
Windows PCs at Risk as SteelFox Malware Targets Driver Vulnerabilities


Security researchers have warned that attackers are using malware to compromise Windows systems in order to mine cryptocurrency and steal sensitive information. The latest Kaspersky security report says tens of thousands of infected endpoints have been observed. The cybercriminals distribute fake cracks and activators for commercial software such as Foxit PDF Editor, JetBrains products, and AutoCAD, offering them to users as working activation tools.

Some of these fake cracks bundle a vulnerable driver, WinRing0.sys. By installing it, the victim reintroduces CVE-2020-14979 and CVE-2021-41285 onto the system, two roughly three-year-old vulnerabilities that let the attacker escalate privileges to the highest possible level.

SteelFox is a malware package designed to mine cryptocurrency and steal credit card details, running with SYSTEM privileges obtained through the "bring your own vulnerable driver" (BYOVD) technique. Its droppers are posted on forums and torrent trackers as crack tools that supposedly activate legitimate copies of software such as Foxit PDF Editor, JetBrains, and AutoCAD.

Exploiting vulnerable drivers to escalate privileges and evade detection has long been associated with state-sponsored threat actors and ransomware groups. Lately, however, the technique has also been adopted by information-stealing malware. Kaspersky researchers say they discovered the SteelFox campaign in August of this year, but add that the malware has been active since February 2023 and has been distributed through various channels (such as torrents, blogs and forum posts) in the past few weeks.

The Rhadamanthys information stealer has been available for some time, but since July 2024 an updated version has been delivered in an ongoing phishing campaign built around copyright-infringement themes. Check Point is tracking this large-scale cybercrime campaign under the name CopyRightAdamantys. It targets the U.S., Europe, East Asia, and South America, as well as other regions.

According to the company's technical analysis, the campaign impersonates dozens of companies, and each email is sent from a different Gmail account, with the impersonated company and the language tailored to the targeted entity. Almost 70% of the impersonated companies are in the entertainment, media, technology, or software sectors.

One element stands out: the deployment of Rhadamanthys stealer version 0.7, which, as Recorded Future's security division Insikt Group described early last month, uses optical character recognition. Cisco Talos, an Israeli company that specializes in cyber security, disclosed last week a campaign targeting users of Facebook business and advertising accounts in Taiwan, delivering the information-stealing malware known as Lumma or Rhadamanthys.

The RAR archive contains three components: a legitimate executable vulnerable to DLL side-loading, a malicious DLL containing the stealer payload, and a decoy document. When the executable runs, it side-loads the DLL, which sets up the environment in which Rhadamanthys is deployed. Given the scale of the campaign and the variety of lures and sender emails, Check Point believes the threat actors, attributed to a possible cybercrime group, used artificial intelligence tools to spread the malware.

"It seems likely that this campaign was orchestrated by a financially motivated cybercrime group and not a nation-state actor, particularly given the large number of organizations across multiple regions targeted in this campaign," he continued. "In addition to its global reach, the use of automated phishing tactics, and the use of a variety of lures, this campaign demonstrates how attackers continue to enhance their success rates."

As part of these findings, Kaspersky also revealed a full-featured crimeware bundle dubbed SteelFox, which has been spreading via forum posts, torrent trackers, and blogs, passing itself off as legitimate utilities like Foxit PDF Editor, JetBrains, and AutoCAD in order to steal personal information. Over the last two years, the campaign has claimed victims in nearly 50 countries. The majority of the victims were in Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India, and Sri Lanka, with the largest numbers in Brazil, China, Russia, and Mexico.

At this point, no known threat actor or group has been associated with the attack. Security researcher Kirill Korchemny said: "Delivered via sophisticated execution chains, notably shellcode, this type of malware abuses both Windows services and drivers in an attempt to accomplish its objectives." He added that it also uses stealer malware to extract details about the victim's device as well as credit card information.

The chain starts with a dropper that mimics a cracked version of popular software. When run, it requests administrator permissions and drops a next-stage loader, which in turn establishes persistence and launches the SteelFox module. According to Kaspersky, although SteelFox's C2 domain is hardcoded, it conceals its presence by rotating between multiple IP addresses and resolving them via DNS over HTTPS. SteelFox attacks have no specific targets, but they appear to focus on users of AutoCAD, JetBrains, and Foxit PDF Editor.

Based on Kaspersky's visibility, the malware is compromising systems in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka, among others. Researchers describe SteelFox as a new and potent threat: a sophisticated crimeware bundle that targets Windows PCs through vulnerable drivers. Although still relatively new, it shows advanced functionality and appears to be the work of a skilled C++ developer who has integrated multiple external libraries to extend its capabilities.

In a related development, analysts from FortiGuard Labs have reported the discovery of another malicious software framework named Winos4.0. This advanced framework, embedded in game-related applications, is engineered specifically to target Windows users. Originating as an evolved version of the Gh0st RAT malware, Winos4.0 enables attackers to remotely execute various actions, giving them substantial control over compromised systems. The infection process for Winos4.0 is particularly deceptive.

It spreads through game-related applications, such as installation utilities and performance enhancement tools, designed to appeal to gamers and other Windows users. Once an individual downloads and installs one of these compromised applications, a seemingly harmless BMP file is retrieved from a remote server. This file subsequently extracts and activates the Winos4.0 DLL file, initiating the malware’s operations. 

In its initial phase, Winos4.0 sets up an environment for deploying further modules and establishes persistence on the infected machine by modifying system registry keys or creating scheduled tasks. Through this multi-stage infection process, Winos4.0 builds a durable foothold on affected devices, opening avenues for continuous exploitation and control.

Awaken Likho Targets Russian Agencies with MeshCentral Remote Access Tool


Awaken Likho, also referred to as Core Werewolf or PseudoGamaredon, is a cyber threat group targeting Russian government agencies and industrial entities. Since June 2024, a new campaign has been observed, where attackers have shifted from using UltraVNC to MeshCentral’s legitimate agent for remote access to compromised systems. The campaign primarily focuses on Russian government contractors and industrial enterprises, as reported by Kaspersky. Spear-phishing is a key method employed by Awaken Likho, with malicious executables disguised as Word or PDF files. 

These files trick victims by using double extensions such as “.doc.exe” or “.pdf.exe,” making them appear like standard document formats. When opened, these files trigger the installation of UltraVNC or, in the new campaign, MeshCentral’s MeshAgent tool, which grants the attackers full control over the compromised system. Awaken Likho’s cyberattacks date back to at least August 2021, first gaining attention through targeting Russia’s defense and critical infrastructure sectors. However, more recently, the group has shifted to using self-extracting archives (SFX) to covertly install UltraVNC, along with presenting decoy documents. 
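The double-extension trick described above ("report.doc.exe" rendered as a document) is easy to catch at a mail gateway or in an attachment log once you stop trusting what the name looks like and inspect its parts. The following is an added example written for this post, not code from Kaspersky or from any report on Awaken Likho; the extension lists and the sample attachment names are constructed for illustration.

```python
import os

# Extensions Windows will execute directly when double-clicked (constructed list for the example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "ps1", "hta", "msi", "lnk"}
# Extensions the lure wants the victim to believe they are opening.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "jpg", "png"}


def analyse_filename(name: str) -> dict:
    """Classify one attachment name. Returns {'name', 'suspicious', 'reason'}."""
    base = os.path.basename(name.replace("\\", "/"))
    # Strip each part so "report.pdf      .exe" (spaces used to push the real
    # extension out of view in a narrow file dialog) still matches.
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 2:
        return {"name": name, "suspicious": False, "reason": "no extension"}
    final, inner = parts[-1], parts[1:-1]
    if final in EXECUTABLE_EXTS:
        disguised = [p for p in inner if p in DOCUMENT_EXTS]
        if disguised:
            return {"name": name, "suspicious": True,
                    "reason": f"document extension .{disguised[-1]} followed by executable .{final}"}
        return {"name": name, "suspicious": True, "reason": f"executable attachment .{final}"}
    return {"name": name, "suspicious": False, "reason": f"non-executable .{final}"}


def triage(names):
    """Return only the names a gateway should hold for review, with reasons."""
    return [v for v in map(analyse_filename, names) if v["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real campaign.
    sample = ["quarterly_report.doc.exe", "contract.pdf", "invoice.pdf.scr",
              "notes.txt", "setup.exe", "statement.pdf                 .exe"]
    for hit in triage(sample):
        print(f"{hit['name']!r}: {hit['reason']}")
```

The check deliberately keys on the last extension only: the operating system does, so the defender should too. Self-extracting archives, which the post says the group also uses, end in .exe and are therefore held as well.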

In its latest campaigns, an SFX archive triggers the execution of a file named “MicrosoftStores.exe,” which unpacks an AutoIt script. This script eventually runs the MeshAgent tool, facilitating ongoing remote control via the MeshCentral server. By creating a scheduled task, Awaken Likho ensures persistence within the infected system. The scheduled task consistently runs the command file, which in turn launches MeshAgent, allowing communication with the MeshCentral server. This tactic gives the attackers access to the system long after the initial breach. Russian cybersecurity company Kaspersky has revealed that the campaign’s primary focus remains within Russian government bodies, contractors, and industrial enterprises. 

Additionally, earlier findings from BI.ZONE in June 2023 indicated that Awaken Likho has targeted sectors including defense and critical infrastructure, emphasizing the group’s intent on penetrating Russia’s most vital industries. A notable attack in May 2023 targeted a Russian military base in Armenia, as well as a research institute involved in weapons development. These actions suggest Awaken Likho’s primary focus on entities involved in Russia’s security and defense sectors, with significant consequences for the country’s critical infrastructure. 

This new chapter in Awaken Likho’s activity signals the group’s evolving tactics and its continued interest in leveraging spear-phishing attacks with more sophisticated tools. By transitioning to the MeshCentral platform, the group showcases its adaptability in maintaining control over systems while evading detection, making it a significant threat to Russian entities in the future.

RansomHub Ransomware: Exploiting Trusted Tools to Evade Detection

Ransomware groups continue to innovate and adapt their tactics to bypass security measures. One such group, RansomHub, reported by Malwarebytes, has recently garnered attention for its sophisticated approach to disabling Endpoint Detection and Response (EDR) systems. By leveraging Kaspersky’s TDSSKiller, a legitimate rootkit removal tool, RansomHub has managed to execute its malicious payloads undetected, posing a significant threat to organizations worldwide.

The Rise of RansomHub

RansomHub is a relatively new player in the ransomware scene, but it has quickly made a name for itself with its advanced techniques and targeted attacks. Unlike traditional ransomware groups that rely on brute force methods or simple phishing campaigns, RansomHub employs a more nuanced strategy. By using legitimate software tools in unexpected ways, they can evade detection and maximize the impact of their attacks.

The Role of Kaspersky’s TDSSKiller

Kaspersky’s TDSSKiller is a well-known tool in the cybersecurity community, designed to detect and remove rootkits from infected systems. Rootkits are a type of malware that can hide the presence of other malicious software, making them particularly dangerous. TDSSKiller is widely trusted and used by security professionals to clean compromised systems.

However, RansomHub has found a way to exploit this tool for malicious purposes. By incorporating TDSSKiller into their attack chain, they can disable EDR software that would otherwise detect and block their ransomware. This tactic is particularly insidious because it uses a trusted tool to carry out malicious actions, making it harder for security teams to identify and respond to the threat.

The Attack Chain

RansomHub’s attack chain typically begins with a phishing email or a compromised website that delivers the initial payload. Once the ransomware is on the target system, it uses a variety of techniques to escalate privileges and gain control over the machine. This is where TDSSKiller comes into play.

By running TDSSKiller, the ransomware can disable EDR software and other security measures that would normally detect and block the attack. With these defenses out of the way, RansomHub can then proceed to encrypt the victim’s files and demand a ransom for their release. In some cases, they also use a credential-harvesting tool called LaZagne to extract sensitive information, further increasing the pressure on the victim to pay the ransom.

Threats Posed by Tools

The use of legitimate tools like TDSSKiller in ransomware attacks highlights a significant challenge for the cybersecurity community. Traditional security measures are often designed to detect and block known malware and suspicious behavior. However, when attackers use trusted tools unexpectedly, these measures can be less effective.

This tactic also underscores the importance of a multi-layered approach to cybersecurity. Relying solely on EDR software or other endpoint protection measures is no longer sufficient. Organizations must implement a comprehensive security strategy that includes network monitoring, threat intelligence, and user education to detect and respond to these advanced threats.

Security Alert for Gmail, Facebook, and Amazon Users


The number of hacks that occur on Google, Gmail, and Amazon accounts keeps on rising, causing users to become anxious. By using phishing tactics, hackers are targeting users' passwords for Gmail, Facebook, and Amazon through phishing campaigns that pose significant risks to their personal information. 

A new warning advises users of Gmail, Facebook, and Amazon that a fresh wave of password-hacking attacks puts their personal information at risk. As society has gone digital, protecting your credentials has become "the name of the game." These platforms are among the most popular in the world, so it is vital to understand what threats are coming and how they can be prevented.

Cybersecurity experts predict a steady increase in such attacks over the year, and they note that the complexity of password hacks against Gmail and Facebook, as well as attempts to access Amazon accounts, has also grown dramatically.

These attacks typically rely on phishing, brute force, and social engineering, all designed to take advantage of overly trusting users or weaknesses within the platforms. Several new threat analyses, including those conducted by Kaspersky Labs, reveal that password theft attacks have become increasingly common against Amazon users, Facebook users, and, most of all, Google users.

Kaspersky's study found a 40% year-on-year increase in attempts to lure users to malicious sites impersonating these brands. It is no surprise that attackers seek Gmail, Facebook, and Amazon credentials: such accounts can be exploited for data theft, malware distribution, and credit card fraud all at once.

A Google account is a skeleton key that can unlock a trove of other account credentials and personal information. A Gmail inbox holds an enormous amount of information, and most people have one given how popular the free web-based service is. According to Kaspersky, hackers mainly target Google, Amazon, and Facebook passwords in their effort to steal personal information.

During the first half of 2024, Kaspersky reported a 243% increase in the number of attack attempts, with the company itself blocking approximately 4 million. Facebook users were exposed to an estimated 3.7 million phishing attempts in the same period, and Amazon users to 3 million. Olga Svistunova, a data security expert at Kaspersky, warned that a criminal with access to a Gmail account may be able to access "multiple services".

Not only business information but also customers' personal information can be leaked as a result. Hackers want account passwords for these platforms because access lets them commit fraud, distribute malware, and steal sensitive information. Google accounts are especially valuable because they can be used to break into other accounts and to collect personal information for use in fraud attempts.

Researchers Rui Ataide and Hermes Bojaxhi of the GuidePoint Research and Intelligence Team (GRIT) report an ongoing phishing campaign targeting more than 130 U.S. organizations, which they describe as new and worrying. The term "highly sophisticated threat actor" has been misused so often in recent years that it has almost lost its meaning, but the tactics and intrusion capabilities employed by this as-yet-unnamed attacker led the GRIT researchers to conclude that the label is deserved.

Like other spear-phishing campaigns, this attack targets specific employees within an organization rather than hitting every email account with the scattergun approach of ordinary phishing. The attack has also targeted other tech giants, including Microsoft and Apple, as well as numerous smaller companies; DHL, Mastercard, Netflix, eBay, and HSBC are also among the companies involved.

Cloud security provider Netskope, in a recent report, found a 2,000-fold increase in traffic to phishing pages sent through Microsoft Sway, a cloud-based application that provides users with the ability to create visual instructions, newsletters, and presentations through the use of visual illustrations. Hackers are increasingly exploiting a technique known as “quishing,” a form of phishing that utilizes QR codes to deceive users into logging into malicious websites, thereby stealing their passwords. This method is particularly effective as QR codes can bypass email scanners designed to detect text-based threats. 

Additionally, since QR codes are frequently scanned with mobile devices—which often lack the robust security measures found on desktops and laptops—users become more vulnerable to these types of attacks. A new variant of QR code phishing has been recently detailed by J. Stephen Kowski, the Field Chief Technology Officer at SlashNext, in a LinkedIn article. Unlike traditional QR code phishing, which typically involves an image-based QR code redirecting users to a malicious site, this new method leverages Unicode text characters to create QR codes. 

According to Kowski, this approach presents three significant challenges for defenders: it evades image-based analysis, ensures accurate screen rendering, and creates a duality in appearance between the screen rendering and plain text, making detection more difficult. Given these emerging threats, individuals who frequently use platforms such as Google’s Gmail, Facebook, and Amazon, as well as other major online services, should exercise caution to avoid becoming victims of identity theft. The risk of falling prey to password-hacking attempts can be significantly reduced by adhering to best practices in security hygiene across different accounts and maintaining a high level of vigilance. 

In today’s technology-driven world, personal awareness and proactive measures serve as the first line of defence against such cyber threats.

Protecting Business Accounts from Phishing Attacks

1. Recognize Phishing Indicators

- Generic Domain Extensions: Be cautious of emails from generic domains like "@gmail.com" instead of corporate domains, as attackers use these to impersonate businesses.

- Misspelt Domains: Watch for near-identical domains that slightly alter legitimate ones, such as "Faceb0ok.com." These deceptive domains are used to trick users into providing sensitive information. 

- Content Quality: Legitimate communications are typically polished and professional. Spelling errors, poor grammar, and unprofessional formatting are red flags of phishing attempts. 

- Urgency and Fear Tactics: Phishing messages often create a sense of urgency, pressuring recipients to act quickly to avoid negative consequences, such as account suspensions or security breaches. 

- Unusual Requests: Be wary of unexpected requests for money, personal information, or prompts to click links or download attachments. Hackers often impersonate trusted entities to deceive recipients. 
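The first two indicators in the list (free webmail senders claiming to be a company, and near-identical domains such as "Faceb0ok.com") can be checked mechanically on every From: header. The following is an added example written for this post, not code from Kaspersky, GuidePoint or any vendor named here; the brand list, the homoglyph table, the tiny public-suffix stand-in and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Brands the example treats as worth impersonating (constructed list).
BRAND_LABELS = {"facebook", "google", "amazon", "microsoft", "netflix"}
# Free webmail domains a business would not normally send from.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Characters and pairs attackers swap in because they look alike on screen.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
# Tiny stand-in for the Public Suffix List; a real gateway would load the full list.
PUBLIC_SUFFIXES = ("co.uk", "com.br", "com", "net", "org", "io")


def normalize_label(label: str) -> str:
    """Fold common look-alike substitutions so 'faceb00k' compares as 'facebook'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """The label directly under the public suffix: 'mail.google.com' -> 'google'."""
    for suffix in PUBLIC_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    return domain.split(".")[0]


def classify_sender(header_from: str) -> str:
    """Label a From: header as legitimate, lookalike, freemail-impersonation, display-name-mismatch or unknown."""
    display, address = parseaddr(header_from)
    domain = address.rsplit("@", 1)[-1].lower()
    label = registrable_label(domain)
    if label in BRAND_LABELS:
        return f"legitimate:{label}"
    folded = normalize_label(label)
    for brand in sorted(BRAND_LABELS):
        # Exact match after folding, brand embedded in a longer label, or a near-miss spelling.
        near = 2 if len(brand) >= 6 else 1
        if folded == brand or brand in folded or levenshtein(folded, brand) <= near:
            return f"lookalike:{brand}"
    # Brand named in the display name but mail sent from somewhere else.
    claimed = [b for b in sorted(BRAND_LABELS) if b in display.lower()]
    if claimed and domain in FREEMAIL_DOMAINS:
        return f"freemail-impersonation:{claimed[0]}"
    if claimed:
        return f"display-name-mismatch:{claimed[0]}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real campaign.
    for hdr in ["Facebook Security <noreply@facebook.com>",
                "Facebook Security <alerts@faceb0ok.com>",
                "Amazon Billing <amazon-billing@gmail.com>",
                "Netflix <help@netfilx.com>",
                "Google <security@accounts-google.com>",
                "Bob <bob@example.org>"]:
        print(f"{hdr:45} -> {classify_sender(hdr)}")
```

The order of the checks matters: a subdomain of the real brand (accounts.google.com) is accepted before any fuzzy matching runs, while a brand name embedded in a different registrable label (accounts-google.com) is flagged.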

2. Implement Security Software 

- Install robust security tools, including firewalls, spam filters, and antivirus software, to guard against phishing attacks. 

- Utilize web filters to restrict access to malicious websites.

- Regularly update software to patch vulnerabilities and protect against new threats.

3. Use Multi-Factor Authentication (MFA) 

- Enhance account security by implementing MFA, which requires a second verification factor (e.g., a code, fingerprint, or secret question) in addition to a password. 

- MFA significantly reduces the risk of unauthorized access and helps safeguard business credentials.

By staying vigilant, maintaining updated security software, and utilizing MFA, businesses can better protect their accounts and sensitive information from phishing attacks.

The Speed and Efficiency of Modern Password-Cracking Techniques


With minimal expense and a bit of time, passwords can be cracked much faster than expected using a smart brute-force guessing algorithm. A recent analysis by Kaspersky revealed that 59% of 193 million real passwords were cracked in under an hour, with 45% broken in less than a minute. 

As Antonov from Kaspersky explains, "smart guessing algorithms are trained on a data set of passwords to determine the frequency of various character combinations, starting with the most common and working down to the rarest." Although brute-force attacks are popular because of their straightforward approach, they are not the most efficient method of password cracking. Most commonly used passwords contain predictable patterns such as dates, names, dictionary words, and keyboard sequences, and incorporating these patterns into the algorithm speeds up the cracking process significantly.

The Kaspersky study demonstrated the advantage of combining brute-force and smart-guessing techniques. Pure brute force cracked 10% of passwords in under a minute, but this success rate jumped to 45% with the addition of smart-guessing. For passwords cracked between one minute and one hour, the success rate increased from 20% to 59%. Humans are generally not good at creating secure passwords because the choices are rarely random. We tend to use familiar elements that smart-guessing algorithms can easily identify: common names, important dates, and recognizable patterns. 

For example, a YouTube channel asked over 200,000 people to pick a 'random' number between 1 and 100, and most chose from a small set of numbers like 7, 37, 42, 69, 73, and 77. Even when attempting to create random character strings, people often stick to the center of the keyboard. This analysis underscores the importance of creating stronger, less predictable passwords. Using a combination of upper and lower case letters, numbers, and special characters can help enhance password security. 
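A defender can apply the same reasoning the smart-guessing algorithm uses, in reverse, to reject predictable passwords at enrolment time: look for the dictionary words, names, years and keyboard runs that a guesser tries first, and only then estimate how long a pure brute-force search would take. The following is an added example written for this post, not Kaspersky's code or tooling. The guess rate is a constructed assumption derived from the figure quoted later on this page (an 8-character same-case-letters-and-digits password, a 36^8 keyspace, cracked in 17 seconds); the word, name and sequence lists are tiny stand-ins for real cracking dictionaries.

```python
import re

# Implied full-keyspace guess rate: 36**8 candidates in 17 seconds (constructed from the page's figure,
# not a rate Kaspersky published).
GUESSES_PER_SECOND = 36 ** 8 / 17
ONE_YEAR = 365 * 24 * 3600

# Small constructed stand-ins for the dictionaries a smart-guessing cracker carries.
COMMON_WORDS = {"password", "summer", "winter", "welcome", "admin", "love", "dragon", "monkey", "football"}
COMMON_NAMES = {"john", "maria", "alex", "michael", "anna"}
KEYBOARD_SEQUENCES = ("qwerty", "asdf", "zxcv", "1qaz", "12345", "09876")
# "Leet" substitutions a guesser undoes before dictionary lookup.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def charset_size(pw: str) -> int:
    """Size of the smallest character class set that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size


def brute_force_seconds(pw: str) -> float:
    """Worst-case time to exhaust the password's character classes at the assumed rate."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def find_patterns(pw: str) -> list:
    """Return the predictable building blocks a smart guesser would try first."""
    folded = "".join(LEET.get(c, c) for c in pw.lower())
    found = []
    found += [f"dictionary-word:{w}" for w in sorted(COMMON_WORDS) if w in folded]
    found += [f"name:{n}" for n in sorted(COMMON_NAMES) if n in folded]
    found += [f"year:{y}" for y in re.findall(r"(?:19|20)\d\d", pw)]
    found += [f"keyboard-sequence:{s}" for s in KEYBOARD_SEQUENCES if s in pw.lower()]
    if re.search(r"(.)\1{2,}", pw):
        found.append("repeated-character")
    return found


def assess_password(pw: str) -> dict:
    """Combine pattern detection with a brute-force time estimate into one verdict."""
    patterns = find_patterns(pw)
    seconds = brute_force_seconds(pw)
    if patterns:
        verdict = "predictable"  # smart guessing finds it long before brute force would
    elif seconds < 3600:
        verdict = "brute-forceable-within-hour"
    elif seconds < ONE_YEAR:
        verdict = "brute-forceable-within-year"
    else:
        verdict = "brute-force-resistant"
    return {"password": pw, "length": len(pw), "charset": charset_size(pw),
            "brute_force_seconds": seconds, "patterns": patterns, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    for candidate in ["Summer2023!", "P@ssw0rd", "qwerty123", "xk4p9q2z", "Vq7#mL2pX9!tRs"]:
        r = assess_password(candidate)
        print(f"{candidate:16} {r['verdict']:28} {r['brute_force_seconds']:.3g}s {r['patterns']}")
```

Note that "Summer2023!" uses three character classes and would look fine to a length-and-classes policy, yet it is built entirely from a dictionary word, a year and a trailing symbol, which is exactly the construction the smart-guessing statistics are trained on.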

Additionally, implementing multi-factor authentication (MFA) adds an extra layer of protection, making unauthorized access much more challenging. Regularly updating passwords and avoiding reuse of old ones are also essential practices for safeguarding accounts from being easily compromised. Employing password managers can also aid in generating and storing complex passwords, reducing the reliance on human memory and, thus, the use of predictable patterns. 

As cyber threats continue to evolve, staying informed about the latest security practices and adopting proactive measures will be crucial in defending against sophisticated password-cracking techniques.

Many Passwords Can Be Cracked in Under an Hour, Study Finds


If you're not using strong, random passwords, your accounts might be more vulnerable than you think. A recent study by cybersecurity firm Kaspersky shows that a lot of passwords can be cracked in less than an hour due to advancements in computer processing power.

Kaspersky's research team used a massive database of 193 million passwords from the dark web. These passwords were hashed and salted, meaning they were somewhat protected, but still needed to be guessed. Using a powerful Nvidia RTX 4090 GPU, the researchers tested how quickly different algorithms could crack these passwords.

The results are alarming: simple eight-character passwords, made up of same-case letters and digits, could be cracked in as little as 17 seconds. Overall, they managed to crack 59% of the passwords in the database within an hour.

The team tried several methods, including the popular brute force attack, which attempts every possible combination of characters. While brute force is less effective for longer and more complex passwords, it still easily cracked many short, simple ones. They improved on brute force by incorporating common character patterns, words, names, dates, and sequences.

With the best algorithm, they guessed 45% of passwords in under a minute, 59% within an hour, and 73% within a month. Only 23% of passwords would take longer than a year to crack.

To protect your accounts, Kaspersky recommends using random, computer-generated passwords and avoiding obvious choices like words, names, or dates. They also suggest checking whether your passwords have been compromised on sites like Have I Been Pwned and using unique passwords for different websites.

This research serves as a reminder of the importance of strong passwords in today's digital world. By taking these steps, you can significantly improve your online security and keep your accounts safe from hackers.


How to Protect Your Passwords

The importance of strong, secure passwords cannot be overstated. As the Kaspersky study shows, many common passwords are easily cracked with modern technology. Here are some tips to better protect your online accounts:

1. Use Random, Computer-Generated Passwords: These are much harder for hackers to guess because they don't follow predictable patterns.

2. Avoid Using Common Words and Names: Hackers often use dictionaries of common words and names to guess passwords.

3. Check for Compromised Passwords: Websites like Have I Been Pwned can tell you if your passwords have been leaked in a data breach.

4. Use Unique Passwords for Each Account: If one account gets hacked, unique passwords ensure that your other accounts remain secure.

Following these tips can help you stay ahead of hackers and protect your personal information. With the increasing power of modern computers, taking password security seriously is more important than ever.


The Mask: A Resilient Espionage Group Returns After a Decade


An APT group that has been missing for over a decade has reappeared in a cyber-espionage campaign aimed at organizations in Latin America and Central Africa.

The Mask’s history

  1. Origins: The Mask first appeared in 2007, operating with stealth and sophistication.
  2. Vanishing Act: In 2013, the group seemingly vanished, leaving behind a trail of cyber-espionage campaigns.
  3. Unique Victims: Over the years, they targeted around 380 unique victims across 31 countries, including major players like the US, UK, France, Germany, China, and Brazil.

About Careto aka The Mask

The gang "Careto" or "The Mask" began operations in 2007 and suddenly vanished in 2013. During that time, the Spanish-speaking threat actor claimed around 380 unique victims in 31 countries, including the United States, the United Kingdom, France, Germany, China, and Brazil.

Kaspersky researchers, who monitored Careto ten years ago and recently discovered new attacks, classified Careto's former victims as government organizations, diplomatic offices and embassies, energy, oil and gas corporations, research institutions, and private equity firms.

Sophisticated Tailored Methods

According to Kaspersky, Careto group actors use specialized tactics to sneak into both victim environments, maintain persistence, and harvest information.

In both attacks, for example, it appears that the attackers got early access using the organization's MDaemon email server, a software that many small and medium-sized enterprises use. According to Kaspersky, the attackers planted a backdoor on the server, giving them control of the network. They used a driver connected with the HitmanPro Alert malware scanner to sustain persistence.

Careto distributed four multi-modular implants on workstations across each victim's network as part of the attack chain, exploiting a previously undisclosed weakness in a security product utilized by both. Kaspersky's analysis did not specify the security product or weakness that Careto is exploiting in its latest operation. However, the company stated that it has provided comprehensive details about Careto's recent attacks, including tactics, strategies, and procedures, in a private APT report for customers.

The implant

The implants, named "FakeHMP," "Careto2," "Goreto," and the "MDaemon implant," allowed the attackers to carry out a variety of harmful acts in the victim environments. According to Georgy Kucherin, security researcher at Kaspersky, the MDaemon implant permitted the threat actors to conduct initial reconnaissance, extract system configuration information, and execute commands for lateral movement.

He notes that FakeHMP records microphone audio, logs keystrokes, and steals confidential documents and login information. Both Careto2 and Goreto perform keylogging and screenshot capture, and Careto2 also facilitates file theft, according to Kucherin.

Implications and lessons

  1. Vigilance Matters: Organizations must remain vigilant even when APTs go silent. The Mask’s resurgence underscores the need for continuous monitoring.
  2. Advanced Techniques: The group’s ability to exploit zero-day vulnerabilities highlights the importance of robust security measures.
  3. Global Reach: The Mask’s diverse victim pool emphasizes that cyber threats transcend borders.

Rise In Cybercrime: Dark Web Fueling Credential Attacks

 


Cybercriminals are increasingly treating credential theft as a lucrative business, aided by the rise of infostealer malware. Over the past three years, these threat actors have compromised millions of personal and corporate devices globally.

The Rise of Infostealer Malware

According to cybersecurity experts at Kaspersky, infostealer malware attacks have surged sevenfold in recent years, with over 10 million devices compromised in 2022 alone. These sophisticated attacks enable hackers to silently collect login credentials and sensitive data from devices, posing a significant cybersecurity threat.

The Lucrative Market for Stolen Credentials

Demand for corporate credentials on the cybercrime market has soared alongside a 643% increase in data theft attacks. Cybercriminals act as initial access brokers, stealing corporate credentials and selling them on dark web forums for substantial profits. Kaspersky researchers describe several sales models, with prices starting at $10 per log file.

Emerging Dark Web Hubs

Darknet markets have become key enablers of cybercrime, facilitating the sale of stolen credentials and victim profiles to cybercriminal groups. Following the takedown of Genesis Market, new hubs like Kraken Market and DNM Aggregator have emerged, offering seamless payment options via crypto processors.

Regional Impact

Regions like the Asia-Pacific and Latin America have been particularly affected by credential stealing attacks, with millions of credentials stolen from countries like Brazil, India, Colombia, and Vietnam. In Australia, compromised credentials accounted for the majority of cybersecurity incidents, with compromised or stolen credentials implicated in 56% of all incidents.

The Role of Initial Access Brokers

The number of initial access brokers (IABs) operating worldwide has risen significantly, with the APAC region experiencing a particularly sharp increase. These brokers play a critical role in fueling cybercrime operations, selling access to corporate networks and facilitating activities like ransomware attacks.

Despite the perception of cyberattacks as complex operations, many simply rely on valid credentials. According to the Cybersecurity and Infrastructure Security Agency (CISA), over half of attacks on government and critical infrastructure leverage valid credentials, and stolen credentials are implicated in 86% of breaches involving web-based platforms. Credential stuffing, in which attackers replay stolen username and password pairs against other websites, has become increasingly popular because people reuse passwords across services for convenience. 

With cybercriminals exploiting vulnerabilities in corporate and personal networks, organisations and individuals must remain a step ahead to protect against this pervasive threat.




Data-Stealing Malware Infections Surge by 600% in Three Years, Kaspersky Reports

 

The digital landscape has become increasingly treacherous, with a startling surge in data-stealing malware compromising millions of devices worldwide. According to cybersecurity firm Kaspersky, the number of devices infected with data-stealing malware has skyrocketed by over 600% in the past three years alone. This alarming trend underscores the urgent need for heightened vigilance and robust cybersecurity measures to safeguard personal and corporate data in an era plagued by relentless cyber threats. 

Kaspersky's Digital Footprint Intelligence data paints a grim picture, revealing that the number of compromised devices reached a staggering 10 million in 2023, marking a 643% increase since 2020. The threat posed by data-stealers has escalated exponentially, posing a significant risk to both consumers and businesses alike. What's particularly concerning is the sheer volume of log-in credentials pilfered by cybercriminals from infected devices. 

On average, each compromised device surrenders a staggering 50.9 log-in credentials, encompassing a wide array of sensitive accounts ranging from social media and online banking services to cryptocurrency wallets and email accounts. This abundance of stolen credentials fuels the illicit underground economy, where cybercriminals peddle stolen data for profit. The actual scope of the problem may be even more extensive than reported, as Kaspersky's data draws insights from infostealer malware log files traded on underground markets. 

The clandestine nature of these transactions makes it challenging to quantify the full extent of the threat landscape accurately. According to Sergey Shcherbel, a cybersecurity expert at Kaspersky Digital Footprint Intelligence, the dark-web value of log files containing login credentials varies depending on their appeal and the method of sale. These credentials may be sold through subscription services, aggregators catering to specific requests, or exclusive shops offering freshly acquired login credentials to select buyers. 

Prices typically start at $10 per log file, highlighting the lucrative nature of stolen data in the cyber underground. The impact of data-stealing malware extends beyond individual devices, with a staggering 443,000 websites worldwide falling victim to compromised credentials in the past five years alone. In the .in domain associated with India, compromised accounts surged to over 8 million in 2023, underscoring the global reach and pervasive nature of the threat. 

As the threat landscape continues to evolve, organizations and individuals must prioritize cybersecurity as a fundamental aspect of their digital hygiene practices. Proactive measures such as robust antivirus software, regular software updates, and user education can help mitigate the risk of data breaches and protect sensitive information from falling into the wrong hands. 

The exponential rise in data-stealing malware serves as a stark wake-up call for individuals and organizations worldwide. By staying vigilant, informed, and proactive in combating cyber threats, we can collectively fortify our defenses and safeguard against the perils of the digital age.

India's Businesses Under Huge Cyber Threats, Kaspersky Reported

Indian businesses are being warned about the looming threat of ransomware attacks by cybersecurity experts. These attacks not only jeopardize company data but also pose a serious risk to user information. To address this urgent issue, experts stress the importance of promptly implementing advanced threat intelligence and industrial cybersecurity solutions. 

Kaspersky, a prominent cybersecurity firm, sheds light on the severity of the situation through their research findings. They indicate that ransomware attacks expected in 2024 could result in significant financial losses similar to those experienced in 2023. This underscores the vulnerability of both IT and operational systems within Indian companies, urging them to take proactive steps to defend against potential cyber threats. 

India's vast user base and thriving enterprises have become prime targets for cybercriminals, as per insights from Kaspersky. The cybersecurity firm reveals that India consistently ranks among the top 12 targeted countries and territories for Advanced Persistent Threats (APTs) globally. 

Kaspersky's data underscores ransomware as the predominant cyber threat in 2024. The company points out that the increasing adoption of digital platforms within Indian organizations has stretched the local ICT supply chain, exposing visible vulnerabilities that attract cyberattacks. 

Kaspersky lists the following current challenges faced by organizations in India: 

Escalation of Cyberthreats: The advent of the digital age has exposed organizations to heightened vulnerabilities, underscoring the critical importance of cybersecurity. India grapples with a wide array of cyber threats, spanning from financial fraud and data breaches to sophisticated cyber espionage campaigns. 

Varied Attack Methods: Given its expansive population, India serves as a fertile ground for cybercriminals who employ diverse tactics such as phishing, ransomware, and social engineering to infiltrate systems and networks. 

Sector-Specific Targets: Certain sectors, including financial institutions, e-commerce platforms, and government entities, find themselves particularly susceptible to cyberattacks due to the sensitive nature of the data they handle. 

Surge in Ransomware Attacks: The proliferation of ransomware incidents has witnessed a dramatic surge, resulting in significant disruptions to businesses that endure downtime ranging from several days to weeks. 

Furthermore, according to Kaspersky's report, more than 200,000 ransomware incidents were identified by their solutions in India during 2023. Notable ransomware groups such as Fonix and LockBit have actively targeted Indian organizations spanning various sectors including manufacturing, retail, agriculture, media, and healthcare. 

Additionally, findings from a Cisco study reveal a significant impact of cyber attacks on Indian startups and SMBs. Approximately 62% of these businesses have incurred costs amounting to ₹3.5 crore (over US$430,000). Notably, the financial damage from these attacks exceeds the investment required to implement the solutions that would mitigate them.

Hackers Drain Wallets via Cracked macOS Apps using Scripts Accessed From DNS Records


Hackers have found another clever way to transfer information-stealing malware to macOS users, apparently through DNS records that could hide malicious scripts.

The campaign targets macOS Ventura and later and relies on cracked applications repackaged as PKG installers that bundle a trojan. 

Attack details

The attack was discovered by researchers at Kaspersky, following which they analyzed the stages of the infection chain. 

After downloading the disk image, victims follow the bundled installation instructions, unaware that they are actually launching the malware. They then open the bogus Activator window, which asks for the administrator password. 

Once it has that authorization, the malware calls the 'AuthorizationExecuteWithPrivileges' API to run a 'tool' executable (a Mach-O binary). If Python 3 is not already installed on the system, it installs it, presenting this to the user as "patching" the app.

The malware then contacts its C2 server, under the domain 'apple-health[.]org', to obtain a base64-encoded Python script that runs arbitrary commands on the targeted device. 

Researchers discovered that the attacker employed a clever technique to reach the C2 server at the right URL: a third-level domain name consisting of a random string of five letters and words from two hardcoded lists.

This way, the hacker was able to conceal its activity in traffic and download the Python script payload disguised as TXT records from the DNS server, which seem like common requests. 

Three TXT entries, each a base64-encoded portion of an AES-encrypted message containing the Python script, were included in the DNS server's response.
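The following is an added example, not code from Kaspersky's write-up or from the campaign itself, showing how a defender might spot this delivery channel in DNS telemetry. It joins the TXT strings of each answer, requires the joined text to be a single valid base64 blob (ordinary SPF or DKIM records are not), and flags it when the decoded bytes are large and do not look like text, which is what an AES-encrypted script looks like after base64 decoding. The sample answers, the query name `qwxzr-mango-river.apple-health[.]org` and the stand-in "ciphertext" (a SHA-256 chain, not real AES output) are all constructed here; the hardcoded word lists behind the real third-level labels are not reproduced in the post, so no name-pattern check is attempted, and the AES decryption step is likewise not modelled.

```python
"""Flag DNS TXT answers that carry a chunked, base64-encoded binary payload."""
import base64
import binascii
import hashlib
from dataclasses import dataclass, field

# Bytes we accept as "text": printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class TxtResponse:
    """One DNS answer: the queried name and its TXT strings in response order."""
    qname: str
    records: list = field(default_factory=list)


def join_chunks(records):
    """Concatenate TXT strings. A stager that splits one base64 blob across
    several records relies on the client gluing them back together; so do we."""
    return "".join(r.strip().strip('"') for r in records)


def strict_base64(text):
    """Decode only if the whole string is valid base64 (SPF/DKIM text is not)."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data):
    """Fraction of bytes that look like text; encrypted data sits near 0.37."""
    if not data:
        return 1.0
    return sum(b in PRINTABLE for b in data) / len(data)


def score_response(resp, min_bytes=64, max_printable=0.80):
    """Verdict for one answer: suspicious when the joined TXT data is pure
    base64, decodes to at least min_bytes, and looks binary rather than text."""
    decoded = strict_base64(join_chunks(resp.records))
    verdict = {"qname": resp.qname, "suspicious": False, "reasons": [], "payload_len": 0}
    if decoded is None:
        verdict["reasons"].append("not a single base64 blob")
        return verdict
    verdict["payload_len"] = len(decoded)
    ratio = printable_ratio(decoded)
    if len(decoded) >= min_bytes and ratio < max_printable:
        verdict["suspicious"] = True
        verdict["reasons"].append(f"binary-looking payload ({ratio:.0%} printable)")
        if len(resp.records) > 1:
            verdict["reasons"].append(f"split across {len(resp.records)} TXT records")
    else:
        verdict["reasons"].append("base64 but small or text-like")
    return verdict


def fake_ciphertext(seed, nbytes):
    """Deterministic stand-in for an AES-encrypted script (SHA-256 chain, not AES)."""
    out, block = b"", seed.encode()
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:nbytes]


def make_staged_payload(nbytes=900, chunks=3):
    """Constructed answer mimicking the campaign: one base64 blob cut into chunks."""
    b64 = base64.b64encode(fake_ciphertext("constructed-sample", nbytes)).decode()
    size = -(-len(b64) // chunks)  # ceiling division
    return [b64[i:i + size] for i in range(0, len(b64), size)]


# Constructed sample answers (not captured traffic); the C2 name is hypothetical.
SAMPLES = [
    TxtResponse("example.com", ['"v=spf1 include:_spf.example.net -all"']),
    TxtResponse("sel._domainkey.example.com",
                ['"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"']),
    TxtResponse("note.example.org", [base64.b64encode(b"hello from ops team").decode()]),
    TxtResponse("qwxzr-mango-river.apple-health[.]org", make_staged_payload()),
]


def scan(responses=SAMPLES):
    """Score every answer; returns one verdict dict per response."""
    return [score_response(r) for r in responses]


if __name__ == "__main__":
    for v in scan():
        flag = "ALERT" if v["suspicious"] else "ok   "
        print(f"{flag} {v['qname']:40s} {', '.join(v['reasons'])}")
```

Only the last sample is flagged: the SPF and DKIM records fail strict base64 decoding, and the small base64 note decodes to readable text. The printable-ratio test is deliberately crude; in production you would add the query-name heuristics from the report and correlate with the process that issued the lookup.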

This first Python script served as a downloader for a second Python script that captures and sends information about the compromised system, including the CPU type, installed apps, directory listings, operating system version, and external IP address.

Kaspersky notes that during their analysis, the C2 provided upgraded copies of the backdoor script, indicating continuing development, but didn't see command execution, thus this might not have been deployed yet.

Additionally, two functions in the downloaded script search the compromised system for Bitcoin Core and Exodus wallets; if they are detected, they replace the original wallets with backdoored versions obtained from 'apple-analyzer[.]com.'

The code in the compromised wallets transmits to the attacker's C2 server the seed phrase, password, name, and balance.

Users usually do not get suspicious when their wallet app suddenly asks them to re-enter their wallet details, making them vulnerable to getting their wallets emptied. 

Kaspersky's write-up lists the cracked applications used in this campaign as indicators of compromise. According to the researchers, such applications "are one of the easiest ways for malicious actors to get to users’ computers."

While using cracked programs to trick users into downloading malware is a popular attack vector, the campaign that Kaspersky examined demonstrates that threat actors are sufficiently crafty to devise novel ways of delivering the payload, such as concealing it in a DNS server's domain TXT record.  

Unused Apps Could Still be Tracking and Collecting User’s Data


Almost everyone spends long hours on their smartphone, yet much of what the device does in the background goes unnoticed. So where should one start?

Most users are unaware that apps can keep tracking and collecting data even when they are not in use. Fortunately, there is a simple way to prevent this.

One may have ten, twenty or even thirty apps on their phones, and there is a possibility that many of these apps remain unused. 

Kaspersky warns that apps on a user's phone that are never opened may still be collecting data about the device owner.

A recently published memo from the company urged users to delete their old apps, stating: "You probably have apps on your smartphone that you haven't used in over a year. Or maybe even ones you've never opened at all. Not only do they take up your device's memory, but they can also slowly consume internet traffic and battery power."

The security memo continued: "And, most importantly, they clog up your interface and may continue to collect data about your smartphone - and you."

Spring-cleaning a phone may not be high on anyone's list, but it matters. For users concerned about over-sharing their data, Kaspersky suggests a "one-day rule" to make removing unused apps manageable. 

Uninstalling just one unused app a day improves phone performance, frees up storage and, more importantly, reduces how much data is harvested, giving users back control over how their data is used.

To delete an app on an iPhone, find it on the home screen, touch and hold the icon and tap "Remove App." Android users should open the Google Play Store, tap the profile icon in the top right, then Manage apps & device > Manage, select the app and tap Uninstall.

Pre-installed apps that cannot be fully removed can still be disabled, which stops them running in the background and removes them from the home screen.  

StripedFly: Cryptomining Tool Infects 1 Million Targets Worldwide


Kaspersky has revealed that a cryptominer that never earned its operators much cryptocurrency is in fact one component of a much larger espionage platform. Since 2017 the platform, known as StripedFly, has infected over a million Windows and Linux hosts worldwide. Because it is modular, with separate components for infiltrating devices and gathering various kinds of data, StripedFly was most likely built as part of a well-funded state espionage program rather than a cybercriminal operation. It also has an update system that lets the operators add new features and upgrades to the malware. 

Among other capabilities, StripedFly can steal access credentials from targeted systems, capture screenshots, collect databases, private files and videos, and record audio in real time from the target's microphone. Notably, it conceals communication and exfiltration between the malware and its command-and-control servers using a custom, purpose-built Tor client. 

There is also a ransomware component that the attackers have used occasionally. Initial infection uses a modified version of the EternalBlue exploit, attributed to the US National Security Agency and leaked publicly by the Shadow Brokers in 2017.

While StripedFly can mine Monero cryptocurrency, that is only a fraction of what it can do. The researchers discovered this last year and examined the platform thoroughly before publishing their findings.

Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post, "What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity."

According to the researchers, the platform bears "a hallmark of APT malware": update and delivery capabilities via trusted services such as Bitbucket, GitHub, and GitLab, all using specially encrypted archives, as well as an integrated Tor network tunnel for communication with command-and-control (C2) servers. The researchers further note that the breadth of StripedFly is "astonishing," given that it evaded detection for six years. 

How Does StripedFly Operate? 

The main structural component of the malware is a monolithic binary code that could be expanded by the attackers through different pluggable modules. Every module, whether for added functionality or to offer a service, is in charge of setting up and maintaining its own callback function in order to communicate with a C2 server.

The platform first appears on a network as a PowerShell script delivered through a server message block (SMB) attack that looks like a modified variant of EternalBlue. EternalBlue was leaked publicly in April 2017 and is still a danger to unpatched Windows systems that expose SMBv1.

The malware uses a variety of persistence methods, depending on whether a PowerShell interpreter is available and which privileges the process has been given. As the researchers wrote, "typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server."

The functionality modules are wide and varied, giving attackers a range of options that enable them to continuously monitor a victim's network activity. The modules include the Monero cryptominer mentioned earlier, as well as a variety of command handlers, a credential harvester, repeatable tasks that can record microphone input, take screenshots, and carry out other tasks on a scheduled basis, a reconnaissance module that gathers a lot of system data, and SMBv1 and SSH infectors for worming and penetration capabilities.

Analyzing Android and iOS Cybersecurity Vulnerabilities

In the ever-evolving landscape of mobile technology, the debate surrounding the security of Android and iOS operating systems continues to captivate the tech community. With cyberattacks becoming increasingly sophisticated, understanding which platform, Android or iOS, is more vulnerable to such threats is a crucial concern for users worldwide.

A detailed comparison by MakeUseOf found that both Android and iOS have strengthened their security mechanisms considerably over time, but that Android presents the larger attack surface: it is an open-source platform with a more open ecosystem, which exposes it to more malware and to unauthorized software installations. Kaspersky makes the same point, noting that Android's open ecosystem draws the attention of more cybercriminals.

As the Kaspersky information center discusses, iOS, on the other hand, has a strict app review procedure that makes it more difficult for malicious apps to enter the App Store. This thorough screening process helps to create the impression that iOS is a more secure platform by serving as a barrier against potentially dangerous software.

Recent remarks made by well-known businesspeople stoke the controversy even further. According to YourStory, the head of Instagram said that Android had better security than iOS. He cited the flexible security features and strong encryption methods of Android as factors that have improved its security profile. But considering Android's greater user base, it's also crucial to recognize that this viewpoint might be influenced by business reasons.

Wirecutter, the New York Times review site, stresses in its analysis how crucial frequent updates are to staying secure. iOS has the advantage here: because Apple controls both the hardware and the operating system, it can push security fixes to all supported devices at once, whereas Android updates pass through multiple manufacturers and carriers, which delays patches for many devices.

In terms of cyberattack susceptibility, there is no clear winner between Android and iOS. The security features and vulnerabilities of each operating system are distinct. While iOS's closed environment gives tighter control and faster updates, Android's openness lets it be more flexible but also attracts more dangers. Selecting a platform requires users to take into account their usage habits, preferences, and risk tolerance. Both Android and iOS will probably keep improving their security features as cyber threats continue to change in order to dominate the digital security space.


The Safety of VPN Use: A Closer Look

The usage of Virtual Private Networks (VPNs) has experienced an unprecedented surge in recent years, as individuals and organizations seek enhanced online privacy and security. However, amidst this widespread adoption of VPNs, it is crucial to question whether users are truly safeguarded in their digital endeavors. 

According to a recent report by Cybersecurity Insiders and Zscaler, VPN usage has reached an all-time high, with 78% of organizations employing VPN services to safeguard their network traffic. Additionally, a study conducted by Security.org revealed that 30% of internet users globally rely on VPNs for various purposes, including bypassing geo-restrictions, securing public Wi-Fi connections, and shielding their digital footprints from prying eyes.

While VPNs offer several benefits, such as encryption and anonymity, it is crucial to understand that not all VPNs are created equal. Some low-quality or free VPN services may pose significant risks to users' online safety. Dr. Max Vetter, Chief Cyber Officer at Immersive Labs, emphasizes this concern, stating, "A VPN is only as secure as its provider. Users must exercise caution when selecting a VPN service, as not all providers prioritize security and privacy."

In the pursuit of privacy and security, users often overlook the fact that their VPN provider can still see their online activity. Some VPN companies log user data, including browsing history and connection timestamps, raising concerns about privacy breaches. For maximum protection, choose a reputable VPN service with a strict no-logging policy, ideally one verified by an independent audit rather than only claimed in marketing.

Moreover, a VPN cannot shield users from all threats. It encrypts internet traffic and masks IP addresses, making it difficult for hackers or cybercriminals to intercept data. However, users must remain vigilant against other online risks, such as phishing attacks, malware, and social engineering. As Denis Legezo, Security Expert at Kaspersky, advises, "VPNs are not a panacea. They must be used in conjunction with other cybersecurity measures to ensure comprehensive protection."

It is worth noting that VPNs are not immune to vulnerabilities themselves. A recent industry report by Zscaler highlights that 91% of VPN services exhibit at least one potential security vulnerability. These vulnerabilities range from outdated protocols to weak encryption standards, putting users at risk. Regularly updating VPN software and opting for services with robust security protocols are essential steps in mitigating such vulnerabilities.

Why are Western Cyber Attacks Less Heard of?


Camaro Dragon, Fancy Bear, Static Kitten and Stardust Chollima are some of the most notorious hacking groups in the world. These teams have been accused of hacking, stealing information and causing disruption, allegedly on the orders of their governments.

Western cybersecurity companies have been pinpointing where these groups operate from, warning users about these 'advanced persistent threat' (APT) groups. The groups have mostly been traced back to Russia, China, North Korea and Iran.

Cyber Defenders Under Attack

Russia's best-known cybersecurity company, Kaspersky, had to investigate its own staff when several employees' mobile phones began sending data to suspicious corners of the internet.

"Obviously our minds turned straight to spyware but we were pretty sceptical at first[…]Everyone's heard about powerful cyber tools which can turn mobile phones into spying devices but I thought of this as a kind of urban legend that happens to someone else, somewhere else," said chief security researcher Igor Kuznetsov.

After painstakingly analysing "several dozen" infected iPhones, Kuznetsov concluded that his initial suspicion had been right: the team had uncovered a large, sophisticated surveillance operation against its own staff. The attackers infected the phones simply by sending an iMessage that installed the malware and then deleted itself from the device.

The implant sent the victims' phone contents back to the attackers at regular intervals, including messages, emails and photos, and it could access the camera and microphone.

Asked about attribution, Kaspersky declined to say where the attack originated, stating that it is not interested "in from where this digital espionage attack was launched."

The Russian government, however, drew its own conclusions. Russian security agencies released an urgent advisory the same day Kaspersky announced its discovery, claiming to have "uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices.”

The bulletin also accused Apple of involvement in the campaign, which Apple denied. The agency named, the US National Security Agency (NSA), did not comment on the accusations.

Separately, the US government and Microsoft issued a statement last month reporting that Chinese state-sponsored hackers had been found "lurking inside energy networks in US territories".

China denied the accusations, saying the "story was a part of a disinformation campaign" from the Five Eyes countries: the US, the UK, Australia, Canada and New Zealand.

Chinese Foreign Ministry official Mao Ning added China's regular response: "The fact is the United States is the empire of hacking."

But as with Russia, China now appears to be taking a more assertive stance in criticizing Western hacking.

According to the state-run China Daily, foreign government-backed hackers are now the biggest threat to the nation's cyber security.

The Chinese company 360 Security Technology backed the warning with a statistic, stating that it has found "51 hacker organizations targeting China." Requests for comment from the company went unanswered.

China also charged the US with hacking a government-funded university in charge of space and aviation research last September.

While many would dismiss China's accusations, there may be some truth to them.

Researchers point to several reasons why Western hacking groups rarely come to light: 

  • The US is the only tier-one cyber power in the world, measured on attack, defence and influence. It is also ranked the world's top cyber power by the National Cyber Power Index, compiled by researchers at the Belfer Center for Science and International Affairs. 
  • Western cyber-security companies see less Western activity because they have few customers in rival countries. They may also put less effort into investigating Western groups, since many earn a large share of their revenue from lucrative UK or US government contracts.
  • Western operations are also often more covert and cause less collateral damage, so fewer incidents ever surface.

Tackling the Top Initial Attack Vectors in Ransomware Campaigns

Ransomware attacks remain a major concern for organizations worldwide, causing significant financial losses and operational disruptions. A recent report by Kaspersky sheds light on the primary attack vectors used in ransomware campaigns, highlighting the importance of addressing these vulnerabilities to mitigate the risk of an attack.

According to the report, three common initial attack vectors account for the majority of ransomware campaigns: phishing emails, vulnerable remote access services, and software vulnerabilities. These vectors serve as entry points for threat actors to gain unauthorized access to systems and initiate ransomware attacks.

Phishing emails remain one of the most prevalent methods used by attackers to distribute ransomware. These emails often employ social engineering techniques to deceive users into opening malicious attachments or clicking on malicious links, leading to the execution of ransomware on their devices. It is crucial for organizations to educate employees about recognizing and avoiding phishing attempts and to implement robust email security measures to filter out such malicious emails.

Vulnerable remote access services pose another significant risk. Attackers target exposed Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services, exploiting weak or compromised credentials to gain unauthorized access to networks. Organizations should require multi-factor authentication for all remote access, keep RDP off the public internet (behind a VPN or gateway), enforce strong password practices, and regularly update and patch their remote access solutions to mitigate this risk.
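Both the credential-stuffing discussion in the earlier "Rise in Cybercrime" post and the remote-access vector described here come down to the same log signal: bursts of failed logins from one source, and any success that follows them. The example below is added here; it is not taken from Kaspersky's report or from any product, and it uses a constructed gateway log format and constructed events (RFC 5737 documentation addresses). It groups failures per source IP and time window, classifies each burst as brute force (one account, many guesses) or credential stuffing/spray (many accounts, roughly one guess each), and lists accounts that logged in successfully from a source that had just been failing, which is the event worth paging on.

```python
"""Classify failed-login bursts in a remote-access log and spot successes after them."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed log format (not any real product's):
#   "<ISO8601Z> <OK|FAIL> user=<name> src=<ip> svc=<rdp|vpn>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<result>OK|FAIL)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+svc=(?P<svc>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def window_key(ts, minutes):
    """Fixed time bucket so that events in one burst land in the same window."""
    return int(ts.timestamp()) // 60 // minutes


def analyze(lines, window_minutes=10, fail_threshold=8, single_user_share=0.8):
    """Return one alert per (source, window) whose failures reach fail_threshold.

    brute-force: most failures hit one account (password guessing).
    credential-stuffing/spray: failures spread thinly across many accounts,
        which is what replayed stolen pairs, or one password tried everywhere,
        look like from the server side.
    Any OK from the same source in the same window is listed as compromised.
    """
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            buckets[(ev["src"], window_key(ev["ts"], window_minutes))].append(ev)

    alerts = []
    for (src, _), events in sorted(buckets.items()):
        fails = [e for e in events if e["result"] == "FAIL"]
        if not fails or len(fails) < fail_threshold:
            continue
        per_user = Counter(e["user"] for e in fails)
        top_share = per_user.most_common(1)[0][1] / len(fails)
        kind = "brute-force" if top_share >= single_user_share else "credential-stuffing/spray"
        alerts.append({
            "src": src,
            "svc": events[0]["svc"],
            "kind": kind,
            "failures": len(fails),
            "distinct_users": len(per_user),
            "compromised": sorted({e["user"] for e in events if e["result"] == "OK"}),
        })
    return alerts


def constructed_log():
    """Synthetic auth log: an RDP brute force, a VPN stuffing run that succeeds,
    and a user who mistypes a password twice (below threshold, no alert)."""
    lines = [f"2024-05-01T10:00:{i:02d}Z FAIL user=admin src=203.0.113.7 svc=rdp"
             for i in range(12)]
    victims = ["a.smith", "b.jones", "c.lee", "d.kim", "e.wang",
               "f.ali", "g.roy", "h.ito", "i.cruz", "j.doe"]
    lines += [f"2024-05-01T10:03:{i:02d}Z FAIL user={u} src=198.51.100.23 svc=vpn"
              for i, u in enumerate(victims)]
    lines.append("2024-05-01T10:03:10Z OK user=j.doe src=198.51.100.23 svc=vpn")
    lines += [
        "2024-05-01T10:05:00Z FAIL user=bob src=192.0.2.5 svc=vpn",
        "2024-05-01T10:05:20Z FAIL user=bob src=192.0.2.5 svc=vpn",
        "2024-05-01T10:05:30Z OK user=bob src=192.0.2.5 svc=vpn",
    ]
    return lines


if __name__ == "__main__":
    for a in analyze(constructed_log()):
        print(f"{a['src']:15s} {a['svc']:4s} {a['kind']:26s} fails={a['failures']:3d} "
              f"users={a['distinct_users']:3d} compromised={a['compromised']}")
```

The thresholds are starting points, not tuned values: a gateway that sees many users behind one NAT address will need a higher failure threshold or a per-user dimension, and a spray that rotates source addresses will only show up if you also aggregate by target account across sources.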

Software vulnerabilities also play a crucial role in enabling ransomware attacks. Threat actors exploit known vulnerabilities in operating systems, applications, or plugins to gain a foothold in networks and deploy ransomware. It is essential for organizations to establish a comprehensive patch management process, promptly applying security updates and patches to address known vulnerabilities.

To effectively combat ransomware campaigns, organizations should adopt a multi-layered security approach. This includes implementing strong perimeter defenses, such as firewalls and intrusion detection systems, to detect and block malicious traffic. Endpoint protection solutions that utilize advanced threat detection and prevention mechanisms are also critical in identifying and mitigating ransomware threats.

Regular backups of critical data are essential to recovering from ransomware attacks without paying the ransom. Backups should be kept offline or on immutable storage, protected by credentials separate from the production domain, and restored regularly in tests to verify their integrity and that recovery actually works.

Reducing the risk of ransomware attacks requires addressing the three primary attack vectors: phishing emails, weak remote access services, and software flaws. Businesses may fortify their defenses and lessen the effects of ransomware events by implementing strong security measures, employee education, timely patching, and backup procedures.

Preinstalled ‘Guerrilla’ Malware Infects Millions of Smartphones Worldwide
Security experts have made the alarming discovery that preloaded 'Guerrilla' malware has been disseminated on millions of smartphones globally. Once embedded in the device, this sneaky type of malware grants attackers unrestricted access to private user data, potentially resulting in privacy violations and financial loss.

The Guerrilla malware, also known as the Triada trojan, is one of the most advanced and persistent mobile threats to date. It was first identified by Kaspersky researchers, who found it embedded in the firmware of various Android devices. This preinfection tactic makes it extremely difficult for users to detect and remove the malware, as it resides deep within the device's system files.

The Lemon Group, a notorious cybercriminal organization, is believed to be behind the distribution of these infected smartphones. They capitalize on unsuspecting users who unknowingly purchase devices already compromised with the Guerrilla malware. Once activated, the malware acts as a backdoor, allowing the cybercriminals to remotely control the device, intercept communications, and steal sensitive information such as login credentials, banking details, and personal data.

The implications of this preinfection tactic are profound. Users are left vulnerable, unaware that their devices have been compromised from the moment they start using them. Even performing a factory reset or flashing the firmware does not guarantee the complete removal of the malware, as it can persist in the device's system files.

To make matters worse, many of these infected devices are sold in regions with limited cybersecurity awareness and infrastructure, making it even more challenging to address the issue effectively. The impact extends beyond individual users to businesses and organizations that may unwittingly integrate these compromised devices into their networks, potentially exposing sensitive corporate data to cybercriminals.

The discovery of millions of smartphones distributed with preinstalled Guerrilla malware underscores the urgent need for stronger security measures throughout the supply chain. Smartphone manufacturers must implement rigorous security checks to ensure that their devices are free from malware before they reach the market. Additionally, users should exercise caution when purchasing devices, opting for reputable sellers and performing regular security scans on their devices.

The battle against preinstalled malware requires collaboration between smartphone manufacturers, cybersecurity researchers, and law enforcement agencies. By sharing intelligence and implementing proactive measures, it is possible to mitigate the impact of this growing threat and protect users from the dangers of preinstalled malware.

Guerrilla spyware that comes preinstalled on millions of cellphones poses a serious threat to consumer security and privacy. Users, manufacturers, and the cybersecurity community must all exercise vigilance and be proactive in addressing this sneaky danger due to the clandestine nature of this malware. We can only protect our digital life and maintain the integrity of our cellphones by working together.

Cybercriminals Set Android Apps For Sale for Up to $20K a Piece


Cyber threat actors have lately been targeting the security of the official Google Play app store by building trojanized versions of existing Android apps and selling the malware for up to $20,000 a piece on darknet markets. 

In a blog post published on April 10, Kaspersky researchers reported their findings of a thorough analysis of nine of the most well-known Dark Web forums. They discovered a booming market of buyers and sellers exchanging access to botnets, malicious Android applications, and app developer accounts for hundreds of dollars at a time by monitoring activities between 2019 and 2023. 

Some highly valuable products, such as source code that can let a threat actor hack into an existing cryptocurrency or a dating app on Google Play can cost several thousand dollars. 

"It's an infinite cat and mouse game[…] The attackers find a way to bypass security scanners. Then the people developing the security scanners deploy patches to ensure that doesn't happen again. Then the attackers find new flaws. And it goes on and on," says Georgy Kucherin, Kaspersky researcher, regarding Google's app security. 

The Marketplace for Google Play Hacks 

Any program that is submitted to the Apple or Google app stores undergoes a rigorous inspection. However, according to the Kaspersky researchers, "just like any security solution that exists in the world, it's not 100% effective[…] Every scanner contains flaws that threat actors exploit to upload malware to Google Play." 

Commonly, there are two methods by which a hacker attempts to sneak malware onto an app store: 

  • The first method entails publishing a completely benign app to the app store. Once it has been approved, or better still, once it has attracted a sizable enough audience, the hackers submit an update that contains the malicious code. 
  • The second involves hackers compromising legitimate app developers, accessing their accounts to upload malware to already-existing apps. Without two-factor authentication and strong password requirements in place, app developer accounts are more vulnerable to takeover. Credential leaks occasionally let hackers accomplish most of their goals in one step by giving them access to important company development systems and accounts. 

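The first method above works because the version that was reviewed is not the version that later ships. One cheap defensive check, on the store side or in an enterprise that vets apps before allowing them on managed devices, is to diff what an update requests against what the approved version requested and hold the update for manual review when newly added permissions are sensitive. The following is an added example, not code from Kaspersky or Google: the two `AndroidManifest.xml` fragments are constructed (a fictional `com.example.flashlight` app), and the `SENSITIVE` watch-list is an illustrative selection of real Android permission names, not a complete policy.

```python
"""Flag an app update that newly requests sensitive permissions.
Added example; manifests and watch-list are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions whose sudden appearance in an update deserves manual review.
# Illustrative watch-list (real permission names); tune it to the app's stated purpose.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.QUERY_ALL_PACKAGES",
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name="..."/> in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def review_update(approved_xml: str, update_xml: str) -> dict:
    """Diff the permission sets of the approved build and the proposed update."""
    old = requested_permissions(approved_xml)
    new = requested_permissions(update_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "sensitive_added": sorted(added & SENSITIVE),
        "needs_review": bool(added & SENSITIVE),
    }


# Constructed: the reviewed, benign first release of a flashlight app.
APPROVED_V1 = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Constructed: a later update that quietly asks for SMS access and overlay rights,
# which a flashlight app has no business needing.
UPDATE_V2 = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""


if __name__ == "__main__":
    verdict = review_update(APPROVED_V1, UPDATE_V2)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

A permission diff does not catch code that abuses permissions the app already holds, so it complements, rather than replaces, scanning of the update's code; its value is that it is cheap and that it targets exactly the "benign first, malicious later" pattern.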
Moreover, access to a Google Play developer account may cost as little as $60, depending on the developer. Other, more valuable accounts, resources, and services command significantly higher prices. 

For example, given the capability they provide, loaders — the software needed to inject malicious code into an Android app — are expensive on darknet markets, priced at up to $5,000 per instance. 

A well-resourced criminal could well go with a premium package, like the source code for a loader. 

"You can do whatever you want with that — deploy it to as many apps as you want[…] You can modify the code as much as you want, adapting it to your needs. And the original developer of the code may even provide support, like updates for the code, and maybe new ways to bypass security measures," Kucherin explains. 

How Can a Company Protect Itself from Google Play Threats 

The threats posed by Google Play are a cause of great concern to organizations, especially those with weak enterprise security. Kucherin notes that many businesses still have lax bring-your-own-device arrangements in place, which extend the security perimeter outside the corporate network and into the hands of their employees. 

"Say an employee installs a malicious app on the phone[…] If this app turns out to be a stealer, cybercriminals can get access to, for example, corporate emails or sensitive corporate data, then they can upload it to their servers and sell it on the Dark Web. Or even worse: An employee might keep their passwords in, for example, their phone's notes app. Then hackers can steal those notes and get access to corporate infrastructure," he explains. 

In order to prevent such severe outcomes, Kucherin suggests two simple precautionary measures: 

First, teach employees cyber-hygiene principles, such as not installing apps that are not trusted. That alone may not suffice, so "another thing you can do — though it's more expensive — is give your employees a separate phone, which they will use only for purposes of work. Those devices will contain a limited number of apps — just the essentials like email, phone, no other apps allowed," he adds. 

Just as it is for the cybercriminals, you have to pay more to get more, he notes: "Using dedicated work devices is more effective, but more expensive."