Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label ISP. Show all posts

Hackers Breach ISP to Poison Software Updates With Malware

 

A Chinese hacking group, known as StormBamboo, has compromised an internet service provider (ISP) to distribute malware through automatic software updates. This cyber-espionage group, also called Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting organizations in China, Hong Kong, Macao, Nigeria, and various countries in Southeast and East Asia. 

On Friday, cybersecurity researchers from Volexity revealed that StormBamboo exploited insecure software update mechanisms that did not verify digital signatures. This allowed the group to deploy malware on Windows and macOS devices instead of the intended updates. 

They did this by intercepting and modifying DNS requests, directing them to malicious IP addresses. This method delivered malware from their command-and-control servers without needing user interaction. 

"Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware. Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped," the researchers added. 

For example, StormBamboo used 5KPlayer update requests to push a backdoored installer from their servers. Once the target's system was compromised, the hackers installed a malicious Google Chrome extension, ReloadText, which stole browser cookies and email data. Volexity noted that StormBamboo targeted multiple software vendors with insecure update processes. The company worked with the ISP to investigate and resolve the issue, immediately stopping the DNS poisoning once the network components were rebooted. 
 
In April 2023, ESET researchers observed StormBamboo using the Pocostick (MGBot) Windows backdoor by exploiting the update mechanism for Tencent QQ. In July 2024, Symantec found the group targeting an American NGO in China and several organizations in Taiwan with new Macma macOS and Nightdoor Windows malware versions. 

Although the exact method was unclear, it was suspected to be a supply chain or adversary-in-the-middle attack. This incident highlights the importance of secure update mechanisms to prevent such cyber-attacks.

Google Backs Messaging Layer Security for Enhanced Privacy and Interoperability

 

In 2023, Google pledged its support for Messaging Layer Security (MLS), a protocol designed to provide practical interoperability across various messaging services while scaling efficiently to accommodate large groups. This move marks a significant step towards enhancing security and privacy across platforms. Although Google has not officially announced the timeline for adopting MLS, references to the standard have been found in a recent Google Messages build, suggesting that its implementation might be on the horizon. 

To appreciate the significance of MLS, it is essential to understand the basics of end-to-end encryption (E2EE). E2EE ensures secure communication by preventing unauthorized entities, such as hackers and internet service providers (ISPs), from accessing data. In asymmetric or public key encryption, both parties possess a public and a private key. The public key is available to anyone and is used to encrypt messages, while the private key, which is much harder to crack, is used to decrypt them. 

Despite its advantages in providing privacy, security, and data integrity, E2EE has its shortcomings. If security is compromised at either the sender’s or receiver’s end, malicious actors can intercept the public key, allowing them to eavesdrop on conversations or impersonate one of the parties. Additionally, E2EE does not conceal metadata, which can be exploited to gather information about the communication. Messaging Layer Security (MLS) is a standard proposed by the Internet Engineering Task Force (IETF) that offers enhanced security for communication groups, ranging from small to large sizes. 
While popular messaging services typically use E2EE for one-on-one chats, group chats present a unique challenge. MLS addresses this by using sender keys over secure channels to provide forward secrecy, meaning that the theft of a single key does not compromise the rest of the data. The protocol is based on asynchronous ratcheting trees (ART), which enable group members to derive and update shared keys. This tree structure approach ensures forward secrecy, post-compromise security, scalability, and message integrity, even as group sizes increase.  

Google Messages, the default messaging app on most Android phones, currently uses Rich Communication Services (RCS) to offer features like encrypted chats, read receipts, high-resolution media sharing, typing indicators, and emoji reactions. Although the Universal Profile version used by Google Messages does not support E2EE, it uses the Signal Protocol as a workaround for security. Recent APK teardowns of Google Messages have revealed code snippets mentioning MLS, hinting that Google might incorporate this feature in future updates. 

If MLS becomes the default security layer in Google Messages, it will significantly enhance the app’s security and interoperability. Google’s adoption of MLS could set a precedent for other messaging services, promoting better interoperability and security across communication apps. This move might also influence how Apple integrates RCS in iOS. With iOS 18 set to support the RCS Universal Profile 2.4 for messaging without E2EE, Apple may need to consider adopting MLS to stay competitive in offering secure communication. 

As Google prepares to implement MLS, we can expect a push towards standardizing communication protocols. Google Messages already offers features like auto spam detection, photomojis, and cross-device compatibility, making it a robust choice for staying connected. Should MLS be integrated, users can look forward to even more secure and private messaging experiences.

Korean ISP Accused of Installing Malware to Block Torrent Traffic

 

A major scandal has emerged in South Korea, where the internet service provider KT is accused of intentionally installing malware on the computers of 600,000 subscribers. This invasive action was reportedly designed to interfere with and block torrent traffic, a move driven by the financial pressures associated with the high bandwidth costs of torrenting. This revelation has significant implications for user privacy and the ethics of ISP practices. 

According to an investigative report by Korean outlet JBTC, KT—formerly known as Korea Telecom—took extreme measures to combat torrenting. Despite a decrease in filesharing traffic over the years, torrenting remains popular in South Korea, particularly through Web Hard Drive services (Webhard). These services use the BitTorrent-enabled ‘Grid System’ to keep files available, leading to significant bandwidth usage that caught the attention of ISPs like KT. KT, one of the largest ISPs in South Korea, had previously been involved in a court case in 2020 over throttling user traffic, citing network management costs. 

The court ruled in KT’s favor, but new reports indicate the company went beyond merely slowing downloads. Users of Webhard services began experiencing unexplainable errors and service outages around four years ago, all of whom were KT subscribers. JBTC’s investigation uncovered that KT had installed malware on these users’ computers, causing these disruptions. A dedicated team at KT, consisting of sections for malware development, distribution and operation, and wiretapping, allegedly planted malware to eavesdrop on subscribers and interfere with their file transfers. This malware not only limited torrent traffic but also allowed the ISP to access and alter data on users’ computers, raising serious legal and ethical concerns. 

The Gyeonggi Southern District Police Office, after conducting a search and seizure of KT’s data center and headquarters, believes the company may have violated the Communications Secrets Protection Act and the Information and Communications Network Act. In November last year, police identified 13 people of interest, including KT employees and employees of partner companies. 

The investigation is ongoing, with a supplementary probe continuing since last month. KT’s actions, ostensibly aimed at reducing network management costs, now appear likely to result in significant legal repercussions and potential financial losses. This case highlights the need for stricter regulatory oversight and transparency in ISP practices to protect consumer privacy and maintain trust.

Hundreds of Network Operators' Credentials Compromised on Dark Web


Leaked creds of RIPE, APNIC, AFRINIC, and LACNIC are available on the Dark Web

After doing a comprehensive scan of the Dark Web, Resecurity discovered that info stealer infections had compromised over 1,572 customers of RIPE, the Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC), and the Latin America and Caribbean Network Information Center (LACNIC). 

Included in this number are new artifacts and historical records discovered in January 2024 as a result of an examination of subterranean marketplaces and Command and Control (C2) servers. In light of the highly disruptive hack that occurred recently against telecom provider Orange España, the cybersecurity community should reconsider how it protects the digital identities of employees who work in network engineering and IT infrastructure management.

Victims whose credentials were revealed on the Dark Web by info stealers such as Azorult, Redline, Vidar, Lumma, and Taurus have been alerted by Resecurity. 

Cybersecurity experts were able to compile the following data using the feedback that was gathered:

  • 16% of respondents were already aware that their accounts had been compromised due to a malicious code infection, and they had made the required password changes and enabled two-factor authentication. 
  • The remaining 45% did not know about the compromised credentials and acknowledged that their password change had been successful.
  • 14% knew of the compromised credentials, however, they didn't activate 2FA until they were notified (statement received).
  • Twenty percent of respondents agreed that further investigation into the incident that compromised credentials was necessary.
  • Five percent of the recipients were unable to offer any comments.

Cyberespionage organizations active

It's noteworthy that the majority of network administrators (those found to have been infiltrated) who oversaw networks used email addresses registered with free services like Gmail, GMX, and Yahoo. 
Cyberespionage organizations that are intensely focused on particular targets, including network administrators and their social networks, may find great value in these facts. Finding out about their private emails might result in more advanced campaigns and increase the chances of successful reconnaissance.

Malicious actors do more than just steal credentials. If they have access to network settings, they might change current setups or add dishonest components, which could seriously damage company infrastructure. 

Unauthorized changes of this nature have the potential to cause serious service interruptions and security breaches, which emphasizes how important it is to protect digital assets with strong security procedures and increased awareness.

The gathered data might verify that personnel engaged in mission-critical IT administration and network engineering tasks are similarly susceptible to malicious programming. If their accounts are compromised, they could serve as "low-hanging fruit" for significant cyberattacks.

What are experts saying?

Resecurity's cybersecurity specialists have drawn attention to the growing threats posed by the Dark Web, where nefarious actors could take advantage of credential compromises held by network engineers, data center technicians, ISP/Telco engineers, IT infrastructure managers, and outsourcing firms that oversee networks for their corporate customers. 

Therefore, for highly skilled threat actors, this employee category represents a high-value target. Resecurity's Dark Web study highlighted the danger landscape by identifying several compromised network engineer credentials that could allow threat actors to access gateways.

How to Increase Your WiFi Speed in Five Simple Steps

 

If you're here, you're probably interested in learning how to boost your home WiFi speed. We expect the internet to function at steady speed as it has become a vital part of daily life. Otherwise, it may lead to frustration and perplexing communication breakdowns. 

This blog post discusses five ways to improve WiFi speed. Should everything else fail, you can try contacting your Internet Service Provider (ISP) to see if they can assist. Take a speed test first to make sure your speed matches the plan you signed up for before you begin troubleshooting. If not, see if any of the suggested fixes can be helpful by looking through this list. 

Update your router 

You can buy the fastest internet speed your ISP has to offer, but you won't be able to enjoy it if your hardware is outdated. Check to see if your router has the 802.11ac or 802.11ax label to ensure it is up to date. If it doesn't, you should definitely update your router!

Why? Modern routers are typically dual-band routers with multiple Ethernet ports and a maximum throughput of 10Gbps. Furthermore, unlike previous versions, they can operate on both the 5 GHz and 2.4 GHz frequencies simultaneously.

If you don't have a dual-band router, we recommend connecting to the 5 GHz frequency. The 2.4 frequency is slower and more susceptible to signal interference. 

Reboot your router frequently

If you call your ISP to improve your wireless speed, they will first instruct you to reboot the router. This helps to decongest the channels and remove any unnecessary information that has been saved, similar to how clearing cache and cookies can optimise your browser. 

The more devices you connect to your network, the more likely you will experience interference or congestion issues. Rebooting resolves some of these issues quickly and efficiently. 

Perform a virus scan 

Malware and viruses have the ability to reduce device performance and internet speed. Because of this, it's essential to regularly run virus scans on your computer and router if you want to boost WiFi speed. 

Any cyber threats to your home network will be automatically found and eliminated by an antivirus programme. Some internet service providers offer a free app that checks online traffic for threats to help their customers stay safe online. 

Consider your location and minimise signal interference 

The position of your router influences the strength of signal it emits. Think about the location of your router. Is your router securely tucked away in a corner or next to furniture? If so, your home's sluggish internet might be the result of that. 

Furthermore, the hardest materials for a wireless signal to pass through are metal and concrete, followed by brick, wood, and glass. Signal strength can be decreased even by positioning your router close to windows.

It is recommended to position your router in a room where you spend the most time using WiFi or in an open, central area of your house. Additionally, avoid putting it in an attic or basement at all costs. 

Purchase a better Internet plan and fibre internet 

If you've been unhappy with your WiFi speed, you can enhance it by switching your internet plan or service provider. For example, if you have a cable internet plan, consider switching to fibre. Fibre internet is the fastest, most stable, and secure type of internet connection. Furthermore, fibre internet provides greater bandwidth than cable or DSL connections, as well as symmetrical upload and download speeds.

Four Red Flags Warning You of a Hacked Wi-Fi Router

 

Wi-Fi has become a necessary component of our daily lives in today's hyperconnected society. Everything from watching movies online to doing our banking online depends on it. But this convenience also raises the possibility of cyberthreats, such as the hacking of our Wi-Fi routers. Numerous recent investigations have alerted billions of Wi-Fi customers to four warning signs that their routers may have been hijacked.
  1. Sluggish Performance: One of the first signs that your router may have been hacked is a noticeable decline in its performance. If your internet speed suddenly becomes slower than usual or if you experience frequent disconnections, it could be a red flag. Hackers often use compromised routers as a gateway to carry out their malicious activities, which can result in a significant drop in network performance.
  2. Unauthorized Access: If you have noticed any unfamiliar devices connected to your Wi-Fi network, it's a clear indication that your router's security may have been breached. Hackers gain unauthorized access to routers and connect their devices to snoop on your internet traffic, steal sensitive information, or launch further attacks on other connected devices.
  3. Unexpected Behavior: Another red flag of a hacked router is the occurrence of unusual or unexpected behavior. This could include your router's settings being changed without your knowledge or consent, strange error messages appearing, or unknown devices attempting to access your network. These abnormal activities should raise suspicion and prompt further investigation.
  4. Increased Data Usage: If you notice a sudden and significant increase in your monthly data usage, it could be a sign of a hacked router. Cybercriminals may use compromised routers to carry out activities such as distributing malware, participating in botnets, or mining cryptocurrencies, all of which can consume a substantial amount of data without your knowledge.

So, what can you do if you suspect your router has been hacked? Here are a few steps you can take to address the issue:
  • Change Router Passwords: Begin by changing the administrative password for your router. Use a strong, unique password that combines upper and lowercase letters, numbers, and special characters.
  • Update Firmware: Check if there are any available firmware updates for your router and install them promptly. Manufacturers often release updates to address security vulnerabilities and improve overall performance.
  • Enable Encryption: Ensure that your Wi-Fi network is encrypted with a strong security protocol, such as WPA2 or WPA3. This will help protect your network from unauthorized access.
  • Scan for Malware: Run a comprehensive antivirus and anti-malware scan on all devices connected to your network. This can help detect and remove any malware or malicious programs that may have been introduced through the hacked router.
  • Contact Your Internet Service Provider (ISP): If you suspect that your router has been compromised, reach out to your ISP for assistance. They can provide guidance and support in resolving the issue and may even replace the router if necessary.
Knowing the warning signs that suggest your router may have been compromised is essential. You can safeguard your private information, maintain a secure Wi-Fi network, and make sure that you and your family have a safer online experience by quickly recognizing and responding to these indicators. Take proactive measures to protect your router and the network's attached devices by being alert, educated, and cautious.

VPN Split Tunneling: A Better VPN Option?

 


As long as your VPN connection is encrypted, you can protect your privacy and security because you cannot see your IP address. A VPN is an application that offers users a secure tunnel through which they can send and receive data securely from and to their devices. 

A cybercriminal (crime ring, invasive advertiser, etc.) attempting to spy on your online activities so as to discover your VPN's IP address, instead of your own, which sabotages your privacy will be met with 'built-in encryption' which will prevent him from intercepting your traffic. 

Using a virtual private network can also be a great way to circumvent geographic restrictions on online content, allowing you to watch content that isn't available in your region or country.  

It would be extremely useful to have this feature while connected to a local area network (LAN), to be able to access foreign networks and at the same time protect bandwidth by accessing foreign networks. There is no need to worry about security threats when you are accessing a network printer or downloading sensitive files, for example.   

Due to the encryption applied to all data traveling through it, you may experience slower network speeds and bandwidth issues when using a VPN.

Split Tunneling - What Does it Mean? 

The splitting of tunnels is a feature that many VPN software providers offer so that you can choose which apps, services, and games connect to your VPN and which are connected to your standard Internet connection. An encryption-based VPN setup is different from regular VPN setups, which send all traffic on your system, regardless of its origins or destinations, through an encrypted tunnel on your system. Using split tunneling will allow you to use your standard connection when you wish to use your VPN and disable it when you desire additional security as you would need to do otherwise.  

Newer split tunneling techniques usually allow you to choose which apps you want to secure and which apps you want to leave open. It is possible to send some of the internet traffic through an encrypted VPN tunnel and allow the rest of it to travel through another tunnel that is available on the open internet through a VPN split tunnel connection. There is a default option in the settings of a VPN which routes 100% of the internet traffic through the VPN, but if you require higher speeds while encrypting certain data and being able to access the local devices, then splitting tunneling might be an option for you. 

You might find this to be a helpful feature if you are trying to keep some of your traffic private, yet at the same time want to maintain access to some device on your local network. Thus, you can have access to both local networks as well as foreign networks at the same time. Additionally, you can save some bandwidth in the process by using this method. 

The VPN Split Tunneling Process: How Does it Work?

Having the ability to split the tunnel through a VPN is a very useful feature because it allows you to select what data you wish to encrypt via a VPN and what data you wish to leave open for other users to see. Traditionally, a VPN is used to route your traffic over a private network through a tunnel that is encrypted to ensure integrity. 

Using VPN split tunneling, you can route some traffic from your applications or devices through a VPN. You can also point other applications or devices to the internet directly, while others are routed through an encrypted VPN.

If you want to enjoy the benefits of services that perform best when your location is recognized while enjoying the security of accessing potentially sensitive communications and data through this method, it may be particularly useful to you.  While considering this option, it is essential to keep in mind that there can be some security risks involved. 

Split tunneling is a technique that encrypts your traffic like a VPN and it comes with two main benefits: speed and security. The full tunnel option is the most secure because all traffic is routed through your VPN connection, making it the safest option; however, since there is so much traffic to be encrypted, it will also result in slower speeds. This is because when all traffic passes through headquarters, the infrastructure gets overloaded as well. 

Split tunneling allows you to only send a small amount of your traffic through a VPN, which means that things like video streaming and video calls will have better performance, and this will mean that the infrastructure in HQ will be under less strain because only part of your traffic goes through a VPN. 

Split tunneling is beneficial in terms of conserving bandwidth since it allows you to use less of it. You will be able to enjoy faster internet access by choosing certain applications to send traffic through the VPN server, which will not clog up your bandwidth as it will filter applications through the VPN server. 

It is planned to offer a complete split tunneling solution within the next few months as NordLayer works on this area. NordLayer is currently only able to assist us partially in resolving the use cases related to split tunneling. 

Split Tunneling is Advantageous for VPNs 

There may be a situation where VPN split tunneling is not a suitable choice for all organizations, but it is an option you can set up when setting up your VPN service. VPNs are often a problem for organizations with restricted bandwidth, primarily because the VPN is responsible for encrypting the data and sending it to a server located in another location at the same time. Without split tunneling, performance issues can result in the implementation of a virtual private network. 

Ensure Bandwidth Conservation

Split tunneling is a method that allows traffic that would have been encrypted on one tunnel to be sent through the other tunnel that is likely to transmit more slowly, as opposed to being encrypted by the VPN. In the case of routing traffic through a public network, there is no need to encrypt the traffic, which leads to improved performance. 

Connect Remote Workers Securely

Through a VPN, remote employees can have access to sensitive files and email that they would normally be unable to get to without a secure network connection. Additionally, their internet service provider (ISP) can also offer them access to other internet resources at a faster speed, allowing access to a wider variety of resources.

Developing a Network For the Local Area Network (LAN)

A VPN may prevent you from accessing your LAN when connected to it through encryption. Split tunneling allows you to use LAN resources like printers, while still utilizing VPN security and also having access to local resources like printers through your local network. 

Without the use of foreign IP addresses, stream content 

The ability to stream YouTube videos while traveling abroad is a very convenient way to get access to web services that rely on an IP address local to that area of the globe. When the split tunneling feature is enabled on the VPN, you will be able to use websites and search engines that work better when they know your location in your home country, and you will be able to access content in your home country by connecting to your VPN.

Metador APT is Lurking ISPs and Telecom Entities

Researchers at SentinelLabs have discovered a threat actor identified as Metador which primarily targets universities, ISPs, and telecommunications in various Middle Eastern and African nations.

SentintelLabs researchers dubbed the organization Metador after the phrase 'I am meta' that exists in the malicious code as well as the fact that the server messages are often in Spanish. As per the findings revealed at the first-ever LabsCon security conference, the group is thought to have started operating in December 2020, but throughout the past few years, it has managed to remain undetected. 

SentinelLabs senior director Juan Andrés Guerrero-Saade claimed that despite sharing information on Metador with experts at other security companies and government partners, no one was aware of the group.

SentinelLabs researchers found Metador in a Middle Eastern telecommunications business that had been hacked by roughly ten threat actors, including Moshen Dragon and MuddyWater, who all hail from China and Iran. Metador's goal appears to be long-term espionage inventiveness. 

Along with two incredibly complex Windows-based viruses  "metaMain" and "Mafalda," that the gang uses – there are clues of Linux malware, according to the researchers at SentinelLabs.

The attackers loaded both malware into memory and decrypted it using the Windows debugging tool "cdb.exe."

Mafalda is a versatile implant that can support up to 67 commands. Threat actors have regularly updated it, and the more recent iterations of the threat are heavily disguised. The attacker can maintain a persistent connection, log keystrokes, download and upload arbitrary files, and run shellcode thanks to the robust feature set of metaMain, which is used independently.

Mafalda gained support for 13 new commands among two variations that were produced in April and December 2021, adding possibilities for credential theft, network espionage, and file system manipulation. This is proof that Mafalda is being actively developed by its developers.

Attack chains have also included unidentified Linux malware that is used to collect data from the infected environment and send it back to Mafalda. The intrusions' entrance vector has not yet been identified.

Running into Metador is a serious reminder that another category of threat actors still operates covertly and without consequence. Security product creators should seize the chance to actively design their products to keep an eye out for the most sophisticated, well-funded hackers.



Cloudflare Blocks a  DDoS Attack with 15 million Requests Per Second

 

On Wednesday, Cloudflare, an internet infrastructure company, revealed it has successfully resisted one of the largest volumetric distributed denials of service (DDoS) attacks ever seen. A DDoS attack with a pace of 15.3 million requests per second (rps) was discovered and handled earlier this month, making it one of the greatest HTTPS DDoS attacks ever. 

According to Cloudflare's Omer Yoachimik and Julien Desgats, "HTTPS DDoS assaults are more pricey of necessary computational resources due to the increased cost of establishing a secure TLS encrypted connection." "As a result, the attacker pays more to launch the assault, and the victim pays more to mitigate it. Traditional bandwidth DDoS assaults, in which attackers seek to exhaust and jam the victim's internet connection bandwidth, are different from volumetric DDoS attacks. Instead, attackers concentrate on sending as many spam HTTP requests as possible to a victim's server to consume valuable server CPU and RAM and prevent legitimate visitors from accessing targeted sites."

Cloudflare previously announced it mitigated the world's largest DDoS attack in August 2021, once it countered a 17.2 million HTTP requests per second (rps) attack, which the company described as nearly three times larger than any prior volumetric DDoS attack ever observed in the public domain. As per Cloudflare, the current attack was launched from a botnet including about 6,000 unique infected devices, with Indonesia accounting for 15% of the attack traffic, trailed by Russia, Brazil, India, Colombia, and the United States. 

"What's intriguing is the majority of the attacks came from data centers," Yoachimik and Desgats pointed out. "We're seeing a significant shift away from residential network Internet Service Providers (ISPs) and towards cloud compute ISPs." According to Cloudflare, the attack was directed at a "crypto launchpad," which is "used to showcase Decentralized Finance projects to potential investors." 

Amazon Web Services recorded the largest bandwidth DDoS assault ever at 2.3 terabytes per second (Tbps) in February 2020. In addition, cybersecurity firm Kaspersky reported this week about the number of DDoS attacks increased 4.5 times year over year in the first quarter of 2022, owing partly to Russia's invasion of Ukraine.

Hackers from China's 'Mustang Panda' were Utilizing New 'Hodur' Malware

 

Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta), a China-based advanced persistent threat (APT), has been traced to an ongoing cyberattack campaign using a formerly undocumented variation of the PlugX remote access trojan on affected workstations mostly in and around Southeast Asia. For its similarities to another PlugX (aka Korplug) variation called THOR which surfaced in July 2021, slovak cybersecurity firm ESET termed the current version Hodur. 

Korplug is a proprietary virus used widely, it was initially uncovered in a 2020 investigation that looked into Chinese hackers' activities against Australian targets. Mustang Panda employs phishing lures with counterfeit papers to target European embassies, ISPs (Internet Service Providers), and research institutes in the most recent known campaign, according to cybersecurity firm ESET. "Anti-analysis measures and control-flow obfuscation are used at every level of the deployment process," the firm told.

Hodur is based on PlugX, a remote access tool that "allows remote users to steal data or take control of impacted systems without authorization. It can copy, move, rename, execute, and delete files, as well as log keystrokes and fingerprint the infected system." The infections end with the implementation of the Hodur backdoor on the infected Windows host, irrespective of the phishing lure used. 

As formerly stated, the campaign begins simply, with the group phishing its targets using current events. Proofpoint identified it using a NATO diplomat's email address to send out.ZIP and.EXE files labeled "Situation at the EU Borders with Ukraine" last month. If a victim accepts the bait, a legitimate, properly signed executable prone to DLL search-order hijacking will be delivered. Russia, Greece, Cyprus, South Africa, Vietnam, Mongolia, Myanmar, and South Sudan are the countries targeted in this campaign. 

ESET claims to have sampled sophisticated custom loaders as well as new Korplug (Hodur) versions still using DLL side-loading but has considerably more robust obfuscation and anti-analysis techniques across the infection chain. The side-loading custom DLL loader uses a digitally-signed genuine executable, in this case, a SmadAV file, and leverages a known flaw. Except for one, which loads the new Korplug variation, the loader's many functions are all fake. 

As it is a Chinese actor with a history of pursuing higher political espionage purposes, the scope of its targeting should be rather consistent.

Viasat Claims Delay on a "Cyber Event"

 

Viasat Inc., an American communications provider, claims its satellite internet services in Ukraine and Europe are being disrupted by a "cyber incident." 

Based in Carlsbad, California, Viasat offers high-speed satellite broadband access and secure networking systems to military and commercial customers throughout the United States and around the world. The problem stems from Viasat's purchase of the Ka-SAT satellite from the satellite's launcher and former owner, Eutelsat, in April 2021. 

"While we attempt to restore service to affected consumers, we're also looking into and evaluating our European network and systems to figure out what's causing the problem. We're also putting further network safeguards in place to avoid any further consequences." authorities stated. 

According to the firm, the interruption began on February 24, the day Russia invaded Ukraine, and it contacted "law enforcement and government partners," adding it had "no indication of consumer data is implicated." In a statement to PaxEx.Aero, another ISP, Germany-based EUSANET, the company said it was suffering problems as well. 

An insider told British news channel Sky News that the interruptions were triggered by a distributed denial of service (DDoS) attack. The number of Viasat users in Ukraine is unknown, and the firm has declined to specify how many are affected. Subsequently, Viasat's stock was up 3.5 percent in lunchtime trade Monday, trading at around $45. 

To optimize service area, Viasat operates huge satellites in geosynchronous orbit, which means people are stationary at a location roughly 35,000 kilometers from Earth.

This is the conventional method of providing broadband access from space, but a number of businesses, including SpaceX's Starlink, are investing in constructing networks in low-Earth orbit which use hundreds or thousands of satellites.

Personal Information of 2,000 FOID Cardholders Compromised in ISP Website Breach

 

The Illinois State Police are notifying Firearm Owners Identification cardholders regarding a possible data breach after attackers attempted to breach the agency's Police FOID card portal.

According to ISP officials, the personal information of about 2,000 FOID cardholders, or about .0008% of the total number of FOID cardholders in the state, may have been compromised in the attempted hack. Those people will be contacted, the agency said in a news release.

“The software vendor determined that using previously stolen personal data to access existing accounts, unauthorized users may or may not have accessed additional “auto-populated” personal identifiers unique to that account and card such as the last four of a social security number. 2,067 FOID card holders, less than .0008 % of total cardholders, were possibly impacted by these attempts. In accordance with state law and out of an abundance of caution, all affected persons were sent a notice and issued a new card at no cost, according to the news release.

The ISP has strengthened its online security requirements and is limiting the use and access of personal information that FOID card applicants submit in their online FOID account that could match Illinois resident personal identification information unlawfully obtained from any number of previous cyber breaches. The personal information did not come from their systems and servers, ISP officials said after an investigation. 

The FOID website software vendor, working with ISP, recently determined unauthorized persons were attempting to use this type of previously unlawfully obtained personal information to match with and access existing FOID online account information to add further detail to their existing stolen data, the release read. 

The site is back online and is accepting applications. The residents who want to buy and own firearms and ammunition possess a Firearm Owners Identification card issued by Illinois State Police. For more than 18 months, the state has been delayed in processing applications for the required ID, with many waiting months, the agency said. 

“I’d rather there not be a database somewhere of gun owners and their addresses. It doesn’t take that much imagination to figure out how that information can be used in ways that increase the risk to those persons,” Cybersecurity consultant John Bambenek said while raising questions regarding cybersecurity.