
Germany Warns of Pre-Installed Malware on 30,000 Devices

 


Earlier this week, Germany's cybersecurity office issued a warning about at least 30,000 internet-connected devices across the nation being compromised by pre-installed malware known as BadBox.

The Federal Office for Information Security (BSI) announced that it had successfully halted communication between the infected devices and the hackers' control servers, preventing further damage. However, devices with outdated software remain at significant risk.

BadBox: A Threat to Low-Cost Devices

The hacker group behind BadBox primarily targets Android devices by embedding malicious code into their firmware. Affected devices include:

  • Smartphones
  • Tablets
  • Connected TV streaming boxes

BadBox’s operators focus on low-cost devices distributed through online merchants or resale platforms. These devices come pre-installed with Triada malware, which opens a backdoor, enabling attackers to:

  • Remotely control the device
  • Inject new software
  • Perform illegal actions

Capabilities of the BadBox Malware

BSI discovered that the malware on compromised devices, such as digital photo frames and streaming gadgets, can discreetly:

  • Generate email and messenger accounts
  • Propagate fake news
  • Commit advertising fraud
  • Act as a proxy for cyberattacks or illegal content distribution

BSI’s Countermeasures

German cyber officials employed a technique known as sinkholing to redirect traffic from infected devices to secure servers, effectively limiting hackers' access. Additionally, the BSI mandated that all German internet service providers (ISPs) with over 100,000 subscribers reroute BadBox traffic to its sinkhole.

The BSI refrained from naming the manufacturers of the compromised devices but advised consumers who received warnings from authorities to disconnect or cease usage of the affected products immediately.

BSI President Claudia Plattner reassured consumers, stating: "There is no immediate danger for these devices as long as the BSI maintains the sinkholing measure. Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions, in particular, pose a huge risk."

Plattner also stressed the need for collective action: "We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market."

Takeaways for Consumers

To protect against threats like BadBox, consumers should:

  • Ensure devices are updated with the latest firmware
  • Purchase devices only from reputable manufacturers
  • Stay vigilant about warnings from cybersecurity authorities

As malware threats continue to evolve, proactive measures and industry accountability remain essential in safeguarding digital ecosystems.

New Golang-Based Botnet 'Zergeca' Discovered


 

Researchers at QiAnXin XLab have found a new and dangerous botnet called Zergeca. This botnet, written in the Go programming language (Golang), can launch powerful distributed denial-of-service (DDoS) attacks, which can overwhelm and shut down targeted websites or services.

How Zergeca Was Discovered

In May 2024, researchers came across a suspicious file uploaded from Russia to a security website called VirusTotal. This file, located at /usr/bin/geomi, had a unique identifier but wasn't marked as harmful. Another similar file was uploaded from Germany on the same day. This led experts to discover that these files were part of a new botnet, which they named Zergeca, inspired by a string in its code that reminded them of the Zerg creatures from the video game StarCraft.

Zergeca is capable of six different types of DDoS attacks. It also has additional features, such as acting as a proxy, scanning networks, upgrading itself, staying persistent on infected devices, transferring files, providing remote access, and collecting sensitive information from compromised devices. One unique aspect of Zergeca is its use of multiple DNS resolution methods, preferring DNS over HTTPS (DoH) for communicating with its command and control (C2) server. It also uses an uncommon library called Smux for encrypted communication.

The C2 server used by Zergeca has been linked to at least two Mirai botnets since September 2023. This suggests that the creator of Zergeca has prior experience with running botnets.

Between early and mid-June 2024, Zergeca was used to carry out DDoS attacks on organisations in Canada, the United States, and Germany. The primary attack method used was known as ackFlood. Victims of these attacks were spread across multiple countries and different internet networks.

Zergeca operates through four main modules: persistence, proxy, silivaccine, and zombie. The persistence module ensures the botnet stays active on infected devices, while the proxy module manages proxying tasks. The silivaccine module removes any competing malware, ensuring that Zergeca has full control of the device. The zombie module is the most critical, as it carries out the botnet's main functions, including DDoS attacks, scanning, and reporting information back to the C2 server.

To stay active, Zergeca adds a system service called geomi.service on infected devices. This service ensures that the botnet process restarts automatically if the device reboots or the process is stopped.
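A host check for the persistence described above, added here as an illustration and not taken from the XLab report: it scans systemd unit directories for a unit named geomi.service or any unit whose ExecStart runs /usr/bin/geomi (which also catches a renamed unit). The unit directories, the reason strings and the sample unit contents are assumptions constructed for the example.

```python
import os
import tempfile

# Indicators come from the article; the unit directories are the usual systemd paths (assumed).
IOC_UNIT_NAME = "geomi.service"
IOC_BINARY = "/usr/bin/geomi"
DEFAULT_UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")

def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def assess_unit(filename, text):
    """Return the reasons a unit matches the Zergeca persistence indicators."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    reasons = []
    if filename == IOC_UNIT_NAME:
        reasons.append("unit name is " + IOC_UNIT_NAME)
    for value in service.get("ExecStart", []):
        # Drop systemd's special prefixes (-, @, :, +, !) before comparing paths.
        binary = (value.split() or [""])[0].lstrip("-@:+!")
        if binary and os.path.normpath(binary) == IOC_BINARY:
            reasons.append("ExecStart runs " + IOC_BINARY)
    if reasons:  # context: how the flagged unit keeps the process alive
        reasons.append("Restart=" + service.get("Restart", ["no"])[-1])
        if unit.get("Install", {}).get("WantedBy"):
            reasons.append("starts at boot")
    return reasons

def scan(unit_dirs=DEFAULT_UNIT_DIRS):
    """Map each suspicious *.service file path to its list of reasons."""
    findings = {}
    for directory in filter(os.path.isdir, unit_dirs):
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if name.endswith(".service") and os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if reasons := assess_unit(name, fh.read()):
                        findings[path] = reasons
    return findings

def demo():
    units = {  # constructed samples, not recovered from a real infection
        "geomi.service": "[Service]\nExecStart=/usr/bin/geomi\nRestart=always\n"
                         "[Install]\nWantedBy=multi-user.target\n",
        "netcfg.service": "[Service]\nExecStart=-/usr/bin/geomi\n",
        "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in units.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): r for p, r in scan([tmp]).items()}

if __name__ == "__main__":
    for unit, why in demo().items():
        print(unit, "->", "; ".join(why))
```

Calling `scan()` with no arguments checks the default unit directories on the local host; an empty result means only that these two indicators were not found.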

Researchers have gained insights into the skills of Zergeca’s creator. The use of techniques like modified file packing, XOR encryption, and DoH for C2 communication shows a deep understanding of how to evade detection. The implementation of the Smux protocol demonstrates advanced development skills. Given these abilities, researchers expect to see more sophisticated threats from this author in the future.

The discovery of Zergeca highlights the increasing intricacy of cyber threats. Organisations must remain vigilant and adopt strong security measures to protect against such advanced attacks. The detailed analysis of Zergeca provides valuable information on the capabilities and tactics of modern botnets, emphasising the need for continuous monitoring and proactive defence strategies in cybersecurity.


Germany Admits Investigating Worldcoin’s Eye-Scanning Orb

Privacy issues with the Worldcoin cryptocurrency project, a venture by OpenAI CEO Sam Altman, have been under discussion since the announcement of its official launch. Several countries have now started considering its potential threats and are looking into the issue seriously.

Adding to this, Germany became the third European country to admit investigating Worldcoin, after France and the US. It therefore seems there is a tough regulatory road ahead for the venture.

The head of the Bavarian State Office for Data Protection Supervision, Germany's data watchdog, recently noted that they have been investigating Worldcoin since November 2022 over suspicion of the venture's potential to access "sensitive data at a very large scale."

Although it officially launched just last week, Worldcoin has been collecting iris scans from individuals all over the world for the past two years to add to its database. The company claims that this will enable users to verify their identity as humans in the developing age of artificial intelligence by connecting human identity to specific biometric data. While the project's idea is intriguing, it has raised concerns among critics.

For instance, when reporters were dispatched to the project to have their irises scanned, Gizmodo and Futurism both reported that Orb operators did not ask for any prior identification or confirmation that participants are who they claim to be. In the underdeveloped world, participants in the project's pilot program have expressed feeling duped by the trade. Furthermore, since a blockchain is involved, it is unclear whether an individual can ask to have their data removed from the company's database.

However, neither these European data watchdogs nor Ethereum co-founder Vitalik Buterin, whose blockchain Worldcoin relies on, are persuaded that this type of "proof-of-personhood" venture is ready for widespread adoption.

In a blog post regarding Worldcoin, Buterin claimed that "if even one Orb manufacturer is malicious or hacked, it can generate an unlimited number of fake iris scan hashes, and give them World IDs."

This leads us to only one conclusion: we will not be convinced until Worldcoin reveals exactly what it does with the collected data.

Germany Accuses Egypt of Spying at COP27

 

German officials have lodged a complaint with the Egyptian government over covert surveillance by the country’s security agents at the COP27 World Climate Conference. 

According to the German Press Agency (DPA), the host country’s security agents have secretly monitored, photographed, and filmed events held at the German pavilion inside the summit venue in the Red Sea resort of Sharm el Sheikh. 

Prior to the incident on November 12, German police warned its speakers of potential security threats that could arise from their participation at the conference. 

"We expect all participants in the U.N. climate conference to be able to work and negotiate under safe conditions. This is not just true for the German but for all delegations, as well as representatives of civil society and the media," Germany's Foreign Ministry issued a statement following the security breach incident. 

Egypt Rejects Spying Accusations

Egyptian security sources rejected the claims, telling DPA that personnel were present only to safeguard foreign seminars and activities for the UN team, and that their role as Egyptians was limited to security outside the halls and in the city.

However, delegations from multiple nations told DPA that Egyptian security personnel had insisted on being part of closed sessions as well.

"It is very obvious that the Egyptian authorities are monitoring human rights activities. The only reason they haven't used physical violence yet is that we're in an UN-controlled area," Hossam Bahgat, founder of the Egyptian human rights organization EIPR, stated. 

The UN also acknowledged that some security agents were from the national police and said it was investigating the complaints.

Egypt's shady history 

The issue of Human rights has always been a matter of discussion in Egypt, with President Abdel Fattah al-Sisi's government accused of holding a tight grip on the Middle East nation. 

According to multiple media reports, thousands of individuals, including human rights activists, journalists, students, opposition politicians, businesspeople, and peaceful protesters have been arbitrarily detained. 

Many dissenters are subjected to unfair trials and mistreatment or torture by the Egyptian government. Due to deplorable prison conditions, many have fallen sick and even died. Neither Human Rights Watch (HRW) nor Amnesty has offices in Egypt to safeguard the rights of these individuals. However, a ban on the HRW website, in place for years, was lifted only a few days ago.

Germany: Individual Hacker Arrested for Stealing € 4 Million via Phishing Attacks

 

Germany’s federal criminal police, Bundeskriminalamt (BKA) carried out home raids on three suspects for executing a large-scale phishing campaign, defrauding internet users of €4 million. The phishing campaign was carried out by the charged suspects between October 3, 2020, and May 29, 2021, as per the evidence gathered by the German Computer Crime Office. 

One of the three suspects, a 24-year-old, has been arrested and charged by the BKA, the second, a 40-year-old, has also been charged with 124 acts of computer fraud, while the investigation for the third suspect is still ongoing.  

The hackers allegedly defrauded their victims by impersonating legitimate German banks and sending them phishing e-mails that were clones of messages from real banks.

“These e-mails were visually and linguistically believable based on real bank e-mails. The victims were informed in these letters that their house bank would change their security system – and their own account would be affected [...] The e-mail recipients were thus tricked into clicking on a link, which in turn led to a deceptively real-looking bank page. There, the phishing victims were asked to enter their login data and a current TAN, which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount of credit and availability. The perpetrators then contacted the victims and tricked them into revealing further TAN numbers as alleged bank employees. With the TAN, they were then able to withdraw funds from the accounts of the victims.” reads the statement issued by BKA. 

The phishing emails reportedly informed the internet users of changes in their respective bank's security systems, urging the victims to click on an embedded link to continue using the bank's services. The links redirected victims to a landing page that asked them to enter their credentials and Transaction Authentication Number (TAN), allowing the hackers to access their online banking accounts and withdraw funds.

According to the BKA, the hackers even used DDoS against the banks to conceal their fraudulent transactions. "In order to carry out their crimes, the accused are said to have resorted to offers from other cybercriminals who worked on the dark net, selling various forms of cyber-attacks as crime-as-a-service." BKA stated in an announcement. 

In regard to the active cases of phishing attacks and online fraud, the police urged internet users to take certain cautionary measures, such as never clicking a link or opening file attachments in emails that appear to be from a legitimate bank. If in doubt, the users are recommended to contact their banks personally or obtain information from the bank’s respective websites.

Germany Shuts Down World's Largest Illegal Marketplace on Darknet

 

The German authorities have confiscated the servers of Hydra Market, the most well-known Russian darknet network for drug sales and money laundering. The authorities were also able to seize 543 bitcoins worth a little more than $25 million from the earnings of Hydra. 

The money seized reflects the scale of the Hydra market, which had over 19,000 registered vendor accounts serving at least 17 million clients worldwide. Hydra Market had a turnover of $1.35 billion in 2020, according to the Central Office for Combating Cybercrime (ZIT) and Germany's Federal Criminal Police Office (BKA), making it the world's largest darknet market. 

Elliptic, a blockchain analytics firm, confirmed the authorities' confiscation of digital assets today, charting the action as 88 transactions totalling 543.3 bitcoin. Hydra also provided stolen databases, falsified documents, and hacking for hire services, in addition to the core focus of narcotics and money laundering. 

An investigation into a shady area 

The BKA, operating on behalf of the Attorney General's Office in Frankfurt am Main, confiscated the market's infrastructure following a coordinated international law enforcement action, according to Hydra's homepage. This move was made possible following a lengthy examination of the platform's previously unknown operators and administrators. 

 Hydra Market had a Bitcoin Bank Mixer, which disguised all bitcoin transactions done on the platform, making it difficult for law enforcement organisations to track money gained through illicit activity, according to the BKA announcement. 

According to a BKA spokesperson, no arrests have been made in this operation, and they are unable to give any other information on the evaluation of the confiscated infrastructure owing to ongoing investigations.

A Phishing Campaign in Germany is Attempting to Steal Banking Credentials

 

Credential phishing attacks aimed at obtaining German banking credentials have become more widespread, according to Proofpoint researchers. Proofpoint analysts have identified multiple high-volume operations imitating large German institutions, such as Volksbank and Sparkasse, employing customized, actor-owned landing sites, since August 2021. Hundreds of organizations are affected by the activity, which is still ongoing.

The campaigns were aimed at a variety of industries, with a focus on German companies and foreign workers in Germany. Each campaign, which included tens of thousands of messages, affected hundreds of organizations. The phishing emails contain account administration information, but they also contain links or QR codes that lead to a geo-fenced credential harvesting website. Targeted information includes banking branch details, login identity, and PIN. The threat actor used a number of URL redirection tactics to distribute the malicious URLs. In various campaigns, the threat actor used compromised WordPress websites to redirect users to phishing landing pages.

Threat actors regularly use WordPress plugins and websites built with WordPress software to spread malicious URLs for phishing and malware attacks. Feedproxy URLs and QR codes were also observed being used to redirect to phishing pages. Only German visitors are directed to the phishing website, because of the threat actor's geofencing measures. According to Proofpoint, the threat actors use IP geolocation checks to determine the location of a target. If the user is not in Germany, they are directed to a website clone ostensibly providing tourist information for Dusseldorf's Rhine Tower. If the user is in Germany, they are directed to a website that resembles a bank's website.

Using identical domain naming conventions, the actor hosts these pages on their own actor-controlled infrastructure. Sparkasse credential phishing URLs, for example, frequently begin with "spk-," whereas Volksbank clones begin with "vr-." Some samples of the domains used by this threat actor are, vr-mailormular[.]com/Q20EBD6QLJ, vr-umstellungssystem-de[.]com/FLBSEKZ9S3, spk-security-spk[.]com/P84OZ3OIS2, spk-systemerneuerung-spk[.]com/CJ4F6UFR0T. 
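The naming convention above can be turned into a proxy-log triage rule. The following is an added example, not Proofpoint's detection logic: it flags hosts whose registered domain starts with "spk-" or "vr-" and is not on an allowlist, and raises confidence when the path is a single 10-character token like the four sample URLs. The allowlist entry, the log layout, the timestamps and the client addresses are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Naming convention described in the article: brand prefix on the domain.
BRAND_PREFIXES = {"spk-": "Sparkasse", "vr-": "Volksbank"}
# Hypothetical allowlist; replace with domains your banks actually operate.
ALLOWED_DOMAINS = {"vr-legit-bank.example"}
# Assumption drawn from the four sample URLs: path is one 10-char [A-Z0-9] token.
TOKEN_PATH = re.compile(r"^/[A-Z0-9]{10}$")

# Constructed proxy log (timestamp, client, method, URL); the defanged
# hosts are the samples quoted in the article.
SAMPLE_LOG = """\
2021-10-01T08:12:03Z 10.0.0.5 GET hxxp://vr-mailormular[.]com/Q20EBD6QLJ
2021-10-01T08:12:09Z 10.0.0.7 GET hxxps://www.spk-security-spk[.]com/P84OZ3OIS2
2021-10-01T08:13:00Z 10.0.0.5 GET https://vr-legit-bank.example/login
2021-10-01T08:13:30Z 10.0.0.9 GET https://news.example/spk-article
2021-10-01T08:14:10Z 10.0.0.9 GET https://spk-systemerneuerung-spk[.]com/
"""


def refang(text):
    """Undo common defanging so the URL can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def classify(url):
    """Return (host, brand, confidence) for a lookalike URL, else None."""
    url = refang(url.strip())
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
    except ValueError:  # malformed netloc, e.g. stray brackets
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    # Simplification: the last two labels stand in for the registered domain
    # (fine for .com/.de; use a public-suffix list for other TLDs).
    domain = ".".join(host.split(".")[-2:])
    if not host or domain in ALLOWED_DOMAINS:
        return None
    for prefix, brand in BRAND_PREFIXES.items():
        if domain.startswith(prefix):
            confidence = "high" if TOKEN_PATH.match(parts.path) else "medium"
            return host, brand, confidence
    return None


def triage(log_text):
    """Return (client_ip, host, brand, confidence) for each flagged log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1],) + verdict)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A prefix match alone is weak evidence, so the rule is best used to queue hosts for review rather than to block outright.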

This campaign cannot be linked to a known threat group, according to Proofpoint. However, registrant information linked to several domains found in some of this activity has been linked to over 800 phoney websites, the majority of which imitate banks or financial institutions. According to domain registration data, this perpetrator may have been targeting users of Spanish banks early this year. Cybercriminal threat actors engaged in banking credential theft and fraudulent financial activity are opportunistic and target huge numbers of victims.

400,000 German Students' Data Exposed due to API Flaw

 

A newly found API issue in Scoolio, a school software used by 400,000 German students, has exposed the personal information of those students. Lilith Wittmann of the IT security collective Zerforschung discovered the issue and notified the application's team immediately.

Scoolio employs targeted advertising based on data collected from users, the majority of whom are students, without their knowledge or permission. It does, however, assert that it does not collect any user information. 

Scoolio's API shortcomings, as per Wittmann's report, facilitate information extraction based on the user ID. Anyone who uses this technique can obtain the user's username, email address, GPS history, school name and class, interests, UUID data, and personal information such as origin, religion, gender, and so on. 

Furthermore, the researcher also provided a representation, populated with fake data, of the data types affected by the issue.

The researcher also noted that the API patch to avoid data leak was relatively straightforward and that it arrived in 30 days, on October 25, 2021, after they were notified of the issue on September 21, 2021. She goes on to say that it is impossible to say how many students were affected as Scoolio inflates user statistics. The app's creators have produced an official paper outlining the patch and have confirmed it. 

Scoolio provides users with tools for managing time, homework planning, staying in touch with friends, and even contacting firms for job vacancies or internship options. The business behind this one collaborated with several German schools and marketed it as a remote teaching support software. It was created with funding from three state-owned investment groups: SIB Innovations und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen, and Kreissparkasse Bautzen, so many students are compelled to use the software as a result of collaborations and government initiatives endorsing the same. 

The fundamental issue is that such software is not being audited for security flaws. An initiative dubbed "EduCheck Digital" (EDCD) that began in August is attempting to evaluate which instructional media fulfil German data protection requirements and can be given the green light for use in schools.

"I would like to thank Ms. Wittmann for the information and the SDS for the exchange and thank you for your feedback on our security measures," Danny Roller, CEO, and founder of the Scoolio app shared in a statement. 

"Fortunately, after extensive testing, we can confirm that No user data was intercepted by third parties before the investigation by Ms. Wittmann and we have successfully closed the gaps found."