined to replicate the ionosphere mapping done by more advanced monitoring stations.

There is no doubt that, pound for pound, monitoring stations have a clear advantage over mobile phones. The first difference is that monitoring stations have much larger antennas. They also sit under clear open skies, whereas phones are often obscured by urban buildings or the pockets of the user's jeans.

In addition, every phone has its own measurement bias, which can be off by several microseconds depending on the device. Even so, the sheer number of phones makes up for what each lacks individually. Beyond these immediate benefits, the Android ionosphere maps also offer less immediate ones. According to the researchers, analysis of Android receiver measurements revealed a signal of electromagnetic activity that matched a pair of powerful solar storms earlier this year.

According to the researchers, one storm occurred over North America between May 10 and 11, 2024. At peak activity, smartphone measurements of the ionosphere in that area showed a clear spike followed by a rapid depletion. The study notes that while monitoring stations also detected the storm, phone-based measurements in regions lacking such stations could provide critical insight into solar storms and geomagnetic activity that might otherwise go unnoticed. This additional data gives scientists a valuable opportunity to better understand these atmospheric phenomena and to improve preparation and response for potentially hazardous events.

According to Williams, the ionosphere maps generated using phone-based measurements reveal dynamics in certain locations with a level of detail previously unattainable. This advanced perspective could significantly aid scientific efforts to understand the impact of geomagnetic storms on the ionosphere. By integrating data from mobile devices, researchers can bridge gaps left by traditional monitoring methods, offering a more comprehensive understanding of the ionosphere’s behaviour. This approach not only paves the way for advancements in atmospheric science but also strengthens humanity’s ability to anticipate and mitigate the effects of geomagnetic disturbances, fostering greater resilience against these natural occurrences.

CISA Issues Alert on Ongoing Exploitation of Palo Alto Networks Bugs

The Cybersecurity and Infrastructure Security Agency, a nonprofit organization that monitors and analyzes threats to the nation's infrastructure, reported on Thursday that Palo Alto Networks' firewall management software is being actively exploited in the wild. These attacks follow last week's attacks exploiting flaws in similar software. Attackers can exploit an unauthenticated command injection vulnerability (CVE-2024-9463) and a SQL injection vulnerability (CVE-2024-9465) to gain access to unpatched systems running the company's Expedition migration tool.

Expedition allows users to migrate configurations from Checkpoint, Cisco, and other supported vendors to new systems. CVE-2024-9463 allows attackers to run arbitrary commands as root on a PAN-OS firewall system, revealing usernames, cleartext passwords, device configurations, and device API keys. The second vulnerability can be exploited to gain access to Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and to create or read arbitrary files on vulnerable systems.

CVE-2024-9474 is also significant, as it could lend itself to a chained attack scenario with a potentially severe security breach as the result. Palo Alto Networks has publicly acknowledged the CVE but has not yet provided detailed technical information on the vulnerability's mechanics, which leaves room for speculation about its root cause.

A Palo Alto Networks (PAN) spokesperson confirmed that patches are available for these vulnerabilities, and stated that the company is "monitoring a limited set of exploit activities" and is working with external researchers, business partners, and customers to share information in a timely fashion. CISA added CVE-2024-5910 to the KEV catalog on Nov. 7, although the software vendor had originally disclosed the bug back in July.

The vulnerability stems from missing authentication in the firewall deployment and management software: an attacker with network access can take over an administrator account without authenticating. It carries a CVSS score of 9.3 and is also tracked by Palo Alto Networks as PAN-SA-2024-0015. "Palo Alto Networks has continuously monitored and worked with customers to identify and minimize the very few PAN-OS devices that have management web interfaces that are exposed to the Internet or other untrusted networks," the company stated in a separate report describing indicators of compromise for attacks targeting the vulnerability.

Although the company says these zero-days affect only a "very small number" of firewalls, threat monitoring platform Shadowserver reported on Friday that it sees more than 8,700 PAN-OS management interfaces exposed to the outside. A Palo Alto Networks security advisory from early October states: "Several vulnerabilities have been identified in Palo Alto Networks Expedition that allow unauthorized access to the Expedition database and the arbitrary files on the system, as well as the ability to write arbitrary files to temporary storage locations."

The advisory also states that the firewall, Panorama, Prisma Access, and Cloud NGFW products are not affected by these vulnerabilities. With the two vulnerabilities now in CISA's Known Exploited Vulnerabilities Catalog, binding operational directive BOD 22-01 compels federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5.

Earlier this week, CISA warned about yet another Expedition security hole, one that allows threat actors to reset application administrator credentials. That flaw (CVE-2024-5910) was patched in July and has been actively exploited in attacks. In a proof-of-concept exploit released last month, Horizon3.ai researcher Zach Hanley demonstrated that CVE-2024-5910 can be chained with a command injection vulnerability (CVE-2024-9464), patched in October, to execute arbitrary commands on Expedition servers that are exposed to the Internet.

CVE-2024-9464 is linked to other Expedition security vulnerabilities that were also addressed last month and that could allow attackers to take over firewall admin accounts and unpatched PAN-OS firewalls. A hotfix is available; those concerned about exploitation should upgrade their Expedition tool to version 1.2.96 or higher.

Palo Alto Networks recommends that users who cannot install the Expedition patch immediately restrict network access to Expedition to approved hosts and networks. It is worth noting that when a vulnerability is added to KEV, it signals not only that the flaw is being exploited in attacks, but also that federal agencies face a deadline to either patch it or stop using the flawed product entirely.

That deadline is usually 21 days from the date the bug is added to the catalog. The recent KEV addition, CVE-2024-5910, is described as a missing-authentication bug exploitable by crooks who already have access to the network. It affects Palo Alto Networks Expedition, a tool designed to simplify and automate the complexity of using Palo Alto Networks' next-generation firewalls by optimizing the security policies that apply to them. Besides making it easier to migrate legacy firewall configurations to Palo Alto Networks' security platforms, it helps users minimize errors and manual effort.

The Palo Alto Networks (PAN) management interface has also recently been redesigned to provide a more secure experience for users. A report of an unverified remote code execution vulnerability via the PAN-OS management interface prompted the company to release an information bulletin. Those wanting to harden network devices are urged to review PCA's recommendations for hardening network devices and its instructions for obtaining scan results for an organization's internet-facing management interfaces.
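
The post makes two operational points: Expedition builds below 1.2.96 are exposed, and a KEV listing starts a 21-day clock under BOD 22-01. The following is an added example, not CISA's or Palo Alto Networks' code, that turns both into a check an asset owner can run: it walks a constructed inventory, skips the products the advisory says are unaffected, flags Expedition hosts still below the fix version, and computes each CVE's due date from its catalog date. The KEV records are constructed in the shape of the KEV JSON feed's fields; the Nov. 7 date and the December 5 deadline come from the post, and the 2024-11-14 catalog date is derived from that deadline.

```python
"""Flag Expedition hosts exposed to KEV-listed CVEs and compute the BOD 22-01 deadline.

Added example for this page, not CISA's or Palo Alto Networks' code. The
inventory and the KEV records are constructed (modelled on fields of CISA's
KEV JSON feed); the CVE ids, the 1.2.96 fix version and the 21-day window
are taken from the post, and the two 2024-11-14 dates are derived from its
December 5 deadline.
"""
from datetime import date, timedelta

BOD_22_01_WINDOW_DAYS = 21        # remediation deadline counted from dateAdded
EXPEDITION_FIXED = (1, 2, 96)     # first Expedition version the post calls safe

# Constructed KEV-style records (subset of the feed's fields).
KEV_ENTRIES = [
    {"cveID": "CVE-2024-5910", "vendorProject": "Palo Alto Networks",
     "product": "Expedition", "dateAdded": "2024-11-07"},
    {"cveID": "CVE-2024-9463", "vendorProject": "Palo Alto Networks",
     "product": "Expedition", "dateAdded": "2024-11-14"},
    {"cveID": "CVE-2024-9465", "vendorProject": "Palo Alto Networks",
     "product": "Expedition", "dateAdded": "2024-11-14"},
]

# Constructed asset inventory. A PAN-OS firewall is included because the
# advisory says firewall products are not affected, so the check must skip it.
INVENTORY = [
    {"host": "exp-migrate-01", "product": "Expedition", "version": "1.2.91"},
    {"host": "exp-migrate-02", "product": "Expedition", "version": "1.2.96"},
    {"host": "edge-fw-01", "product": "PAN-OS", "version": "11.1.4"},
]


def parse_version(text):
    """'1.2.96' -> (1, 2, 96) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def remediation_due(date_added):
    """BOD 22-01 due date: 21 days after the CVE entered the catalog."""
    return date.fromisoformat(date_added) + timedelta(days=BOD_22_01_WINDOW_DAYS)


def exposed_assets(inventory, kev_entries, today):
    """One finding per (vulnerable Expedition host, KEV CVE) pair.

    `today` is an ISO date string; 'overdue' is True once the deadline has passed.
    """
    today_d = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        if asset["product"] != "Expedition":
            continue                 # firewalls, Panorama etc. are out of scope
        if parse_version(asset["version"]) >= EXPEDITION_FIXED:
            continue                 # already on 1.2.96 or higher
        for entry in kev_entries:
            if entry["product"] != "Expedition":
                continue
            due = remediation_due(entry["dateAdded"])
            findings.append({
                "host": asset["host"],
                "version": asset["version"],
                "cve": entry["cveID"],
                "due": due.isoformat(),
                "overdue": today_d > due,
            })
    return findings


if __name__ == "__main__":
    for finding in exposed_assets(INVENTORY, KEV_ENTRIES, "2024-12-01"):
        state = "OVERDUE" if finding["overdue"] else "due"
        print(f'{finding["host"]} ({finding["version"]}): '
              f'{finding["cve"]} {state} {finding["due"]}')
```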

Cyberattack Impacts Georgia Hospital, Colorado Pathology Services

Ransomware, business email compromise, and other cyber threats are affecting a growing number of hospitals, from small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, to large providers with many beds. In his opening keynote address at the HIMSS Healthcare Cybersecurity Forum last week in Washington, D.C., Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, said there are now an average of two data breaches every day within the American health care system.

Cyber threat actors often target people who work in hospitals and health systems, exploiting basic weaknesses in their systems. As one illustration, Kaiser Permanente, one of the country's largest health systems, said it had sent a notice on Sunday to people in Southern California whose personal health data had been compromised through unauthorized access to two employee email accounts.

Attackers can also be skilled at exploiting a victim's weaknesses, combining sophisticated social engineering with phishing attacks that rely on bots. In a cyber exploit discovered earlier this month, Summit Pathology, an independent pathology service provider based in Colorado, had patient data belonging to more than 1.8 million people exfiltrated from its systems.

In its report, Kaiser Permanente said that an unauthorised third party gained access to two employees' email accounts and was able to view patients' health information. Across the U.S., ransomware, business email compromise, and other cyber threats are disrupting care for millions of people, from small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, to the largest providers.

Citing a recent study by the Health Sector Coordinating Council Cybersecurity Working Group, Greg Garcia, executive director of the ASHC Cybersecurity Working Group, said in his opening address at the HIMSS Healthcare Cybersecurity Forum, held in Washington, DC, last week, that the United States averages two data breaches per day. Cybercriminals often target hospital and health system staff to exploit weaknesses in their systems. On Friday, a health system in Southern California posted a notice informing its members of a security issue involving health information that was discovered on September 3.

According to the notice on the company's website, two of its employees' email accounts had been accessed by an unauthorized party. "Immediately following the discovery of this incident, Kaiser Permanente terminated the unauthorized access and immediately began investigating to determine the scope of the access," Kaiser Permanente stated. "It was found that some protected health information about some patients was included in the email's contents after we validated them."

According to the health system, Social Security numbers and financial information were not involved, but protected health information such as first and last names, dates of birth, medical record numbers, and medical information could potentially have been accessed and/or viewed by third parties. Kaiser Permanente said it contacted affected individuals directly. Separately, on October 18, Summit Pathology of Loveland, Colorado, reported to the Department of HHS that the data of 1,813,538 people had been compromised in a hacking incident.

As outlined in the pathology services company's notice on its website, the impacted systems contained names, addresses, medical billing and insurance information, certain medical information such as diagnoses, demographic information such as dates of birth, Social Security numbers, and financial information. On or around April 18, Summit noticed suspicious activity on its computer network and took the necessary steps to secure it, including engaging third parties to assist in the investigation.

Summit has reported that it successfully identified the files that unauthorized individuals may have accessed or acquired during the ransomware attack. In response, Summit conducted a thorough review of its internal policies and procedures and then implemented additional administrative and technical safeguards to strengthen security and mitigate the risk of future attacks.

On October 31, the Murphy Law Firm, based in Oklahoma City, stated its involvement in the case. The firm announced that it is pursuing a class action lawsuit and actively investigating claims related to the breach. According to Murphy Law Firm, Summit’s forensic investigation revealed that cybercriminals were able to infiltrate the organization's inadequately secured network, leading to unauthorized access to sensitive data files. The law firm is now seeking to hold Summit accountable for the potential data security lapses that may have enabled the breach.

Cambodia-Based Cybercriminals Exploit Digital Arrest Scam on Indian Victims

According to a report by India Today, human traffickers are luring Indian citizens to Cambodia with job offers and then coercing them into committing thousands of dollars' worth of online financial fraud and cyber crimes. India is seeing a growing number of digital arrest frauds, and the Home Ministry's Cyber Wing has identified Singapore as one hotbed of these scams, alongside Cambodia, Myanmar, Vietnam, Laos, and Thailand.

India Today's investigation of the digital arrest fraudsters' IPDRs (Internet Protocol Detail Records) revealed that they are located in Cambodia, Myanmar, and Vietnam. Money collected from the scams is withdrawn from ATMs in Dubai and Vietnam and spent there. Cybercriminals sitting in Cambodia, Myanmar, and Vietnam order Indian SIM cards for their agents located within those countries.

The investigation revealed that approximately 45,000 SIM cards have been sent to Cambodia and Myanmar. It took Indian agencies a few days to deactivate the SIM cards. According to government data, Indians lost approximately Rs 120.3 crore to 'digital arrest' fraud schemes during the first quarter of 2024.

Prime Minister Narendra Modi highlighted this fraud, along with other scams being dealt with, during his monthly radio address 'Mann Ki Baat' on Sunday (October 27). Between January 1 and April 30 this year, the National Cybercrime Reporting Portal registered 0.74 million complaints, a pace that exceeds the 1.5 million complaints logged in all of 2023.

The Indian Express reported that 0.96 million complaints were filed in 2022, a significant increase over the 0.45 million filed in 2021 and a sign of continued growth. In May, Rajesh Kumar, Chief Executive of the Indian Cybercrime Coordination Center (I4C), detailed the losses caused by cybercrime during this period. He stated that Indian citizens have lost Rs 120.3 crore to digital arrest scams, Rs 1,420.48 crore to trading scams, Rs 222.58 crore to investment scams, and Rs 13.23 crore to romance scams over the last four years.

The scam usually begins with fraudsters notifying potential victims that a package addressed to them contains allegedly illegal items. Victims may also be contacted by video call by individuals impersonating law enforcement officials, who demand payment to resolve the matter. Once the victim answers, they are made to stay visually connected, in what fraudsters call a 'digital arrest', until they comply with all the demands made of them.

According to the I4C's analysis of data for January to April 2024, nearly 46 percent of cyber frauds reported in India likely originate from Myanmar, Laos, and Cambodia, amounting to an estimated Rs 1,776 crore across all types of fraud reported. Akshat Khetan, founder of AU Corporate Advisory & Legal Services, recently said of digital arrest frauds: "These scams use fear tactics to intimidate individuals into compliance. Typically, they will pose as representatives from law enforcement or other government agencies to intimidate citizens into complying with their demands.

The first step to protecting yourself against these deceptive practices is to make sure you have a thorough understanding of your basic legal rights: in the first place, no legitimate authority may demand immediate payments or personal information while threatening your safety. The right to verify the identity of any official and to request properly documented information is a basic right, not merely a formality."

When victims answer an unsolicited call, they are told that a package sent in their name contains illegal goods, drugs, fake passports, or a combination of these. Alternatively, scammers may call the victims' friends and family and tell them that the victim is involved in a crime under investigation. Having monitored the victim's voicemail, the scammers then target them through a video call, wearing uniforms and pretending to be police officers, before demanding money to close the case.

Indian authorities have uncovered extensive cybercriminal operations based in Cambodia, Myanmar, and Vietnam, where scammers are exploiting Indian SIM cards for large-scale digital fraud. With over ₹2,140 crore siphoned off in the past ten months, scammers primarily operate from call centers in Chinese-owned casinos in Cambodia, deploying tactics like “digital arrest fraud” to manipulate victims. In response, Indian agencies are enhancing international collaboration and public awareness efforts to counter these sophisticated cross-border scams and safeguard citizens against evolving cyber threats.

Windows Recall Release Pushed Back, Microsoft Sets December Date

Once again, Microsoft has delayed the rollout of its controversial Recall feature for Copilot Plus PCs, which had been planned for December. It had been planned that the software giant would begin testing Recall with Windows Insiders in October, which would take screenshots of most of what users see on a Copilot Plus PC once it is turned on. 

It has now been confirmed that Microsoft needs more time to develop the new feature. In the summer, Microsoft’s Copilot+ AI PC initiative had yet to be released, but one of its most recent features was Recall, which would log months’ worth of users' PC usage and would attempt to help them keep track of things and find them again if users forgot about them. Nevertheless, if users are familiar with Recall, likely learned about it because of the problems that emerged during preview builds of Windows before it was released. 

All of the data on the PC was stored in plaintext, so other users (or malicious software) could easily get to the database and take screenshots, which could potentially expose a lot of sensitive data, such as the name and contact information of the user. As originally anticipated, Recall would have launched in conjunction with the release of the Copilot+ PC, which can take advantage of the AI-driven feature built into Recall. 

Afterwards, it was postponed because of security concerns. As it turns out, the feature was first supposed to debut in September, then in October, and now in December. Security experts had raised some concerns about how the feature, which is intended to capture and store data, is capturing and storing data, and the company previously clarified that it would be a purely opt-in feature. The researcher who developed this tool demonstrated that malware can be used against the Recall platform to steal information about users, such as passwords and banking information. 

There has been some recent news from Microsoft that it has added some security features to recall so that it won't screenshot any passwords, personal information, banking information, or any medical pages when users look at them. Users will also be required to authenticate their identity via biometrics via Windows Hello when they attempt to access a feature that requires biometric authentication. A new feature that Microsoft added to Recall is quickly deleting all screenshots with one click. Users can also add website addresses to a list that users do not want Recall to look at or store any screenshots they found. 

Activity in a browser's private mode, such as Chrome's Incognito Mode, will also not be screenshotted. Microsoft had to delay the release of Recall multiple times while it reworked Recall's security, made it an opt-in experience, and allowed owners of Copilot Plus PCs to remove the software completely. Over the past couple of months, Microsoft has concentrated on ensuring that the Recall database is fully encrypted and that access can only be gained by authenticating through Windows Hello.

On Copilot Plus PCs, Recall uses local AI models built into Windows 11 to take screenshots of most things users do or see on their computer, and then lets them search and retrieve those things. With this explorable timeline, users can scroll through the snapshots on their PC to take a closer look at what they did on a certain day. It was announced earlier this week that Recall would not be a mandatory feature on Copilot Plus PCs; it will instead be opt-in and can be removed completely at any time.

There was some confusion after several YouTube videos claimed that Recall could be installed on any PC running Windows 11, version 24H2; the videos were later deleted. The classic elements of fear, uncertainty, and doubt have permeated discussions across the tech community, primarily because of recent references to Windows Recall in version 24H2. Microsoft's removal of the Recall feature earlier in the summer seems to have inadvertently introduced some inconsistencies in how the feature appears and operates within Windows 11.

These issues have raised concerns among users and developers, as the unexpected appearance of Recall references has led to questions about the stability and control of this feature within the latest version. As Microsoft continues refining and enhancing the Recall feature, prioritizing security and user control, the company aims to reassure users that privacy concerns will be carefully addressed. This extended development period reflects Microsoft’s commitment to establishing Recall as a secure, user-friendly, and reliable addition to the Windows ecosystem, particularly on Copilot Plus PCs. 

By ensuring that Recall remains an entirely opt-in experience with robust encryption and privacy safeguards, Microsoft seeks to mitigate the challenges and uncertainties raised within the community. With the December release now set as the anticipated launch, users and industry experts alike will be closely watching for further improvements and successful integration of this innovative tool into the broader Windows experience.

Meta Infostealer Malware Network Taken Down by Authorities

 


In the course of Operation Magnus, the FBI partnered with international law enforcement agencies to seize the servers, software, and source code of the RedLine and Meta infostealers as part of an investigation into the two cybercrime operations. RedLine's developer has been charged by US authorities with a series of crimes, including tax evasion and money laundering.

Evidence suggests that the stealers stole millions of unique credentials from victims across the globe in the past year. Several international agencies were involved in the October operation, including the US Department of Justice (DoJ), the Intelligence Bureau, the Dutch National Police, the Belgian Federal Police, the Belgian Federal Prosecutor's Office, the UK National Crime Agency, the Australian Federal Police, the Portuguese Federal Police, and Eurojust.

According to authorities, the operation disrupted the cybercriminal group behind the stealers, and the operation's website describes RedLine and Meta as "pretty much the same" malware. Both RedLine and Meta were capable of stealing personal information from infected devices, including saved usernames and passwords and automatically saved form data such as addresses, email addresses, phone numbers, cryptocurrency wallets, and cookies.

Once the infostealers harvested personal information, the operators sold it to other criminals through criminal marketplaces. The criminals who purchased the data used it to steal money and cryptocurrency and to carry out follow-on hacking activity. According to the Dutch National Police, the RedLine and Meta malware operations were targeted as part of Operation Magnus, which serves as a warning to cybercriminals that their data is now in the hands of law enforcement. The disruption of the RedLine and Meta operations was announced on a dedicated Operation Magnus website, which also reported that legal action is being taken against the hacker organizations using the seized data.

According to a brief announcement posted on the Operation Magnus site, on October 28th, 2024, the Dutch National Police, in coordination with the FBI and other members of the international law enforcement task force Operation Magnus, disrupted the operations of the RedLine and Meta infostealers. Infostealers are a very common form of malware used to steal sensitive data from victims' computers, such as usernames and passwords, financial information, system information, and even cookies and cryptocurrency accounts.

The stolen information, known as "logs" in cybercrime circles, is sold on cybercrime forums and used for further fraud and other attacks. RedLine has been used to conduct intrusions into a number of major corporations. Cybercriminals have also discovered that RedLine and META can help them bypass multi-factor authentication (MFA) by stealing authentication cookies and other session data. Both RedLine and META are sold under a decentralized Malware-as-a-Service ("MaaS") model, in which affiliates purchase licenses for the malware and then launch their own campaigns to spread it to their intended targets.

The malware is distributed through malvertising, e-mail phishing, fraudulent software downloads, and malicious software sideloading. Law enforcement agencies have successfully dismantled operations associated with RedLine and META, two widespread malware variants involved in stealing sensitive information on a global scale. Deceptive schemes, such as fake COVID-19 updates and fraudulent Windows updates, were used to lure victims into downloading these malicious programs. Both RedLine and META have been advertised across cybercrime forums and Telegram channels, with sellers offering ongoing customer support and software updates.

The malware has infected millions of computers worldwide, and RedLine is considered one of the most prevalent malware types in circulation. Through a detailed investigation, authorities have gathered extensive logs containing data stolen from infected devices, identifying millions of unique credentials, including usernames, passwords, email addresses, bank accounts, cryptocurrency addresses, and credit card numbers. However, investigators believe there may be additional stolen data yet to be uncovered. 

A warrant issued in the Western District of Texas has authorized law enforcement to seize two domains used by RedLine and META for command and control purposes. The U.S. Department of Justice unsealed this warrant, marking a significant step in disrupting the malware’s infrastructure. According to Recorded Future’s Identity Intelligence metrics, RedLine has enabled the theft of nearly a billion credentials since its inception. A joint report from Specops and KrakenLabs further estimates that RedLine facilitated the theft of over 170 million passwords in just six months. 

These stolen credentials are frequently sold to other cybercriminals, who exploit them to infiltrate corporate networks as part of larger cyberattack operations. The misuse of compromised credentials has contributed to several high-profile breaches, including the Snowflake data theft attacks and the Change Healthcare ransomware attack, which severely impacted the U.S. healthcare system. The investigation is ongoing as authorities work to recover stolen data and prevent further damage caused by this malware.

When and Why to Consider a Data Removal Service

 


With the risk of data misuse and breaches increasing daily, individuals are seeking reliable ways to secure their online privacy in 2024. A growing number of privacy solutions are available online, including services that remove users' data from the internet, and these are generating a great deal of interest.

These services help individuals identify and remove personal information from the internet that could lead to identity theft and other unpleasant outcomes, in some cases targeting data brokers, people-search websites, and other repositories where potentially sensitive information is readily accessible.

There is, however, a need to evaluate the effectiveness, reliability, and value of these services, however appealing they may seem. Anyone considering whether to invest in them should understand the scope of their capabilities and their limitations.

Individuals need to judge the reality behind the promises made by data removal services before deciding whether such services are a worthwhile route to greater privacy control or whether alternative methods might be more effective. Given the importance of digital privacy and the increasing risks it faces, understanding the nuances of online data removal services is vital for making informed choices about how to protect personal information effectively.

A vast amount of information about any individual is readily available on the internet today, and the amount has increased dramatically over the past few years as advertisers attempt to target users with ads and content based on the information they can gather about them. Advances in technology such as artificial intelligence have compounded the situation by making it easier for cybercriminals to gather data and commit online scams across the world.

While online privacy concerns continue to grow, data removal services offer a glimmer of hope that privacy can be preserved. They are third-party services that help individuals locate the online platforms and databases where their private data can be found, get that data removed, and so curtail their digital footprints.

Data removal services are specialized professional services that locate and remove personal information from an array of online platforms and databases promptly. From the start, these services were developed with a strong focus on privacy protection, working to ensure that sensitive data, such as credit card numbers, driver's licenses, or other forms of personal information, was not easily accessible to unauthorized parties, whether strangers, corporations, or criminals.

Data removal services essentially function as a crew of "digital cleaners" for data security and privacy problems. The experts at these services have a deep understanding of data-sharing pathways and online repositories, which allows them to track down where personal information is stored across the internet and to assist clients in either eradicating it or restricting access to it as needed.

Personal information is commonly removed from a variety of sources, including social media platforms, online directories, websites, and data brokers.

Here is a brief overview of the purpose and benefits of data removal services:

A data removal service aims to ensure enhanced privacy protection, making sure that no unauthorized parties can access or misuse personal information.

These services are an integral part of the defence against identity theft, fraud, and data breaches. A growing number of companies offer services that help businesses and individuals protect their sensitive information by targeting data held in public records, databases, and marketing platforms. In doing so, they provide security layers that limit who has access to sensitive information and help secure it.

As people move into an increasingly hyper-connected world, digital footprints accumulate rapidly, and much of the information left behind is obsolete or irrelevant. To reduce this digital footprint, data removal services remove unnecessary or outdated information as part of their operations. By minimizing a person's online presence, these services make it harder for third parties to track their online activities, giving them greater control over their privacy online.

Data removal also lowers the risk of falling victim to fraudulent schemes and receiving excessive marketing solicitations. Because personal information is scattered across the internet, there is a high probability of being targeted by fraud or unwanted marketing. To mitigate this risk, data removal services manage the visibility of data, reducing the chances of being contacted by marketers or by malicious actors using personal details for phishing attacks, scams, and fraud.

Many people find peace of mind in knowing that their personal information is being managed by privacy experts who are committed to protecting their privacy. As a result, clients can navigate the internet with a greater sense of security, free from the continuous worry about data misuse or privacy infringement when they are dealing with personal information online.

It is quite common for companies and data brokers to collect a wide range of personal information through a variety of methods, including users' shopping history on e-commerce sites, public records, social media profiles (including posts, likes, comments, and connections), medical records, online search history, credit card transactions, and other sources. Advertisers can use a great deal of this information to target their advertisements, including users' names, ages, genders, and Social Security Numbers, along with their IP addresses, browser cookies, and browsing habits.

This data is used for targeted advertising, suggesting content or products that users may find beneficial and ultimately decide to buy. What do the companies and data brokers that harvest the data gain? They sell users' data to advertisers for a profit, which is how they make money. It is a well-oiled system in which everyone involved profits from the information users provide.

Having users' data exposed, however, can lead to identity theft, financial fraud, harassment (including stalking and surveillance), social engineering attacks such as doxxing, potential discrimination, and, of course, targeted advertising, which most people dislike. Data removal services bring several benefits, but they also have limitations. The primary concern is their effectiveness.

These services cannot completely guarantee that personal information will be removed from online platforms or data brokers, though they do offer some assurances. Efforts to erase data from specific sites can fail for various reasons, including data breaches, data mining activity, or newly updated public records, and the data may reappear when a site is updated. A data removal service therefore does not provide a comprehensive, one-time solution to data exposure.

Data removal services usually target companies that sell search engine optimization and data analytics software, which means they have limited ability to remove "public" data, that is, any information that is publicly available through government records, social networking sites, and news publications. Such publicly available data remains accessible despite data removal efforts, which underscores a critical limitation in the scope of these services: they are unable to remove information classified as public.

The persistence of this data online reflects the inherent challenges these services face in fully securing individual privacy across all platforms. Cost considerations also play a significant role in evaluating the viability of data removal services. Typically, these services charge subscription fees that can range from moderate to significant monthly costs, often amounting to several tens of dollars. 

While they strive to protect personal information, they cannot guarantee complete data removal from all sources. This limitation is not due to a lack of effort but rather the complexities involved in tracking and controlling data spread through diverse online channels, some of which are continually refreshed or redistributed by third parties. Consequently, for individuals or businesses considering data removal services, it is important to weigh these costs against the limitations and partial protections offered, ensuring that the service aligns with their privacy needs and risk tolerance.

Embargo Ransomware Uses Custom Rust-Based Tools for Advanced Defense Evasion

 


Researchers at ESET report that Embargo ransomware is using custom Rust-based tools to overcome cybersecurity defences built by vendors such as Microsoft and IBM. The new toolkit was observed during a ransomware incident targeting US companies in July 2024 and is composed of a loader and an EDR killer, MDeployer and MS4Killer respectively.

Unlike most malware, MS4Killer is customized for each victim's environment, targeting only selected security solutions, which makes it particularly dangerous to those who are unaware of it. The tools appear to have been created together, and some of their functionality overlaps. The report reveals that MDeployer, MS4Killer, and the Embargo ransomware payload were all written in Rust, which indicates that this is the programming language the group favours.

The Embargo gang was first identified during the summer of 2024. The group appears to be well resourced, able to develop custom tools as well as set up its own infrastructure for communicating with victims. The group uses double extortion: as well as encrypting victims' data, it exfiltrates that data and threatens to publish it on a leak site.

Moreover, ESET considers Embargo to be a ransomware-as-a-service (RaaS) provider. The group is also able to adjust quickly during attacks. “The main purpose of the Embargo toolkit is to secure successful deployment of the ransomware payload by disabling the security solution in the victim’s infrastructure. Embargo puts a lot of effort into that, replicating the same functionality at different stages of the attack,” the researchers wrote.

“We have also observed the attackers’ ability to adjust their tools on the fly, during an active intrusion, for a particular security solution,” they added. MDeployer is the main malicious loader Embargo attempts to deploy on victims’ machines in the compromised network. Its purpose is to facilitate ransomware execution and file encryption. It executes two payloads, MS4Killer and Embargo ransomware, and decrypts two encrypted files a.cache and b.cache that were dropped by an unknown previous stage. 

When the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system. Another feature of MDeployer is when it is executed with admin privileges as a DLL file, it attempts to reboot the victim’s system into Safe Mode to disable selected security solutions. As most cybersecurity defenses are not in effect in Safe Mode, it helps threat actors avoid detection. 

MS4Killer is a defense evasion tool that terminates security product processes using a technique known as bring your own vulnerable driver (BYOVD). MS4Killer terminates security products from the kernel by installing and abusing a vulnerable driver that is stored in a global variable. The process identifier of the process to terminate is passed to s4killer as a program argument. 

Embargo has extended the tool’s functionality with features such as running in an endless loop to constantly scan for running processes and hardcoding the list of process names to kill in the binary. After disabling the security tooling, Embargo affiliates can run the ransomware payload without worrying whether their payload gets detected. During attacks, the group can also adjust to the environment quickly, which is another advantage.

Essentially, the Embargo toolkit offers a method of ensuring the successful deployment of the ransomware payload by disabling the security solution in the victim's infrastructure. Embargo invests a lot of time and effort into this, replicating the same functionality at different stages of the attack, the researchers wrote. They added that the attackers also showed a capability to modify their tools on the fly, during an active intrusion, for a particular security solution.

MDeployer is the main malicious loader that Embargo attempts to deploy on victims' machines in the compromised network. Its purpose is to facilitate ransomware execution and file encryption. It decrypts two encrypted files, a.cache and b.cache, left on the system by an unknown earlier stage, and executes the two payloads they contain, MS4Killer and the Embargo ransomware.

After its encryption process, the MDeployer program systematically terminates the MS4Killer process, erases any decrypted payloads, and removes a driver previously introduced by MS4Killer. Upon completing these actions, the MDeployer initiates a system reboot. This process helps ensure that no remnants of the decryption or defence-evasion components persist on the system, potentially aiding threat actors in maintaining operational security. In scenarios where MDeployer is executed as a DLL file with administrative privileges, it has an additional capability: rebooting the compromised system into Safe Mode. 

This mode restricts numerous core functionalities, which is often leveraged by threat actors to minimize the effectiveness of cybersecurity defences and enhance stealth. Since most security tools do not operate in Safe Mode, this functionality enables attackers to evade detection more effectively and hinder any active defences, making detection and response significantly more challenging. The MS4Killer utility functions as a defense-evasion mechanism that specifically targets security product processes for termination. This is achieved using a technique referred to as "bring your own vulnerable driver" (BYOVD), wherein threat actors exploit a known vulnerable driver. 

By installing and leveraging this driver, which is maintained within a global variable, MS4Killer is able to terminate security processes from the kernel level, bypassing higher-level protections. The identifier for the targeted process is supplied as an argument to the MS4Killer program. To further enhance MS4Killer’s effectiveness, Embargo has incorporated additional capabilities, such as enabling the tool to run continuously in a loop. This looping function allows it to monitor for active processes that match a predefined list, which is hardcoded within the binary, and terminate them as they appear. 

By persistently disabling security tools, Embargo affiliates can then deploy ransomware payloads with minimal risk of detection or interference, creating an environment highly conducive to successful exploitation.

Security Defenses Crippled by Embargo Ransomware

 


Embargo is a new ransomware gang operating a ransomware-as-a-service (RaaS) model. According to a study published Wednesday by ESET researchers, the Embargo group is relatively young and still developing. It uses a custom Rust-based toolkit, one component of which abuses the Windows Safe Mode feature to disable security processes.

ESET researchers say that the Embargo ransomware group is developing custom Rust-based tools to defeat the cybersecurity defenses put in place by companies and governments. The new toolkit was discovered in July 2024 during a ransomware attack on US companies and is made up of a loader and an EDR killer, MDeployer and MS4Killer respectively, which can also be accessed and downloaded online. MS4Killer can be utilized in several ways.

For instance, it can be compiled for each victim's environment, targeting only specific security solutions. As both tools appear to have been developed together, there is some overlap in functionality between them. Several of the group's programs, including MDeployer, MS4Killer, and Embargo's ransomware payload, are written in Rust, suggesting that this is the language its developers use most often. The group has claimed ten victims on its dark web leak site, including a non-bank lender from Australia, a police department from South Carolina, and a community hospital from Idaho.

In an interview conducted in June, a self-proclaimed representative of Embargo said that the group specializes in ransomware-as-a-service, with affiliates keeping up to 80% of extortion payments. The toolkit discovered by ESET consists of two primary components: MDeployer, which is designed to deploy Embargo's ransomware and other malicious payloads, and MS4Killer, which is built to exploit vulnerable drivers to disable endpoint detection and response systems.

Both MDeployer and MS4Killer are written in Rust. Because of its memory safety features and low-level capabilities, the language can be used to create malware that is both effective and resilient, and ESET reports that Embargo can target both Windows and Linux systems with it. Embargo was first publicly observed in May 2024, one month before ESET first saw it in its telemetry in June 2024. The group has drawn attention not only because it successfully breached high-profile targets but also because of the language it chose for its ransomware payload.

Embargo chose Rust, a cross-platform programming language, which gave it the potential to develop ransomware targeting both Windows and Linux platforms. The Embargo group follows in the footsteps of BlackCat and Hive as yet another group developing ransomware payloads in Rust. Its modus operandi shows that it is a well-resourced group: it runs its own infrastructure for communicating with victims and also lets them communicate via Tox. The group uses double extortion, forcing victims to pay and also publishing stolen information on its leak website.

MDeployer is the loader Embargo mainly uses to deploy malicious payloads on victims' computers within the compromised network. It is designed to make it easier to execute the ransomware and encrypt files. Two payloads are executed, MS4Killer and the Embargo ransomware, after two encrypted files, a.cache and b.cache, which were dropped by an unknown previous stage, are decrypted.

Once the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payload files and the driver file dropped by MS4Killer, and finally restarts the computer. When MDeployer runs as a DLL file with administrative privileges, it also has the ability to reboot the victim's system into Safe Mode, where major cybersecurity defenses are not switched on, which allows threat actors to continue operating undetected. The initial intrusion vector is unknown; however, once MDeployer is running on the victim machine, it decrypts MS4Killer from the encrypted file "b.cache" and drops it on the system as "praxisbackup.exe".

In every case observed by ESET, MDeployer decrypted the ransomware payload from "a.cache" and dropped and executed it as "pay.exe", using the same hardcoded RC4 key to decrypt both files. MS4Killer reportedly builds on the S4Killer proof-of-concept tool available on GitHub and drops the vulnerable mini-filter driver problem.sys version 3.0.0.4 in what is known as a "Bring Your Own Vulnerable Driver" (BYOVD) attack, a technique that abuses a legitimately signed but vulnerable driver. The researchers wrote that MS4Killer exploits this vulnerability to obtain kernel-level code execution and uses it to kill security software processes.

Embargo's version of MS4Killer differs from the original in that Embargo has hardcoded the list of processes to be killed into the binary and has encrypted the embedded driver blob with RC4. ESET researchers describe how MS4Killer runs in an endless loop, constantly seeking out processes to terminate.

MDeployer, a component of the Embargo ransomware attack chain, logs any errors encountered during its operations in a file named “fail.txt.” Upon completion of the attack, whether through successful ransomware deployment or because an error in loader execution halted the attack, MDeployer initiates a cleanup routine. This includes terminating the MS4Killer loop and deleting specific files such as praxisbackup.exe, pay.exe, and the vulnerable driver.

Additionally, it generates a control file named “stop.exe,” which certain MDeployer versions check to prevent re-execution and, consequently, double encryption. Embargo, developed in Rust, appends to each encrypted file a unique, randomly generated six-character extension combining letters and numbers, such as “.b58eeb.” It also drops a ransom note titled “HOW_TO_RECOVER_FILES.txt” in each affected directory. The group has established its own secure infrastructure for covert communication with victims but offers the option to negotiate through Tox chat as well.

Although still developing, Embargo shows signs of ambition, borrowing techniques from established ransomware-as-a-service (RaaS) groups. These include implementing the "bring your own vulnerable driver" (BYOVD) strategy, exploiting Safe Mode, and leveraging the adaptable Rust programming language. ESET's analysis lists Embargo’s indicators of compromise (IoCs) and its tactics, techniques, and procedures (TTPs), offering guidance to help organizations defend against this emerging threat.
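One way to turn the artifacts described above (the ransom note, the six-character extension, and the loader and driver files that cleanup is supposed to remove) into a triage check over a file listing. This is an added example, not code from ESET's report or from the Embargo tooling; the sample listing and the thresholds are constructed here, and the extension rule alone is deliberately treated as weak because ordinary six-letter extensions such as ".sqlite" also match it.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Artifact names taken from the write-up above; the verdict rule is an assumption.
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"
LOADER_ARTIFACTS = {"pay.exe", "praxisbackup.exe", "problem.sys", "stop.exe", "fail.txt"}
# Random six-character extension of letters and digits, e.g. ".b58eeb".
ENC_EXT_RE = re.compile(r"^[a-z0-9]{6}$")

# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_FILES.txt",
    r"C:\Users\alice\Documents\budget.xlsx.b58eeb",
    r"C:\Users\alice\Documents\report.docx.b58eeb",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\ProgramData\app\cache.sqlite",  # benign six-letter extension
    r"C:\Windows\Temp\pay.exe",
    r"C:\Windows\Temp\fail.txt",
]


def scan_listing(paths):
    """Group paths by directory and report Embargo-style artifacts.

    A six-character extension counts as an encrypted file only when the
    ransom note sits in the same directory; otherwise it is reported as a
    weak, extension-only hit so analysts can review it rather than alert on it.
    """
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].append(wp.name)

    findings = {"ransom_note_dirs": [], "encrypted_files": [],
                "suspicious_ext_only": [], "artifacts": []}
    for d, names in by_dir.items():
        has_note = RANSOM_NOTE.lower() in {n.lower() for n in names}
        if has_note:
            findings["ransom_note_dirs"].append(d)
        for n in names:
            nl = n.lower()
            if nl in LOADER_ARTIFACTS:
                findings["artifacts"].append(f"{d}\\{n}")
                continue
            ext = nl.rsplit(".", 1)[-1] if "." in nl else ""
            if ENC_EXT_RE.match(ext) and nl != RANSOM_NOTE.lower():
                bucket = "encrypted_files" if has_note else "suspicious_ext_only"
                findings[bucket].append(f"{d}\\{n}")

    # Verdict (assumed rule): a ransom note anywhere, or two or more loader
    # artifacts left behind (cleanup failed), is treated as an Embargo hit.
    findings["verdict"] = bool(findings["ransom_note_dirs"]) or len(findings["artifacts"]) >= 2
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(scan_listing(SAMPLE_LISTING), indent=2))
```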

AI-Driven Deepfake Scams Cost Americans Billions in Losses



As artificial intelligence (AI) technology advances, cybercriminals are now capable of creating sophisticated "deepfake" scams that result in significant financial losses for the companies they target. In January 2024, an employee of a Hong Kong-based firm was instructed, on a video call that appeared to include her chief financial officer and other members of the firm, to send US$25 million to fraudsters. 

The fraudsters had used deepfakes that replicated the likenesses of the colleagues she believed she was on the call with. The number of scammers continues to rise, and artificial intelligence and other sophisticated tools are raising the risk that victims will be scammed. Americans were swindled out of an estimated $12.5 billion online in the past year, up from $10.3 billion in 2022, according to the FBI's Internet Crime Complaint Center. 

The actual figure could be much higher: during the investigation of one case, the FBI found that only 20% of the victims had reported these crimes to the authorities. Scammers keep devising new ruses and techniques, and artificial intelligence is playing an increasingly prominent role. 

Based on a recent FBI analysis, 39% of victims last year were swindled using manipulated or doctored videos that misrepresented what someone said or did. Such video scams have been used to perpetrate investment frauds, romance swindles, and other types of scams.

Americans were scammed out of an estimated $12.5 billion online last year, up from $10.3 billion in 2022, according to the FBI's Internet Crime Complaint Center, and the totals could be much higher: in one recent case an FBI official found that only 20% of the victims had reported these crimes to the authorities. Today, scammers perpetrate many different scams, and AI is becoming more prominent in that threat. 

According to the FBI's assessment, 39% of victims last year were swindled using fake or doctored videos, altered with artificial intelligence, that manipulated or misrepresented what someone did or said. The videos are being used in investment scams and in romance scams, for example, to deceive people into believing they are in love. In several recent, widely reported instances, fraudsters have modified publicly available videos and other footage using deepfake technology in an attempt to cheat people out of their money.

In his response, Romero indicated that artificial intelligence could allow scammers to process much larger quantities of data and, as a result, try more combinations of passwords in their attempts to break into victims' accounts. For this reason, it is extremely important that users choose strong passwords, change them frequently, and use two-factor authentication on their accounts. The FBI's Internet Crime Complaint Center received more than 880,000 complaints last year from Americans who were victims of online fraud. 

In fact, according to Social Catfish, 96% of all money lost in scams is never recouped, mainly because most scammers live overseas and cannot return the money. The increasing prevalence of cryptocurrency in criminal activities has made it a favoured medium for illicit transactions, particularly investment-related crimes. Fraudsters often exploit the anonymity and decentralized nature of digital currencies to orchestrate schemes that demand payment in cryptocurrency. A notable tactic includes enticing victims into fraudulent recovery programs, where perpetrators claim to assist in recouping funds lost in prior cryptocurrency scams, only to exploit the victims further. 

The surge in such deceptive practices complicates efforts to differentiate between legitimate and fraudulent communications. Falling victim to sophisticated scams, such as those involving deepfake technology, can result in severe consequences. The repercussions may extend beyond significant financial losses to include legal penalties for divulging sensitive information and potential harm to a company’s reputation and brand integrity. 

In light of these escalating threats, organizations are being advised to proactively assess their vulnerabilities and implement comprehensive risk management strategies. This entails adopting a multi-faceted approach to enhance security measures, which includes educating employees on the importance of maintaining a sceptical attitude toward unsolicited requests for financial or sensitive information. Verifying the legitimacy of such requests can be achieved by employing code words to authenticate transactions. 

Furthermore, companies should consider implementing advanced security protocols and tools such as multi-factor authentication and encryption technologies. Establishing and enforcing stringent policies and procedures governing financial transactions are also essential steps in mitigating exposure to fraud. Such measures can help fortify defenses against the evolving landscape of cybercrime, ensuring that organizations remain resilient in the face of emerging threats.

Chinese Quantum Computer Breaks Advanced Military Encryption



According to Chinese scientists at Shanghai University, a quantum computer from the Canadian company D-Wave has been demonstrated to be capable of breaking a popular encryption scheme that has been used for many years. A new study shows that it is capable of attacking Rivest-Shamir-Adleman (RSA) encryption, which is used by web browsers, VPNs, email services, and chips of companies such as Samsung and LG, among others. 

The Advanced Encryption Standard (AES), which was adopted by the US government in 2001, can also be attacked by this tool, according to the study. The Chinese researchers state that there is a real and substantial threat to classical cryptography, which is widely used in the financial and military sectors as well as in secure communication networks. SCMP published a report last week stating that the researchers used a D-Wave quantum computer to mount what they describe as the first quantum attacks on well-established cryptographic algorithms. 

Substitution-permutation-network (SPN) algorithms are found in widely used standards such as Rivest-Shamir-Adleman (RSA) and the Advanced Encryption Standard (AES), which the report classes as SPN-based cryptographic algorithms. While general-purpose quantum computing is still a long way from being fully operational, a great deal of research is under way in this area as well as in specialised quantum computing. 

Modern cryptography, though, should not be considered at immediate risk, as quantum computing does not yet pose an immediate threat. Professor Wang Chao of Shanghai University led the team that used quantum computers produced by D-Wave Systems, a Canadian company, to attack cryptographic algorithms in a new research paper. Wang and his students claim that this is one of the first times a real quantum computer has presented a substantial threat to full-scale SPN-structured algorithms in use today. 


However, even though the researchers were not able to crack specific passcodes, they warn that quantum computers might be able to challenge modern encryption systems within the next few years. A quantum computer operates on principles completely different from those of classical computers; the D-Wave machine exploits quantum tunnelling and annealing to solve complex problems with higher efficiency and accuracy. As reported by the SCMP, Wang's team merged quantum techniques with conventional mathematical methods to develop an algorithm capable of attacking ciphers such as Present, Gift-64, and Rectangle, which were designed to withstand quantum techniques. 

Despite this breakthrough in quantum computing, the researchers acknowledge certain limitations currently holding the technology back, such as hardware immaturity and interference caused by the environment, which are currently preventing its full potential from being realized. Because of the sensitive nature of the research, Wang did not elaborate further on the findings. Researchers from Shanghai University, led by Wang Chao, have reportedly made significant strides in attacking military-grade encryption using quantum computing technology. 

Their efforts targeted Substitution-Permutation Network (SPN) algorithms, including Present, Gift-64, and Rectangle—systems that form the backbone of the Advanced Encryption Standard (AES). AES-256, in particular, is frequently cited as "military-grade" encryption and is believed to offer resistance against quantum computing attacks. 

However, the specific methods employed by Wang and his team to break these encryption systems remain unclear. In an interview with the South China Morning Post, Wang declined to provide further details, citing the sensitivity of the research. Despite this, the researchers have indicated that their work represents a substantial breakthrough. They claim that, for the first time, a quantum computer has posed a "real and substantial" threat to multiple full-scale SPN-structured algorithms currently in use. This was outlined in a peer-reviewed paper published in the Chinese Journal of Computers, a Mandarin-language journal. 

The paper highlights the potential risk quantum computing now poses to modern encryption standards. While many existing quantum systems are not yet considered advanced enough to threaten contemporary cryptology, this research suggests that the timeline for quantum machines to break widely used cryptographic algorithms may be shorter than previously expected. The researchers warned that the ability to crack these codes is closer than ever before. 

Currently, most general-purpose quantum systems are still in the developmental stages, and it is widely believed that practical quantum computers capable of breaking modern encryption systems are several years away. D-Wave Systems, which claims to be the world’s first commercial quantum computer supplier, counts major organizations like Lockheed Martin, NASA, and Google among its early adopters. Despite these advancements, many cryptography experts are working to develop "quantum-proof" encryption methods to safeguard against future risks posed by more powerful quantum machines. 

Quantum computers have the potential to solve complex problems that traditional computers cannot, and in the long term, they could become capable of breaking most public-key encryption algorithms. This has spurred global efforts to future-proof cryptographic systems against the eventual rise of fully capable quantum computing technologies.

AI Deepfakes Pose New Threats to Cryptocurrency KYC Compliance



ProKYC is a recently revealed artificial intelligence (AI)-powered deepfake tool that nefarious actors can use to circumvent high-level Know Your Customer (KYC) protocols on cryptocurrency exchanges, a very sophisticated method of bypassing such checks. A recent report from cybersecurity firm Cato Networks describes this development as an indication that cybercriminals have stepped up their tactics to get ahead of law enforcement. 

Identity fraud has commonly involved buying forged documents on the dark web. ProKYC takes a different approach: fraudsters can use the tool to create entirely new identities for use in fraud. Cato Networks reports that the AI tool is aimed specifically at crypto exchanges and financial institutions. 

When a new user registers with one of these organizations, the organization uses technology to verify that the user is who they claim to be. During this process, a government-issued identification document, such as a passport or driver's license, must be uploaded and matched against a live webcam image. ProKYC is designed to bypass these checks by generating a fake identity together with a deepfake video, allowing criminals to circumvent the facial recognition software and commit fraud. 

As noted in the press release from Cato Networks, this method introduces a new level of sophistication to the crypto fraud industry. A Cato Networks report published on Oct. 9 reported that Etay Maor, the company's chief security strategist, believes that the new tool represents a significant step forward in terms of what cybercriminals are doing to get around two-factor authentication and KYC mechanisms. 

In the past, fraudsters were forced to buy counterfeit identification documents on the dark web, but with AI-based tools they can create brand-new ID documents from scratch. According to Cato, the tool was built specifically for crypto exchanges and financial firms whose KYC protocols require matching a webcam image of a new user's face to their government-issued identification documents, such as a passport or a driver's license.  

Using ProKYC, Cato's researchers were able to generate fake ID documents, along with accompanying deepfake videos, to pass the facial recognition challenges used by some of the largest crypto exchanges in the world. The user creates an AI-generated face, then adds that AI-generated profile picture to an Australian passport template. 

In the next step, ProKYC uses artificial intelligence (AI) to create a fake video and image of the artificially generated person, which is used to bypass the KYC protocols on the Dubai-based crypto exchange Bybit. The cybersecurity company Cato Networks has recently reported that this deepfake AI tool is being used to open fake accounts at exchanges by evading their KYC checks. 

ProKYC can be purchased for $629 a year and used by fraudsters to create fake identification documents and generate videos that look almost real. The package includes a camera, a virtual emulator, facial animations, fingerprints, and an image generation program that produces the documents to be verified. A recent report highlights the emergence of this advanced AI deepfake tool, custom-built to exploit financial companies’ KYC protocols. 

This tool, designed to circumvent biometric face checks and document cross-verification, has raised concerns by breaching security measures that were previously impenetrable, even by the most sophisticated AI systems. The deepfake, created with a tool known as ProKYC, was showcased in a blog post by Cato Networks. It demonstrates how AI can generate counterfeit ID documents capable of bypassing KYC verification at exchanges like Bybit. 

In one instance, the system accepted a fictitious name, a fraudulent document, and an artificially generated video, allowing the user to complete the platform’s verification process seamlessly. Despite the severity of this challenge, Cato Networks notes that certain methods can still detect these AI-generated identities. 

Techniques such as having human analysts scrutinize unusually high-quality images and videos, or identifying inconsistencies in facial movements and image quality, are potential safeguards. 

Legal Ramifications of Identity Fraud 

The legal consequences of identity fraud, particularly in the United States, are stringent. Penalties can reach up to 15 years in prison, along with substantial fines, depending on the crime's scope and gravity. With the rise of AI tools like ProKYC, combating identity fraud is becoming more difficult for law enforcement, raising the stakes for financial institutions. 

Rising Activity Among Scammers 

In addition to these developments, September saw a marked increase in deepfake AI activity among crypto scammers. Gen Digital, the parent company of Norton, Avast, and Avira, reported a spike in the use of deepfake videos to deceive investors into fraudulent cryptocurrency schemes. This uptick underscores the need for stronger security measures and regulatory oversight to protect the growing number of investors in the crypto sector. 

The advent of AI-powered tools such as ProKYC marks a new era in cyber fraud, particularly within the cryptocurrency industry. As cybercriminals increasingly leverage advanced technology to evade KYC protocols, financial institutions and exchanges must remain vigilant and proactive. Collaboration among cybersecurity firms, regulatory agencies, and technology developers will be critical to staying ahead of this evolving threat and ensuring robust defenses against identity fraud.