
Hackers Breach ISP to Poison Software Updates With Malware


A Chinese hacking group, known as StormBamboo, has compromised an internet service provider (ISP) to distribute malware through automatic software updates. This cyber-espionage group, also called Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting organizations in China, Hong Kong, Macao, Nigeria, and various countries in Southeast and East Asia. 

On Friday, cybersecurity researchers from Volexity revealed that StormBamboo exploited insecure software update mechanisms that did not verify digital signatures. This allowed the group to deploy malware on Windows and macOS devices instead of the intended updates. 

They did this by intercepting and modifying DNS requests, directing them to malicious IP addresses. This method delivered malware from their command-and-control servers without needing user interaction. 

"Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware. Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped," the researchers added. 

For example, StormBamboo hijacked 5KPlayer update requests to push a backdoored installer from its own servers. Once the target's system was compromised, the attackers installed a malicious Google Chrome extension, ReloadText, which stole browser cookies and email data. Volexity found that StormBamboo targeted multiple software vendors with insecure update processes and worked with the ISP to investigate; the DNS poisoning stopped as soon as the affected network components were rebooted.
In April 2023, ESET researchers observed StormBamboo using the Pocostick (MGBot) Windows backdoor by exploiting the update mechanism for Tencent QQ. In July 2024, Symantec found the group targeting an American NGO in China and several organizations in Taiwan with new Macma macOS and Nightdoor Windows malware versions. 

Although the exact method was unclear, it was suspected to be a supply chain or adversary-in-the-middle attack. This incident highlights the importance of secure update mechanisms to prevent such cyber-attacks.
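The check that was missing from the update mechanisms Volexity describes, as an added example rather than Volexity's, 5KPlayer's or any vendor's code: a Go updater that pins the vendor's Ed25519 public key and refuses to run a download unless a signed manifest verifies and the installer's SHA-256 matches it. The product name "example-player", the key pair and the installer bytes are constructed for the demo; an attacker who redirects the download host via poisoned DNS can swap the file but cannot produce a signature the pinned key accepts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata a vendor publishes alongside an installer. The vendor
// signs the canonical manifest bytes in its release pipeline; the client ships with
// the vendor's public key pinned, so a download host reached through poisoned DNS
// cannot produce a valid signature for a swapped installer.
type Manifest struct {
	Product string
	Version string
	SHA256  string // hex SHA-256 digest of the installer bytes
}

// canonical returns the exact byte string that is signed and later verified.
func (m Manifest) canonical() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest is the vendor-side step; the private key never sits on the update server.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned key")
	ErrDigestMismatch = errors.New("installer digest does not match the signed manifest")
)

// VerifyUpdate is the check an auto-updater must pass before executing anything it
// downloaded: first the manifest signature against the pinned key, then the installer
// digest against the signed manifest. Either failure aborts the update.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinnedPub, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario replays three outcomes with constructed sample data: the genuine update, a
// swapped installer served with the vendor's manifest, and a manifest rewritten to match
// the swapped installer but signed with a key that is not the pinned one.
func Scenario() (genuineOK bool, swappedErr, forgedErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (generated for the demo)
	genuine := []byte("constructed sample installer bytes, version 2.0")
	d := sha256.Sum256(genuine)
	m := Manifest{Product: "example-player", Version: "2.0", SHA256: hex.EncodeToString(d[:])}
	sig := SignManifest(priv, m)
	genuineOK = VerifyUpdate(pub, m, sig, genuine) == nil

	swapped := []byte("constructed sample installer bytes, modified")
	swappedErr = VerifyUpdate(pub, m, sig, swapped)

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the client does not trust
	sd := sha256.Sum256(swapped)
	forged := Manifest{Product: m.Product, Version: "2.1", SHA256: hex.EncodeToString(sd[:])}
	forgedErr = VerifyUpdate(pub, forged, SignManifest(otherPriv, forged), swapped)
	return genuineOK, swappedErr, forgedErr
}

func main() {
	ok, swappedErr, forgedErr := Scenario()
	fmt.Println("genuine update accepted:", ok)
	fmt.Println("swapped installer:", swappedErr)
	fmt.Println("manifest signed with untrusted key:", forgedErr)
}
```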

Google Backs Messaging Layer Security for Enhanced Privacy and Interoperability


In 2023, Google pledged its support for Messaging Layer Security (MLS), a protocol designed to provide practical interoperability across various messaging services while scaling efficiently to accommodate large groups. This move marks a significant step towards enhancing security and privacy across platforms. Although Google has not officially announced the timeline for adopting MLS, references to the standard have been found in a recent Google Messages build, suggesting that its implementation might be on the horizon. 

To appreciate the significance of MLS, it is essential to understand the basics of end-to-end encryption (E2EE). E2EE ensures secure communication by preventing unauthorized entities, such as hackers and internet service providers (ISPs), from accessing data. In asymmetric or public key encryption, both parties possess a public and a private key. The public key is available to anyone and is used to encrypt messages, while the private key, which is much harder to crack, is used to decrypt them. 

Despite its advantages in providing privacy, security, and data integrity, E2EE has its shortcomings. If security is compromised at either the sender’s or receiver’s end, malicious actors can intercept the public key, allowing them to eavesdrop on conversations or impersonate one of the parties. Additionally, E2EE does not conceal metadata, which can be exploited to gather information about the communication.

Messaging Layer Security (MLS) is a standard proposed by the Internet Engineering Task Force (IETF) that offers enhanced security for communication groups, ranging from small to large sizes. While popular messaging services typically use E2EE for one-on-one chats, group chats present a unique challenge. MLS addresses this by using sender keys over secure channels to provide forward secrecy, meaning that the theft of a single key does not compromise the rest of the data. The protocol is based on asynchronous ratcheting trees (ART), which enable group members to derive and update shared keys. This tree structure approach ensures forward secrecy, post-compromise security, scalability, and message integrity, even as group sizes increase.
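To make the tree idea concrete, here is an added example (not Google's, the IETF's or any MLS library's code) of a simplified ratchet-tree update in Go: one member refreshes its leaf secret, and each other member receives only the secret for its lowest common ancestor with the updater and derives the new root from it, so the cost per update is O(log n). It substitutes HMAC-SHA256 for MLS's labelled HKDF and plaintext delivery for HPKE encryption; the names View, Update, Receive and Scenario are the example's own.

```go
package main
import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// kdf stands in for the labelled HKDF derivations MLS uses: HMAC-SHA256(secret, label).
func kdf(secret []byte, label string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// View is one member's copy of a complete binary ratchet tree with n leaves (n a power
// of two) stored as an array: leaves sit at n..2n-1, node i has parent i/2 and sibling
// i^1, and node 1 is the root. A member only ever learns secrets on its own direct path.
type View struct {
	n, member int
	secrets   [][]byte // index 0 unused; nil means unknown to this member
}

// Root is this member's current group secret, from which an epoch's message keys derive.
func (v *View) Root() []byte { return v.secrets[1] }

// deriveUp fills in every ancestor of node from the secret already stored at node.
func (v *View) deriveUp(node int) {
	for ; node > 1; node /= 2 {
		v.secrets[node/2] = kdf(v.secrets[node], "path")
	}
}

// Update is the ratchet step one member performs: sample a fresh leaf secret and derive a
// new secret for every ancestor up to the root. Each ancestor's secret is returned keyed by
// its copath child, the sibling subtree that needs it. In MLS that secret is HPKE-encrypted
// to the subtree's key; here the map models the ciphertexts and Receive enforces who may read.
func (v *View) Update() map[int][]byte {
	leaf := v.n + v.member
	v.secrets[leaf] = make([]byte, 32)
	rand.Read(v.secrets[leaf]) // fresh leaf secret; the old one is never used again
	v.deriveUp(leaf)
	out := map[int][]byte{}
	for node := leaf; node > 1; node /= 2 {
		out[node^1] = v.secrets[node/2]
	}
	return out
}

// Receive is what every other member does: take the one entry addressed to a subtree that
// contains its own leaf (its lowest common ancestor with the updater), store it and derive
// upward. Nothing below that ancestor on the updater's side becomes known; work is O(log n).
func (v *View) Receive(path map[int][]byte) bool {
	for node := v.n + v.member; node > 1; node /= 2 {
		if s, ok := path[node]; ok {
			v.secrets[node/2] = s
			v.deriveUp(node / 2)
			return true
		}
	}
	return false
}

// Scenario runs one update by member 2 in a group of eight (constructed demo data) and
// reports whether all members agree on the root, how many secrets the updater had to send
// (log2 n = 3), and whether any other member learned the updater's new leaf secret.
func Scenario() (allAgree bool, sent int, leafLeaked bool) {
	const n, updater = 8, 2
	views := make([]*View, n)
	for i := range views {
		views[i] = &View{n: n, member: i, secrets: make([][]byte, 2*n)}
	}
	path := views[updater].Update()
	sent, allAgree = len(path), true
	for i, v := range views {
		if i == updater {
			continue
		}
		agree := v.Receive(path) && string(v.Root()) == string(views[updater].Root())
		allAgree = allAgree && agree
		leafLeaked = leafLeaked || v.secrets[n+updater] != nil
	}
	return allAgree, sent, leafLeaked
}

func main() {
	agree, sent, leaked := Scenario()
	fmt.Printf("all members share root: %v, secrets sent: %d, updater leaf leaked: %v\n", agree, sent, leaked)
}
```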

Google Messages, the default messaging app on most Android phones, currently uses Rich Communication Services (RCS) to offer features like encrypted chats, read receipts, high-resolution media sharing, typing indicators, and emoji reactions. Although the Universal Profile version used by Google Messages does not support E2EE, it uses the Signal Protocol as a workaround for security. Recent APK teardowns of Google Messages have revealed code snippets mentioning MLS, hinting that Google might incorporate this feature in future updates. 

If MLS becomes the default security layer in Google Messages, it will significantly enhance the app’s security and interoperability. Google’s adoption of MLS could set a precedent for other messaging services, promoting better interoperability and security across communication apps. This move might also influence how Apple integrates RCS in iOS. With iOS 18 set to support the RCS Universal Profile 2.4 for messaging without E2EE, Apple may need to consider adopting MLS to stay competitive in offering secure communication. 

As Google prepares to implement MLS, we can expect a push towards standardizing communication protocols. Google Messages already offers features like auto spam detection, photomojis, and cross-device compatibility, making it a robust choice for staying connected. Should MLS be integrated, users can look forward to even more secure and private messaging experiences.

Korean ISP Accused of Installing Malware to Block Torrent Traffic


A major scandal has emerged in South Korea, where the internet service provider KT is accused of intentionally installing malware on the computers of 600,000 subscribers. This invasive action was reportedly designed to interfere with and block torrent traffic, a move driven by the financial pressures associated with the high bandwidth costs of torrenting. This revelation has significant implications for user privacy and the ethics of ISP practices. 

According to an investigative report by Korean outlet JTBC, KT—formerly known as Korea Telecom—took extreme measures to combat torrenting. Despite a decrease in filesharing traffic over the years, torrenting remains popular in South Korea, particularly through Web Hard Drive services (Webhard). These services use the BitTorrent-enabled ‘Grid System’ to keep files available, leading to significant bandwidth usage that caught the attention of ISPs like KT. KT, one of the largest ISPs in South Korea, had previously been involved in a court case in 2020 over throttling user traffic, citing network management costs.

The court ruled in KT’s favor, but new reports indicate the company went beyond merely slowing downloads. Around four years ago, Webhard users, all of them KT subscribers, began experiencing unexplained errors and service outages. JTBC’s investigation found that KT had installed malware on these users’ computers, causing the disruptions. A dedicated team at KT, with sections for malware development, distribution and operation, and wiretapping, allegedly planted the malware to eavesdrop on subscribers and interfere with their file transfers. The malware not only limited torrent traffic but also allowed the ISP to access and alter data on users’ computers, raising serious legal and ethical concerns.

The Gyeonggi Southern District Police Office, after conducting a search and seizure of KT’s data center and headquarters, believes the company may have violated the Communications Secrets Protection Act and the Information and Communications Network Act. In November last year, police identified 13 people of interest, including KT employees and employees of partner companies. 

The investigation is ongoing, with a supplementary probe continuing since last month. KT’s actions, ostensibly aimed at reducing network management costs, now appear likely to result in significant legal repercussions and potential financial losses. This case highlights the need for stricter regulatory oversight and transparency in ISP practices to protect consumer privacy and maintain trust.

Hundreds of Network Operators' Credentials Compromised on Dark Web


Leaked credentials of RIPE, APNIC, AFRINIC, and LACNIC are available on the Dark Web

After doing a comprehensive scan of the Dark Web, Resecurity discovered that info stealer infections had compromised over 1,572 customers of RIPE, the Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC), and the Latin America and Caribbean Network Information Center (LACNIC). 

Included in this number are new artifacts and historical records discovered in January 2024 through an examination of underground marketplaces and Command and Control (C2) servers. In light of the highly disruptive hack that occurred recently against telecom provider Orange España, the cybersecurity community should reconsider how it protects the digital identities of employees who work in network engineering and IT infrastructure management.

Victims whose credentials were revealed on the Dark Web by info stealers such as Azorult, Redline, Vidar, Lumma, and Taurus have been alerted by Resecurity. 

Cybersecurity experts were able to compile the following data using the feedback that was gathered:

  • 16% of respondents were already aware that their accounts had been compromised by a malicious code infection, had made the required password changes, and had enabled two-factor authentication.
  • The remaining 45% did not know their credentials had been compromised and confirmed that they had since changed their password successfully.
  • 14% knew of the compromised credentials but did not activate 2FA until they were notified (statement received).
  • 20% of respondents agreed that further investigation into the incident that compromised the credentials was necessary.
  • 5% of the recipients were unable to offer any comments.

Cyberespionage organizations active

Notably, most of the compromised network administrators used email addresses registered with free services like Gmail, GMX, and Yahoo. Cyberespionage organizations that are intensely focused on particular targets, including network administrators and their social networks, may find great value in these facts. Knowing their private email addresses might enable more advanced campaigns and increase the chances of successful reconnaissance.

Malicious actors do more than just steal credentials. If they gain access to network settings, they might change current configurations or add malicious components, which could seriously damage company infrastructure.

Unauthorized changes of this nature have the potential to cause serious service interruptions and security breaches, which emphasizes how important it is to protect digital assets with strong security procedures and increased awareness.

The gathered data suggests that personnel engaged in mission-critical IT administration and network engineering tasks are just as susceptible to malicious software as anyone else. If their accounts are compromised, they could serve as "low-hanging fruit" for significant cyberattacks.

What are experts saying?

Resecurity's cybersecurity specialists have drawn attention to the growing threats posed by the Dark Web, where nefarious actors could take advantage of credential compromises held by network engineers, data center technicians, ISP/Telco engineers, IT infrastructure managers, and outsourcing firms that oversee networks for their corporate customers. 

Therefore, for highly skilled threat actors, this employee category represents a high-value target. Resecurity's Dark Web study illustrated the threat landscape by identifying several compromised network engineer credentials that could allow threat actors to access gateways.

How to Increase Your WiFi Speed in Five Simple Steps


If you're here, you're probably interested in learning how to boost your home WiFi speed. Because the internet has become a vital part of daily life, we expect it to work at a steady speed; when it doesn't, the result is frustration and puzzling communication breakdowns.

This blog post discusses five ways to improve WiFi speed. Should everything else fail, you can try contacting your Internet Service Provider (ISP) to see if they can assist. Take a speed test first to make sure your speed matches the plan you signed up for before you begin troubleshooting. If not, see if any of the suggested fixes can be helpful by looking through this list. 

Update your router 

You can buy the fastest internet speed your ISP has to offer, but you won't be able to enjoy it if your hardware is outdated. Check to see if your router has the 802.11ac or 802.11ax label to ensure it is up to date. If it doesn't, you should definitely update your router!

Why? Modern routers are typically dual-band routers with multiple Ethernet ports and a maximum throughput of 10Gbps. Furthermore, unlike previous versions, they can operate on both the 5 GHz and 2.4 GHz frequencies simultaneously.

If you have a dual-band router, we recommend connecting to the 5 GHz band. The 2.4 GHz band is slower and more susceptible to signal interference.

Reboot your router frequently

If you call your ISP to improve your wireless speed, they will first instruct you to reboot the router. This helps to decongest the channels and remove any unnecessary information that has been saved, similar to how clearing cache and cookies can optimise your browser. 

The more devices you connect to your network, the more likely you will experience interference or congestion issues. Rebooting resolves some of these issues quickly and efficiently. 

Perform a virus scan 

Malware and viruses have the ability to reduce device performance and internet speed. Because of this, it's essential to regularly run virus scans on your computer and router if you want to boost WiFi speed. 

Any cyber threats to your home network will be automatically found and eliminated by an antivirus programme. Some internet service providers offer a free app that checks online traffic for threats to help their customers stay safe online. 

Consider your location and minimise signal interference 

The position of your router influences the strength of signal it emits. Think about the location of your router. Is your router securely tucked away in a corner or next to furniture? If so, your home's sluggish internet might be the result of that. 

Furthermore, the hardest materials for a wireless signal to pass through are metal and concrete, followed by brick, wood, and glass. Signal strength can be decreased even by positioning your router close to windows.

It is recommended to position your router in a room where you spend the most time using WiFi or in an open, central area of your house. Additionally, avoid putting it in an attic or basement at all costs. 

Purchase a better Internet plan and fibre internet 

If you've been unhappy with your WiFi speed, you can enhance it by switching your internet plan or service provider. For example, if you have a cable internet plan, consider switching to fibre. Fibre internet is the fastest, most stable, and secure type of internet connection. Furthermore, fibre internet provides greater bandwidth than cable or DSL connections, as well as symmetrical upload and download speeds.

Four Red Flags Warning You of a Hacked Wi-Fi Router


Wi-Fi has become a necessary component of our daily lives in today's hyperconnected society. Everything from watching movies online to doing our banking online depends on it. But this convenience also raises the possibility of cyberthreats, such as the hacking of our Wi-Fi routers. Numerous recent investigations have alerted billions of Wi-Fi customers to four warning signs that their routers may have been hijacked.
  1. Sluggish Performance: One of the first signs that your router may have been hacked is a noticeable decline in its performance. If your internet speed suddenly becomes slower than usual or if you experience frequent disconnections, it could be a red flag. Hackers often use compromised routers as a gateway to carry out their malicious activities, which can result in a significant drop in network performance.
  2. Unauthorized Access: If you have noticed any unfamiliar devices connected to your Wi-Fi network, it's a clear indication that your router's security may have been breached. Hackers gain unauthorized access to routers and connect their devices to snoop on your internet traffic, steal sensitive information, or launch further attacks on other connected devices.
  3. Unexpected Behavior: Another red flag of a hacked router is the occurrence of unusual or unexpected behavior. This could include your router's settings being changed without your knowledge or consent, strange error messages appearing, or unknown devices attempting to access your network. These abnormal activities should raise suspicion and prompt further investigation.
  4. Increased Data Usage: If you notice a sudden and significant increase in your monthly data usage, it could be a sign of a hacked router. Cybercriminals may use compromised routers to carry out activities such as distributing malware, participating in botnets, or mining cryptocurrencies, all of which can consume a substantial amount of data without your knowledge.

So, what can you do if you suspect your router has been hacked? Here are a few steps you can take to address the issue:
  • Change Router Passwords: Begin by changing the administrative password for your router. Use a strong, unique password that combines upper and lowercase letters, numbers, and special characters.
  • Update Firmware: Check if there are any available firmware updates for your router and install them promptly. Manufacturers often release updates to address security vulnerabilities and improve overall performance.
  • Enable Encryption: Ensure that your Wi-Fi network is encrypted with a strong security protocol, such as WPA2 or WPA3. This will help protect your network from unauthorized access.
  • Scan for Malware: Run a comprehensive antivirus and anti-malware scan on all devices connected to your network. This can help detect and remove any malware or malicious programs that may have been introduced through the hacked router.
  • Contact Your Internet Service Provider (ISP): If you suspect that your router has been compromised, reach out to your ISP for assistance. They can provide guidance and support in resolving the issue and may even replace the router if necessary.

Knowing the warning signs that suggest your router may have been compromised is essential. You can safeguard your private information, maintain a secure Wi-Fi network, and make sure that you and your family have a safer online experience by quickly recognizing and responding to these indicators. Take proactive measures to protect your router and the network's attached devices by being alert, educated, and cautious.

VPN Split Tunneling: A Better VPN Option?

Because a VPN connection is encrypted, it protects your privacy and security: outside observers cannot see your real IP address. A VPN is an application that offers users a secure tunnel through which they can send and receive data securely from and to their devices.

A cybercriminal (crime ring, invasive advertiser, etc.) attempting to spy on your online activities will discover your VPN's IP address instead of your own, and the VPN's 'built-in encryption' will prevent them from intercepting your traffic.

Using a virtual private network can also be a great way to circumvent geographic restrictions on online content, allowing you to watch content that isn't available in your region or country.  

It would also be extremely useful to have this kind of feature while connected to a local area network (LAN), so that you can reach remote networks and local resources at the same time and conserve bandwidth. There is no need to worry about security threats when you are accessing a network printer or downloading sensitive files locally, for example.

Due to the encryption applied to all data traveling through it, you may experience slower network speeds and bandwidth issues when using a VPN.

Split Tunneling - What Does it Mean? 

Split tunneling is a feature that many VPN software providers offer so that you can choose which apps, services, and games connect through your VPN and which use your standard Internet connection. This differs from a regular VPN setup, which sends all traffic on your system, regardless of its origin or destination, through the encrypted tunnel. With split tunneling you can use your standard connection for some traffic while keeping the VPN for the traffic that needs additional security, instead of having to disable the VPN whenever you want a direct connection.

Newer split tunneling implementations usually let you choose which apps you want to secure and which apps you want to leave open. Some of your internet traffic is sent through the encrypted VPN tunnel while the rest travels directly over the open internet. A VPN's default setting routes 100% of your internet traffic through the VPN, but if you require higher speeds while still encrypting certain data and keeping access to local devices, split tunneling might be the option for you.

You might find this to be a helpful feature if you are trying to keep some of your traffic private, yet at the same time want to maintain access to some device on your local network. Thus, you can have access to both local networks as well as foreign networks at the same time. Additionally, you can save some bandwidth in the process by using this method. 

The VPN Split Tunneling Process: How Does it Work?

Being able to split the tunnel through a VPN is a very useful feature because it lets you select which data to encrypt via the VPN and which data to leave unencrypted on your regular connection. Traditionally, a VPN routes all of your traffic over a private network through an encrypted tunnel to ensure integrity.

Using VPN split tunneling, you can route some traffic from your applications or devices through a VPN. You can also point other applications or devices to the internet directly, while others are routed through an encrypted VPN.

If you want to enjoy the benefits of services that perform best when your location is recognized while enjoying the security of accessing potentially sensitive communications and data through this method, it may be particularly useful to you.  While considering this option, it is essential to keep in mind that there can be some security risks involved. 

Split tunneling encrypts the selected traffic just as a full VPN does, and it brings two main benefits: speed and security. The full tunnel option, where all traffic is routed through the VPN connection, is the most secure; however, because so much traffic has to be encrypted, it also results in slower speeds, and when all traffic passes through headquarters the infrastructure there becomes overloaded as well.

Split tunneling allows you to only send a small amount of your traffic through a VPN, which means that things like video streaming and video calls will have better performance, and this will mean that the infrastructure in HQ will be under less strain because only part of your traffic goes through a VPN. 

Split tunneling also conserves bandwidth. By choosing which applications send their traffic through the VPN server, you keep the rest of your traffic off the tunnel, so the VPN no longer clogs up your bandwidth and you enjoy faster internet access.

NordLayer is working on this area and plans to offer a complete split tunneling solution within the next few months; for now, it can only partially help us resolve the use cases related to split tunneling.

Split Tunneling is Advantageous for VPNs 

VPN split tunneling may not be a suitable choice for every organization, but it is an option you can configure when setting up your VPN service. VPNs are often a problem for organizations with restricted bandwidth, primarily because the VPN has to encrypt the data and send it to a server located in another location at the same time. Without split tunneling, implementing a virtual private network can result in performance issues.

Ensure Bandwidth Conservation

Split tunneling lets traffic that does not need the VPN bypass the encrypted tunnel, which is the slower path, and travel over the regular connection instead. When traffic is destined for a public network, there is no need for the VPN to encrypt it, which leads to improved performance.

Connect Remote Workers Securely

Through a VPN, remote employees can access sensitive files and email that they would normally be unable to reach without a secure network connection. At the same time, their internet service provider (ISP) can give them faster access to other internet resources, opening up a wider variety of resources.

Keeping Access to the Local Area Network (LAN)

A VPN's encryption may prevent you from accessing your LAN while you are connected to it. Split tunneling lets you keep the VPN's security for remote traffic while still reaching local resources such as printers through your local network.

Stream Content Without a Foreign IP Address

The ability to stream YouTube videos while traveling abroad is a very convenient way to get access to web services that rely on an IP address local to that area of the globe. When the split tunneling feature is enabled on the VPN, you will be able to use websites and search engines that work better when they know your location in your home country, and you will be able to access content in your home country by connecting to your VPN.

Metador APT is Lurking in ISPs and Telecom Entities

Researchers at SentinelLabs have discovered a threat actor identified as Metador which primarily targets universities, ISPs, and telecommunications in various Middle Eastern and African nations.

SentinelLabs researchers dubbed the group Metador after the phrase 'I am meta' found in the malicious code, together with the fact that the server messages are often in Spanish. According to findings revealed at the first-ever LabsCon security conference, the group is thought to have been operating since December 2020, yet throughout the past few years it has managed to remain undetected.

SentinelLabs senior director Juan Andrés Guerrero-Saade claimed that despite sharing information on Metador with experts at other security companies and government partners, no one was aware of the group.

SentinelLabs researchers found Metador in a Middle Eastern telecommunications company that had been compromised by roughly ten threat actors, including Moshen Dragon and MuddyWater, groups that hail from China and Iran. Metador's goal appears to be long-term espionage.

Along with the two highly complex pieces of Windows malware the group uses, "metaMain" and "Mafalda", the SentinelLabs researchers found clues of Linux malware.

The attackers loaded both implants into memory and decrypted them using the Windows debugging tool "cdb.exe".

Mafalda is a versatile implant that can support up to 67 commands. Threat actors have regularly updated it, and the more recent iterations of the threat are heavily disguised. The attacker can maintain a persistent connection, log keystrokes, download and upload arbitrary files, and run shellcode thanks to the robust feature set of metaMain, which is used independently.

Mafalda gained support for 13 new commands across two variants produced in April and December 2021, adding capabilities for credential theft, network espionage, and file system manipulation. This shows that Mafalda is under active development.

Attack chains have also included unidentified Linux malware used to collect data from the infected environment and send it back to Mafalda. The initial entry vector of the intrusions has not yet been identified.

Running into Metador is a serious reminder that another category of threat actors still operates covertly and without consequence. Security product creators should seize the chance to actively design their products to keep an eye out for the most sophisticated, well-funded hackers.