CySecurity News - Latest Information Security and Hacking Incidents: Malicious Campaign

Cyber Scam Malicious Campaign malware Tria Stealer User Privacy

Fake Wedding Invitation Malware Targets Android Users

Malicious actors are propagating a recently discovered Android malware called Tria by sending phoney wedding invitations to consumers in Brunei and Malaysia.

According to a report published by the Russian cybersecurity firm Kaspersky, the attackers have been using private and group chats on Telegram and WhatsApp since mid-2024 to distribute the malware, inviting users to weddings and prompting them to install a mobile app in order to get the invitation.

Once the malware is installed, it can collect private information from call logs, emails (including Gmail and Outlook), SMS messages, and messaging apps (such as WhatsApp and WhatsApp Business).

Researchers caution that accounts that depend on email and messaging app authentication could be compromised, passwords can be reset, or online banking can be accessed using the stolen data.

The attackers' main objective seems to be taking complete control of the victims' Telegram and WhatsApp accounts so they can make phoney money requests to connections or propagate malware. To process stolen data, the hackers employ two Telegram bots: one for managing SMS data and another for gathering text from emails and instant messaging apps.

According to Kaspersky, posts on social media sites like Facebook and X suggest that the campaign has reached a number of Android users in Malaysia, while the precise number of victims is still unknown.

The researchers have not identified a specific organisation responsible for the attack, but evidence implies that the hackers are Indonesian-speaking.

In 2023, Kaspersky discovered a similar effort known as UdangaSteal, in which hackers stole text messages from users in Indonesia, Malaysia, and India and transmitted the data to their servers using a Telegram bot. The attackers utilised a variety of deceptive approaches to trick users into installing malicious files, such as bogus wedding invites, package delivery notifications, annual tax payment reminders, and job offers.

Despite their similarities, experts identify major differences between the two attacks, such as distinct malware code, geographic targets, and attack techniques. While UdangaSteal has always focused on SMS theft, experts say Tria has a larger reach, attacking emails and chat apps as well as SMS conversations.

Cybercriminals Exploit PDFs in Novel Mishing Campaign



 

User Security

Cyber Attacks Malicious Campaign Mishing PDF Files User Security

Cybercriminals Exploit PDFs in Novel Mishing Campaign

In a recently uncovered phishing campaign, threat actors are employing malicious PDF files to target mobile device users in potentially more than fifty nations.

Dubbed as the "PDF Mishing Attack," the effort exposes new vulnerabilities in mobile platforms by taking advantage of the general belief that PDFs are a secure file format.

The phishing campaign poses as the United States Postal Service (USPS) to earn consumers' trust and trick them into downloading infected PDFs. Once opened, the hidden links take victims to phishing pages designed to steal credentials.

"PDFs are used extensively for contracts, reports, manuals, invoices, and other critical business communications," said the zLabs team at Zimperium, who uncovered the campaign. “Their ability to incorporate text, images, hyperlinks, and digital signatures while maintaining integrity makes them ideal for enterprises prioritizing professionalism and compliance.”

Hidden in plain sight

Threat analysts at zLabs have been keeping a close eye on the phishing campaign, which targets only mobile devices and poses as the US Postal Service (USPS). It has discovered 630 phishing pages and over 20 malicious PDF files.

“This campaign employs sophisticated social engineering tactics and a never-before-seen means of obfuscation to deliver malicious PDF files designed to steal credentials and compromise sensitive data,” the researchers noted.

Advanced evasion techniques hide clickable malicious URLs within PDF documents, easily bypassing traditional endpoint security solutions. This assault is primarily aimed at mobile device users, capitalising on the limited accessibility that mobile platforms provide while previewing file contents. Unlike desktop platforms, where PDFs are often used with security overlays, mobile devices lack the same safeguards, leaving users vulnerable to covert attacks.

On threat detection

This latest attack highlights the need for enhanced mobile threat defenses. PDFs have long been thought to be safe for sharing and storing information, however this is not the case.

According to an HP Wolf Security report, PDF threats are on the rise. While online criminals used to primarily use PDF lures to steal credentials and financial data via phishing, there has been a shift and an increase in malware distribution via PDFs, including strains such as WikiLoader, Ursnif, and Darkgate.

Zimperium emphasises the value of on-device threat detection to find and eliminate these scourges before they can do any damage because traditional endpoint security systems, which are sometimes made with desktop settings in mind, may not be able to detect sophisticated attacks on mobile platforms.

Hackers Employ Fake Mac Homebrew Google Ads in Novel Malicious Campaign



 

malware

fake ads Google Ads Infostealer Malicious Campaign malware

Hackers Employ Fake Mac Homebrew Google Ads in Novel Malicious Campaign

Hackers are once more exploiting Google advertisements to disseminate malware, using a fake Homebrew website to compromise Macs and Linux systems with an infostealer that harvests credentials, browsing data, and cryptocurrency wallets.

Ryan Chenkie discovered the fraudulent Google ad campaign and warned on X regarding the potential of malware infection. The malware employed in this operation is AmosStealer (aka 'Atomic'), an infostealer intended for macOS devices and sold to malicious actors on a monthly subscription basis for $1,000.

The malware recently appeared in various malvertising campaigns promoting bogus Google Meet conferencing pages, and it is now the preferred stealer for fraudsters targeting Apple customers.

Targeting Homebrew customers

Homebrew is a popular open-source package manager for macOS and Linux that lets you install, update, and manage software using the command line.

A fraudulent Google advertising featured the correct Homebrew URL, "brew.sh," misleading even seasoned users into clicking it. However, the ad redirected users to a bogus Homebrew website hosted at "brewe.sh". Malvertisers have extensively exploited this URL strategy to trick users into visiting what appears to be a legitimate website for a project or organisation.

When the visitor arrives at the site, he or she is requested to install Homebrew by copying and pasting a command from the macOS Terminal or Linux shell prompt. The official Homebrew website provides a similar command for installing legitimate software. However, running the command displayed on the bogus website will download and execute malware on the device.

Cybersecurity expert JAMESWT discovered that the malware injected in this case [VirusTotal] is Amos, a potent infostealer that targets over 50 cryptocurrency extensions, desktop wallets, and online browser data. Mike McQuaid, Homebrew's project leader, indicated that the project is aware of the situation but that it is beyond its control, criticising Google's lack of oversight.

"Mac Homebrew Project Leader here. This seems taken down now," McQuaid stated on X. "There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good.”

At the time of writing, the malicious ad has been removed, but the campaign could still run through other redirection domains, therefore Homebrew users should be aware of sponsored project adverts.

To mitigate the risk of malware infection, while clicking on a link in Google, make sure you are directed to the authentic site for a project or company before entering sensitive information or installing software. Another safe option is to bookmark official project websites that you need to visit frequently when sourcing software and utilise them instead of searching online every time.

New “Double-Clickjacking” Threat Revealed: Security Settings at Risk



 

User Security

Clickjacking Cyber Fraud Fake Captcha Malicious Campaign User Security

New “Double-Clickjacking” Threat Revealed: Security Settings at Risk

Cybersecurity experts are raising alarms about a new twist on the classic clickjacking attack technique. Paulos Yibelo, a security engineer at Amazon, has uncovered a variant called “double-clickjacking,” capable of disabling security settings, deleting accounts, or even taking over existing ones. This novel approach reignites concerns over online safety, urging users to be cautious when interacting with websites.

Clickjacking is a malicious tactic where hackers manipulate user clicks on one website to trigger unintended actions on another. For instance, a user might think they are clicking a button to navigate a site but inadvertently perform an action, such as making a purchase, on an entirely different platform.

Double-clickjacking takes this concept further by introducing an additional click. This adaptation helps attackers bypass modern browser protections that no longer deliver cross-site cookies. According to Yibelo, this seemingly minor tweak “opens the door to new UI manipulation attacks that bypass all known clickjacking protections.”

In documented cases, hackers lure victims to phishing websites, often disguised with a standard CAPTCHA verification process. Instead of typing text or identifying objects in images, users are prompted to double-click a button to prove they are human.

Here’s where the attack takes place:

First Click: The user closes the top window, seemingly completing the CAPTCHA process.
Second Click: This click is redirected to a sensitive page, such as an OAuth authorization or account settings page. The victim unknowingly confirms permissions, disables security features, or performs other critical actions.

Yibelo explains that this subtle manipulation is effective against many popular websites, allowing attackers to gain OAuth and API authorizations. The attack can also facilitate one-click account modifications, including disabling security settings, deleting accounts, authorizing money transfers, and verifying sensitive transactions. Even browser extensions are not immune to this method.

The Implications for Online Security

The resurgence of clickjacking attacks, now enhanced by the double-click variant, poses significant risks to both individual and organizational security. By exploiting common website interfaces and leveraging seemingly harmless CAPTCHA verifications, attackers can easily gain unauthorized access to sensitive information and functionalities.

Yibelo’s findings serve as a stark reminder of the evolving nature of cybersecurity threats. Websites must remain vigilant, regularly updating their defenses to counter these new manipulation techniques.

How to Stay Safe

Cybersecurity professionals recommend the following precautions to minimize the risk of falling victim to double-clickjacking:

Verify Websites: Always ensure you are on a legitimate website before interacting with any CAPTCHA or button.
Update Software: Keep browsers and extensions up-to-date with the latest security patches to reduce vulnerabilities.
Use Anti-Phishing Tools: Enable browser settings or software designed to detect and block phishing sites.
Be Skeptical: Avoid double-clicking buttons on unfamiliar sites, especially if prompted during unexpected verifications.

As cyber threats continue to evolve, user awareness remains a critical line of defense. The discovery of double-clickjacking highlights the importance of staying informed and cautious while navigating the digital world. By adopting secure browsing habits and staying vigilant, individuals and organizations can protect themselves against this emerging attack vector.

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign



 

OtterCookie

Infostealer Malicious Campaign malware North Korean Hackers OtterCookie

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

The North Korean hackers behind the ongoing Contagious Interview campaign have been observed launching a new JavaScript malware named OtterCookie.

The campaign includes social engineering techniques, with the hacker team frequently posing as recruiters to trick job seekers into downloading malware during an interview process. This entails sharing malware-laced files via GitHub or the official package registry, paving the way for the propagation of malware like BeaverTail and InvisibleFerret.

Palo Alto Networks Unit 42, which first detected the activity in November 2023, is tracking the cluster as CL-STA-0240. In September 2024, Singaporean cybersecurity company Group-IB disclosed the deployment of an upgraded version of BeaverTail that employs a modular approach, delegating its information-stealing capability to a collection of Python scripts known as CivetQ.

According to the latest findings from Japanese cybersecurity company NTT Security Holdings, the JavaScript malware that launches BeaverTail is also designed to fetch and execute OtterCookie.

The new malware is said to have been launched in September 2024, with a new variant identified in the wild last month. OtterCookie, upon running, establishes connections with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It is intended to execute shell commands that facilitate data theft, including files, clipboard items, and cryptocurrency wallet keys.

The older OtterCookie variant discovered in September is functionally identical, but with a slight implementation difference: the cryptocurrency wallet key theft capability is directly incorporated into the malware, rather than a remote shell command. The discovery indicates that attackers are actively updating their tools while leaving the infection chain mostly intact, highlighting the campaign's efficacy.

This comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organisation in connection with a fraudulent IT worker program engineered by North Korea to establish a regular source of funds. These funds are funnelled to North Korea, often through data theft and other illegal means.

Kim Ryu Song, one of the 15 sanctioned individuals, was also charged by the U.S. Department of Justice (DoJ) earlier this month for allegedly participating in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organisations.

Malware Campaign Expands Its Use of Fraudulent CAPTCHAs



 

Online Security

CAPTCHA Lumma Stealer Malicious Campaign malware Online Security

Malware Campaign Expands Its Use of Fraudulent CAPTCHAs

Attackers are increasingly spreading malware using a unique method: a fake CAPTCHA as the initial infection vector. Researchers from multiple companies reported on this campaign in August and September. The attackers, who mainly targeted gamers, first transmitted the Lumma stealer to victims via websites hosting cracked games.

The recent adware research shows that this malicious CAPTCHA is spreading through a wide range of online resources unrelated to gaming, including adult sites, file-sharing services, betting platforms, anime resources, and web apps that monetise traffic. This shows that the distribution network is being expanded to reach a larger pool of victims. Furthermore, we discovered that the CAPTCHA distributes both Lumma and the Amadey Trojan.

Malicious CAPTCHA

It's critical to comprehend how the attackers and their distribution network function in order to prevent falling for their tricks. Legitimate, non-malicious offers are also included in the ad network that pushes pages with the malicious CAPTCHA.

It works as follows: the user is redirected to additional resources when they click anywhere on a page that uses the ad module. As is common with adware, the majority of redirects take users to websites that advertise security software, ad blockers, and similar products. Sometimes, though, the victim is directed to a page that contains the malicious CAPTCHA.

Unlike genuine CAPTCHAs, which are intended to safeguard websites from bots, this copycat promotes illicit resources. As with the previous stage, the victim does not always come across malware. For example, the CAPTCHA on one of the sites invites the visitor to scan a QR code, which leads to a betting site.

The Trojans are distributed using CAPTCHAs that provide instructions. By clicking the "I'm not a robot" button, you can copy the powershell line.exe -eC bQBzAGgAdABhA <...>MAIgA= to the clipboard and displays the following "verification steps":

To open the Run dialogue box, use Win + R.
Subsequently, paste the clipboard line into the text field using CTRL + V.
Finally, press Enter to execute the code.

Payload: Amadey trojan

Researchers have discovered that the same effort is also propagating the Amadey Trojan. Since 2018, Amadey has been the subject of multiple security reports. In short, the Trojan downloads multiple modules that steal credentials from major browsers and Virtual Network Computing (VNC) systems.

It also detects cryptocurrency wallet addresses in the clipboard and replaces them with those owned by the attackers. One of the modules can also capture screenshots. In some cases, Amadey downloads the Remcos remote access tool to the victim's device, allowing the attackers complete control over it.

From September 22 to October 14, 2024, over 140,000 users encountered ad scripts. According to Kaspersky's telemetry data, more than 20,000 of these 140,000 users were routed to infected sites, where some encountered a phoney update notification or a fake CAPTCHA. Users from Brazil, Spain, Italy, and Russia were the most commonly affected.

Microsoft Warns of Russian Spear-Phishing Campaign Targeting Multiple Organizations



 

Spear Phishing

Business Security Cyber Attacks Malicious Campaign Russian Hacker Spear Phishing

Microsoft Warns of Russian Spear-Phishing Campaign Targeting Multiple Organizations

Microsoft Threat Intelligence has discovered a new attack campaign by Russian hacker group Midnight Blizzard, targeted at thousands of users from over 100 organisations. The attack uses spear-phishing emails that contain RDP configuration files, allowing perpetrators to connect to and potentially compromise the targeted systems.

The malicious campaign targeted thousands of users from higher education, defence, non-governmental organisations, and government institutions. Dozens of nations have been impacted, mainly in the United Kingdom, Europe, Australia, and Japan, consistent with previous Midnight Blizzard phishing attacks.

In the most recent Midnight Blizzard assault campaign, victims received meticulously targeted emails including social engineering lures related to Microsoft, Amazon Web Services, and the concept of Zero Trust.

According to Microsoft Threat Intelligence, the emails were sent using email addresses from legitimate organisations obtained by the threat actor during earlier breaches. Every email included an RDP configuration file signed with a free LetsEncrypt certificate and included multiple sensitive parameters. When the user accessed the file, an RDP connection was established with an attacker-controlled system.

The threat actor could then use the established RDP connection to acquire information regarding the targeted device, such as files and folders, connected network drives, and peripherals such as printers, microphones, and smart cards.

It would also allow for the collection of clipboard data, web authentication via Windows Hello, passkeys and security keys, and even point-of-sale devices. Such a link may also enable the threat actor to install malware on the targeted device or mapped network share(s).

Outbound RDP connections were established to domains constructed to deceive the victim into thinking they were AWS domains. Amazon, which is collaborating with the Ukrainian CERT-UA to combat the threat, began grabbing affected domains immediately in order to stop operations. Meanwhile, Microsoft alerted all impacted customers who had been targeted or compromised.

New Tool Circumvents Google Chrome's New Cookie Encryption System



 

User Security

Chrome Extension Cyber Security Data Privacy Infostealer Malicious Campaign User Security

New Tool Circumvents Google Chrome's New Cookie Encryption System

A researcher has developed a tool that bypasses Google's new App-Bound encryption cookie-theft defences and extracts saved passwords from the Chrome browser.

Alexander Hagenah, a cybersecurity researcher, published the tool, 'Chrome-App-Bound-Encryption-Decryption,' after noticing that others had previously identified equivalent bypasses.

Although the tool delivers what several infostealer operations have already done with their malware, its public availability increases the risk for Chrome users who continue to store sensitive information in their browsers.

Google launched Application-Bound (App-Bound) encryption in July (Chrome 127) as a new security feature that encrypts cookies using a Windows process with SYSTEM rights.

The goal was to safeguard sensitive data against infostealer malware, which operates with the logged user's access, making it impossible to decrypt stolen cookies without first achieving SYSTEM privileges and potentially setting off security software alarms.

"Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," noted Google in July. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing.”

However, by September, several infostealer thieves had discovered ways to circumvent the new security feature, allowing their cybercriminal customers to once again siphon and decrypt sensitive data from Google Chrome.

Google previously stated that the "cat and mouse" game between info-stealer developers and its engineers was to be expected, and that they never assumed that its defence measures would be impenetrable. Instead, they believed that by introducing App-Bound encryption, they could finally set the groundwork for progressively constructing a more robust system. Below is Google's response from the time:

"We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen.

We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.”

Microsoft Issues New Warnings For Windows Users



 

Windows User

Cyber Security Fake Captcha Malicious Campaign Threat Intelligence Windows User

Microsoft Issues New Warnings For Windows Users

As we approach the weekend, a new warning has been issued that a "global attack" is now targeting Windows users in multiple nations worldwide. The campaign is surprisingly basic, but it highlights the risk for the hundreds of millions of Windows 10 customers who will be without security upgrades in a year.

Palo Alto Networks' Unit 42 warned about the risks of fake new CAPTCHAs last month. Although it didn't receive much attention at the time, researcher John Hammond's video on X helped spread the word. McAfee researchers have recently released a fresh alert regarding these fraudulent CAPTCHA popups that are currently circulating.

These assaults should be easy to detect—but they’re designed to be casually effective. The fake challenges are designed to distribute Lumma Stealer. “These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware. The associated Lumma Stealer EXE files retrieve and use zip archives that don't appear to be inherently malicious on their own,” researchers explained. In its latest research, McAfee cautions that the ClickFix infection chain operates by tricking people into clicking on buttons like Verify you are a human' or 'I am not a robot.'"

When clicked, a malicious script is copied to the user's clipboard. Users are then tricked into pasting the script after pressing the Windows key + R, unknowingly launching the malware. This technique speeds up the infection process, allowing attackers to easily deploy malware.

The pattern is apparent to you. The crypto wallets and your account credentials are the main targets of the information-stealing malware that will be installed on your device. It doesn't appear to be a typical CAPTCHA, even if they are evolving and becoming more difficult to figure out. However, if, at that moment, copying and pasting isn't making you feel uneasy, turn off your computer and perhaps take a break.

Furthermore, McAfee identifies two deviously created lures, one aimed at consumers ready to download illegally copied games and the other at software developers concerned about a security flaw in code they wrote and distributed.

Users searching online for illegal copies of games are likely to have their guard up in any case; yet, the team warns that "they may encounter online forums, community posts, or public repositories that redirect them to malicious links.”

The second target group is even more sneaky. Users get phishing emails that frequently target GitHub contributors, pushing them to fix a fake security flaw. These emails provide links to the same fraudulent CAPTCHA pages.

This fake CAPTCHA campaign is starting to propagate; be cautious and take a moment to look for any signs of compromise when faced with one. It won't always be as clear as it is in this instance. These attacks will change and become more difficult to identify. It goes without saying that you should never, ever copy and paste and then execute from within a CAPTCHA.

This serves as another timely reminder to Windows 10 users that discontinuing support should not be one of their actions between now and October of next year. You'll need to switch to Windows 11 if Microsoft doesn't offer reasonably priced extension alternatives and workarounds aren't sufficient to close the gap.

BT Uncovers 2,000 Potential Cyberattacks Signals Every Second



 

Cyber Attacks Malicious Campaign Telecom Firm UK

BT Uncovers 2,000 Potential Cyberattacks Signals Every Second

BT logs 2,000 potential cyber attack signals per second, according to the latest data from the telecom behemoth, as it warns of the rising threat from cyber criminals.

The telecom firm stated it found that web-connected devices were being scanned more than 1,000 times each a day by known malicious sources, as attackers scan for vulnerabilities in online systems. While some scans are authentic for security monitoring, BT stated that 78% were not harmless.

BT said its most recent data on the issue revealed a 1,234% lift in new malicious scanners across its networks over the last year, and cautioned that the increase could be attributed to more malicious actors using AI-powered, automated bots to scan for vulnerabilities in security systems in order to avoid tools designed to detect suspicious activity.

The UK's National Cyber Security Centre (NCSC) has previously cautioned that AI technologies were upskilling malicious actors and lowering the entrance barrier to launch cyber attacks.

According to BT's research, the IT, defence, and financial services sectors were the most targeted for cyber assaults, but other sectors, such as retail, education, and hospitality, were being increasingly targeted since they are seen to have a lower security focus. The data was made public during BT's Secure Tomorrow cybersecurity festival at the company's Adastral Park research facility in Suffolk.

“Today, every business is a digital business, and our data shows that every 90 seconds hackers are checking connected devices to find a way in – like opportunistic burglars looking for an open window,” Tris Morgan, managing director for security at BT, stated.

“Tools like AI provide new routes of attack, but they can also the first line of defence. At BT, we’re constantly evolving our network security to stay one step ahead and protect more than a million businesses, day in, day out.”

The cybersecurity warning comes after the government announced that all UK data centres will be designated as Critical National Infrastructure (CNI), putting them on an equal footing with energy, water, and emergency services infrastructure, and will now receive more government support and protection from cyber attacks, IT blackouts, and environmental disasters.

Pro-Houthi Group Deploys Android Spyware to Target Yemeni Humanitarian Orgs



 

Yemen

Android Spyware Humanitarian Aid Malicious Campaign malware Pro-Houthi Group Yemen

Pro-Houthi Group Deploys Android Spyware to Target Yemeni Humanitarian Orgs

Insikt Group's research reveals that OilAlpha, a suspected pro-Houthi entity, continues to target humanitarian and human rights organisations in Yemen. They deploy malicious Android applications to steal credentials and gather intelligence, with the ability to control aid distribution.

Notable organisations affected include CARE International and the Norwegian Refugee Council. This report focuses on the continuous threat and recommends mitigating techniques such as social engineering skills, safe passwords, and multi-factor authentication.

In May 2023, Insikt outfit published its first report on OilAlpha, a pro-Houthi outfit that targets humanitarian organisations in Yemen with malicious Android applications. A year later, new discoveries show that OilAlpha is still active and poses a serious threat to humanitarian activities in the region.

A recently published report identified a new group of malicious mobile apps and infrastructure associated with OilAlpha. Employees of internationally renowned humanitarian organisations, such as Saudi Arabia's King Salman Humanitarian Aid and Relief Centre, the Norwegian Refugee Council, and CARE International, are the target audience for these applications.

Last month researchers discovered a malicious Android file named “Cash Incentives.apk,” linked to OilAlpha's infrastructure. The app requests invasive permissions, including access to the camera, audio, SMS, contacts, and more, classifying it as a remote access trojan (RAT). Subsequent investigation identified two more malicious applications targeting the Norwegian Refugee Council and CARE International, all attempting to steal credentials and gather sensitive information.

OilAlpha's operations include a credential theft portal under the domain kssnew[.]online. This webpage impersonates the login pages of humanitarian organisations, prompting users to enter their credentials, which are then captured by the perpetrators.

To address this issue, organisations should create information security policies and perform social engineering and anti-phishing awareness training. Strong passwords and multi-factor authentication (MFA) can dramatically reduce the likelihood of credential theft. Furthermore, users should exercise caution when using direct messaging on social media and encrypted messages, and check the legitimacy of messages whenever possible.

OilAlpha's operations point to a persistent effort to influence humanitarian relief distribution in Yemen. The group's focus on humanitarian organisations is expected to continue, possibly spreading outside Yemen.

Defending Hospitals and Clinics: Strategies Against Ransomware



 

Ransomware

Data Healthcare Malicious Campaign malware Ransomware

Defending Hospitals and Clinics: Strategies Against Ransomware

The healthcare industry has become a prime target for ransomware attacks in recent years. These malicious campaigns exploit vulnerabilities in healthcare systems, disrupt critical services, and compromise sensitive patient data.

According to Steve Stone, president of Rubrik's Zero Labs, ransomware is one of the levers changing how enterprises think about risk. Zero Labs' latest analysis shows that healthcare firms are more likely to lose 20% of their sensitive data after a ransomware attack.

This blog post will explore why healthcare organizations are at risk and discuss strategies to mitigate these threats.

1. Data Sensitivity and Volume

Healthcare organizations handle vast amounts of sensitive data, including patient records, medical histories, and financial information. This data is a goldmine for cybercriminals seeking economic gain. According to recent reports, healthcare data breaches cost organizations an average of $7.13 million per incident. The sheer volume of sensitive data makes healthcare an attractive target.

2. Architectural Similarities

While ransomware operators don’t exclusively focus on healthcare, the industry shares architectural nuances with other sectors. For instance:

Legacy Systems: Many healthcare institutions still rely on legacy systems that lack robust security features. These outdated systems are more susceptible to attacks.

Interconnected Networks: Healthcare networks connect various entities—hospitals, clinics, laboratories, and insurance providers. This interconnectedness creates multiple entry points for attackers.

Medical Devices: Internet of Things (IoT) devices, such as MRI machines and infusion pumps, are integral to patient care. However, they often lack proper security controls, making them vulnerable.

3. Risk Surface Area

Preventing ransomware starts with understanding your risk surface area. Here’s how healthcare organizations can reduce their exposure:

Identity Management: Properly managing user identities and access rights is crucial. Limiting access to sensitive data based on roles and responsibilities helps prevent unauthorized changes.

Data Visibility: Organizations must know where sensitive data resides, both on-premises and in the cloud. Regular audits and data classification are essential.

Backup and Recovery: Robust backup solutions are critical. Regularly backing up data ensures that even if ransomware strikes, organizations can restore systems without paying the ransom.

4. Incident Response Challenges

Healthcare organizations face unique challenges in incident response:

Hybrid Environments: Many healthcare systems operate in hybrid environments—partly on-premises and partly in the cloud. Coordinating incident response across these environments can be complex.

Patient Safety: Ransomware attacks can disrupt critical services, affecting patient care. Balancing data protection with patient safety is a delicate task.

Collaboration: Effective incident response requires collaboration among IT teams, legal departments, and external cybersecurity experts.

Hackers Reveal Their Strategy of Stealing Snowflake's Ticketmaster Data



 

Malicious Campaign

CISA Credential Theft Data Breach Data Leak Malicious Campaign

Hackers Reveal Their Strategy of Stealing Snowflake's Ticketmaster Data

Ticketmaster and other organisations' Snowflake accounts were said to have been accessed by a ShinyHunters hacker via a breach of software engineering firm EPAM Systems, validating a Mandiant report attributing some of the intrusions to third-party contractor hacks, Wired reported.

According to the hacker, information-stealing malware and a remote access trojan deployed against one of EPAM Systems' Ukraine-based employees allowed ShinyHunters to gain access to unencrypted credentials used by the employee to access the firm's customers' Snowflake accounts, which were then used to infiltrate the Snowflake accounts, including the one owned by Ticketmaster.

EPAM ruled out the ShinyHunters hacker's claims, but independent security researcher "Reddington" discovered an infostealer-harvested data repository online, including the internal EPAM URL to Ticketmaster's Snowflake account and the credentials employed by the EPAM worker to access Ticketmaster's account.

"This means that anyone that knew the correct URL to [Ticketmaster’s] Snowflake could have simply looked up the password, logged in, and stolen the data" noted Reddington.

In the hacking campaign targeting Snowflake's clients, nearly 165 customer accounts were potentially compromised, but only a few of these have been identified thus far. In addition to Ticketmaster, the banking corporation Santander has recognised that their data was stolen but has neglected to name the account from which it was taken.

However, a local media outlet has confirmed that it was a Snowflake account; the stolen data included bank account information for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about employees, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also confirmed that they could possibly be victims of this campaign.

In a notice published earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged that organisations follow Snowflake's recommendations to look for signals of odd behaviour and take precautions to prevent unauthorised access. A similar advice issued by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) warned of "successful compromises of several companies using Snowflake environments.”

Fraudulent Browser Updates Are Propagating BitRAT and Lumma Stealer Malware



 

malware

BitRAT Fake Browser Fake Sites Malicious Campaign malware

Fraudulent Browser Updates Are Propagating BitRAT and Lumma Stealer Malware

Fake web browser updates are being used to spread remote access trojans (RATs) and information stealer malware like BitRAT and Lumma Stealer (aka LummaC2).

"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware,"cybersecurity company eSentire stated in a recent research. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms.”

The attack chain begins when potential targets visit a fake website with JavaScript code that redirects them to a fraudulent browser update page ("chatgpt-app[.]cloud"). The redirected web page includes a download link to a ZIP archive file ("Update.zip") located on Discord that is automatically downloaded to the victim's device.

It's worth noting that threat actors frequently use Discord as an attack vector, with Bitdefender's recent study revealing more than 50,000 unsecured connections propagating malware, phishing campaigns, and spam during the past six months.

Another JavaScript file ("Update.js") is included in the ZIP archive file, and it executes PowerShell scripts responsible for downloading further payloads, such as BitRAT and Lumma Stealer, from a remote server in the form of PNG image files.

This method also retrieves PowerShell scripts for persistence and a.NET-based loader, which is generally used to start the final-stage malware. According to eSentire, the loader is most likely represented as a "malware delivery service" because it is used to spread both BitRAT and Lumma Stealer.

BitRAT is a feature-rich RAT that enables attackers to collect data, mine cryptocurrency, download additional malware, and remotely control infected systems. Lumma Stealer, a commodity stealer malware offered for $250 to $1,000 per month since August 2022, can take data from online browsers, cryptocurrency wallets, and other sensitive information.

"The fake browser update lure has become common amongst attackers as a means of entry to a device or network," the company noted, adding it "displays the operator's ability to leverage trusted names to maximize reach and impact.”

While such attacks typically employ drive-by downloads and malvertising techniques, ReliaQuest reported last week that it identified a new variant of the ClearFake campaign that tricked consumers into copying, pasting, and manually executing malicious PowerShell code under the guise of a browser update.

Specifically, the malicious website claims that "something went wrong while displaying this webpage" and instructs the site visitor to install a root certificate to resolve the issue by following a series of steps that include copying and pasting obfuscated PowerShell code into a PowerShell terminal.

"Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the company added.

Hackers Employ Malicious PDF Files To Kickstart Infection Chain



 

Targeted Attack

Cyber Attacks EU Diplomats Malicious Campaign PDF Exploits Targeted Attack

Hackers Employ Malicious PDF Files To Kickstart Infection Chain

Fine wine is a cultural trait that Europeans are renowned for, but attackers behind a recent threat campaign have exploited this to their advantage. By luring European Union (EU) diplomats with a fake wine-tasting event, the cyber operation aimed to deliver a unique backdoor.

In a blog post published on February 27, researchers at Zscaler's ThreatLabz reported that they had found the campaign, which especially targeted officials from EU nations with diplomatic posts in India. The actor, dubbed "SpikedWine," used a PDF file in emails that pretended to be an invitation letter from India's embassy, inviting diplomats to a wine-tasting event on February 2.

"We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack," Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay explained in the post.

The campaign's payload is a backdoor known as "WineLoader," which has a modular design and uses tactics designed to avoid detection. These include re-encryption and zeroing out memory buffers, which serve to safeguard sensitive data in memory while evading memory forensics tools, the researchers stated.

SpikedWine employed compromised websites for command-and-control (C2) at different phases of the attack chain, which started with a victim clicking on a link in the PDF and ended with the modular distribution of WineLoader. Overall, the cyber attackers exhibited a high degree of expertise, both in the creative design of the socially engineered campaign and in the delivery of the malware.

Zscaler ThreatLabz found the PDF file, which was uploaded to VirusTotal from Latvia on January 30. The attackers meticulously built the contents to imitate India's ambassador, and the invitation contains a malicious link to a false questionnaire that must be completed in order to participate.

Clicking on the link takes users to a hacked site where they can download a zip archive containing a file named "wine.hta." The downloaded file contains obfuscated JavaScript code that triggers the next stage of the attack.

Eventually, the file runs sqlwriter.exe from the directory C:\Windows\Tasks\ to initiate the WineLoader backdoor infection chain by loading a malicious DLL called vcruntime140.dll. This, in turn, calls an exported method set_se_translator, which decrypts the embedded WineLoader core module within the DLL using a hardcoded 256-byte RC4 key before running it.

Protection and detection

Zscaler ThreatLabz warned contacts at India's National Informatics Centre (NIC) about the attack's usage of Indian official themes.

The C2 server used in the assault only replies to specific types of queries at specific times, therefore automated analysis systems cannot acquire C2 responses and modular payloads for detection and analysis, according to the researchers. To assist defenders, they offered a list of indicators of compromise (IoCs) and URLs related to the attack in their blog post.

A multilayered cloud security platform should detect IoCs linked to WineLoader at multiple levels, including any files containing the threat name Win64.Downloader.WineLoader, the researchers concluded.

Novel Crytpojacking Campaign is Targeting Docker APIs Across the Internet



 

Malicious Campaign

Cryptojacking Campaign Cyber Attacks Docker API Malicious Campaign

Novel Crytpojacking Campaign is Targeting Docker APIs Across the Internet

Cado security researchers recently identified a sophisticated cryptojacking campaign that exploits exposed Docker API endpoints over the internet.

The campaign, called “Commando Cat”, has been operating since early 2024, the researchers noted, claiming that this was the second such effort to be identified in only two months. The first container, created with the Commando open-source tool, seems innocent, but it allows the criminals to escape and launch several payloads on the Docker host itself.

The payloads delivered are determined by the campaign's short-term targets, which include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials, and activating cryptocurrency miners, according to the researchers. This campaign's cryptocurrency miner is the famed XMRig, a popular cryptojacker that mines Monero (XMR), a privacy-oriented currency that is nearly impossible to track.

Cado Security's researchers added that Commando cat temporarily stores stolen files in a separate folder, implying that this is done as an evasion tactic. Indeed, this complicates forensic analysis.

At press time, the researchers had no idea who the threat actors behind Commando Cat were, although they did detect resemblance in shell scripts and C2 IP addresses with another cryptojacking outfit dubbed TeamTNT. Cado, however, does not believe TeamTNT is behind this particular effort and instead suspects a copycat organisation.

The researchers advised that users should upgrade their Docker instances and install necessary security measures to safeguard themselves from such attacks.

Last month, the same cybersecurity team uncovered a similar campaign that used insecure Docker hosts to install both XMRig and the 9Hits Viewer software. 9hits is an online traffic exchange platform that allows users to drive traffic to each other.

When a user installs 9hits, their device visits the websites of other members using a headless Chrome instance. In exchange, the user earns credits, which may subsequently be used to attract traffic to their own websites. Installing 9hits on compromised Docker instances generates more credits, which the attackers can then use to buy more traffic.

Watch Out For These ChatGPT and AI Scams



 

Phishing scam

AI Phishing AI Scams ChatGPT Cyber Fraud Malicious Campaign Phishing scam

Watch Out For These ChatGPT and AI Scams

Since ChatGPT's inception in November of last year, it has consistently shown to be helpful, with people all around the world coming up with new ways to use the technology every day. The strength of AI tools, however, means that they may also be employed for sinister purposes like creating malware programmes and phishing emails.

Over the past six to eight months, hackers have been observed exploiting the trend to defraud individuals of their money and information by creating false investment opportunities and scam applications. They have also been observed using artificial intelligence to plan scams.

AI scams are some of the hardest to spot, and many people don't use technologies like Surfshark antivirus, which alerts users before they visit dubious websites or download dubious apps. As a result, we have compiled a list of all the prevalent strategies that have lately been seen in the wild.

Phishing scams with AI assistance

Phishing scams have been around for a long time. Scammers can send you emails or texts pretending to be from a trustworthy organisation, like Microsoft, in an effort to trick you into clicking a link that will take you to a dangerous website.

A threat actor can then use that location to spread malware or steal sensitive data like passwords from your device. Spelling and grammar mistakes, which a prominent corporation like Microsoft would never make in a business email to its clients, have historically been one of the simplest ways to identify them.

However, in 2023 ChatGPT will be able to produce clear, fluid copy that is free of typos with just a brief suggestion. This makes it far more difficult to differentiate between authentic letters and phishing attacks.

Voice clone AI scams

In recent months, frauds utilising artificial intelligence (AI) have gained attention. 10% of respondents to a recent global McAfee study said they have already been personally targeted by an AI voice scam. 15% more people claimed to be acquainted with a victim.

AI voice scams use text-to-speech software to create new content that mimics the original audio by stealing audio files from a target's social network account. These kinds of programmes have valid, non-nefarious functions and are accessible online for free.

The con artist will record a voicemail or voice message in which they portray their target as distressed and in need of money desperately. In the hopes that their family members won't be able to tell the difference between their loved one's voice and an AI-generated one, this will then be transmitted to them.

Scams with AI investments

Scammers are using the hype surrounding AI, as well as the technology itself, in a manner similar to how they did with cryptocurrencies, to create phoney investment possibilities that look real.

Both "TeslaCoin" and "TruthGPT Coin" have been utilised in fraud schemes, capitalising on the attention that Elon Musk and ChatGPT have received in the media and positioning themselves as hip investment prospects.

According to California's Department of Financial Protection & Innovation, Maxpread Technologies fabricated an AI-generated CEO and programmed it with a script enticing potential investors to make investments. An order to cease and desist has been given to the corporation.

The DFPI claims that Harvest Keeper, another investment firm, collapsed back in March. According to Forbes, Harvest Keeper employed an actor to pose as their CEO in an effort to calm irate clients. This demonstrates the lengths some con artists will go to make sure their sales spiel is plausible enough.

Way forward

Consumers in the US lost a staggering $8.8 billion to scammers in 2022, and 2023 is not expected to be any different. Periods of financial instability frequently coincide with rises in fraud, and many nations worldwide are experiencing difficulties.

Artificial intelligence is currently a goldmine for con artists. Although everyone is talking about it, relatively few people are actually knowledgeable about it, and businesses of all sizes are rushing AI products to market.

Keeping up with the most recent scams is crucial, and now that AI has made them much more difficult to detect, it's even more crucial. Following them on social media for the most recent information is strongly encouraged because the FTC, FBI, and other federal agencies frequently issue warnings.

Security professionals advised buying a VPN that detects spyware, such NordVPN or Surfshark. In addition to alerting you to dubious websites hidden on Google Search results pages, they both will disguise your IP address like a conventional VPN. It's crucial to arm oneself with technology like this if you want to be safe online.

Bangladeshi Hacker Group Targets Multiple Indian News Agencies



 

Media Outlets

Bangladeshi hackers Cyber Attacks Fake news Indian Media Hack Malicious Campaign Media Outlets

Bangladeshi Hacker Group Targets Multiple Indian News Agencies

An update regarding the cyberattack on Alt News has brought up cybersecurity news in Indian media once more. After focusing on Indian news agency ANI News for a few hours, the threat actor group "Mysterious Team Bangladesh" has now listed the well-known Indian fact-checking website "Alt News" as its latest victim.

The hacktivist group claims that the purported ANI News and Alt News cyberattacks are a part of their ongoing OpIndia23 campaign against the Indian media for allegedly inciting hatred and false information.

ANI News is a news organisation with its main office in New Delhi. Mohammed Zubair and Pratik Sinha, two former IT engineers, launched the fact-checking website Alt News, a non-profit organisation in India.

Both organisations' websites were reachable at the time of writing. A number of cyberattacks on international targets included the claimed Alt News hack.

Mysterious Team shared the hashtags "opindia23," "counterattack," and "OpTerrorismCountry" along with the Telegram message. The group has accounts on several social media networks and has 1,283 Telegram subscribers.

The bio for the gang on its Twitter account, where they frequently discuss the specifics of their attacks and victims, reads, "We are cyber warriors of Bangladesh."

Along with articles on hacking and cyberattacks, the group also publishes the names of other hackers. A name that came up was "_barbby," who according to his biography is a journalist and a human rights advocate. There were two hashtags on the profile: OpIsrael and FreePalestine.

In the bio of another hacker, YourAnonRiots, it was said, "Our mission is global peace." The profile's hashtag was HackThePlanet, which appears to be the case in light of the hacking attacks on numerous government and other organisation websites. Your Anon Story, MCA Ops, and Saudi Exile were the other hackers that had been identified.

In the past 24 hours, the Mysterious Team Bangladesh group has also listed TV7 Israel News, Uniurdu, an Urdu-language news website, and Univarta, a Hindi-language news website, as victims. Furthermore, the hacktivist group also targeted the website of The Press Trust of India.

Along with saying "Expect Us," the organisation also declared that it had attacked the Indian Computer Emergency Response Team.

The Mysterious Team appears to be a sizable group made up of numerous hackers that use system weaknesses to get access. But nothing is known about their method of attack other than the fact that they effectively shut down the systems and publish screenshots of their hacks on their various social media platforms.

How AI is Helping Threat Actors to Launch Cyber Attacks



 

User Security

AI Tool Artificial Intelligence Malicious Campaign Online Crime Technology User Security

How AI is Helping Threat Actors to Launch Cyber Attacks

Artificial intelligence offers great promise, and while many tech enthusiasts are enthusiastic about it, hackers are also looking to this technology to aid their illicit activities. The field of artificial intelligence is interesting, but it may also make us nervous. Therefore, how might AI support online criminals?

Social engineering

Every week, social engineering, a form of cybercrime, claims countless victims and is a big issue worldwide. In this technique, the victim is coerced into complying with the attacker's demands through manipulation, frequently without being aware that they are the target.

By creating the text that appears in fraudulent communications like phishing emails and SMS, AI could aid in social engineering attempts. It wouldn't be impossible, even with today's level of AI development, to instruct a chatbot to create a compelling or persuasive script, which the cybercriminal could then employ against their victims. People have taken notice of this threat and are already worried about the dangers that lie ahead.

In this way, by correcting typos and grammatical errors, AI might potentially assist in making hostile communications appear more formal and professional. Therefore, it might be advantageous for cybercriminals if they can write their social engineering content more clearly and effectively. Such errors are frequently described as potential indicators of malicious activity.

Analysing stolen data

Data is worth as much as gold. Sensitive information is currently regularly sold on dark web markets, and some dangerous actors are willing to pay a very high price for the information if it is sufficiently valuable.

But data must first be stolen in order for it to appear on these marketplaces. Small-scale data theft is undoubtedly possible, particularly when an attacker targets single victims. However, larger hacks may lead to the theft of sizable databases. The cybercriminal must now decide whatever information in this database is worthwhile.

A malicious actor would spend less time deciding what is worthwhile to sell or, on the other hand, directly exploit by hand if the process of identifying valuable information were to be expedited with AI. Since learning is the foundation of artificial intelligence, it might someday be simple to use an AI-powered tool to detect sensitive information that is valuable.

Malware writing

Some people would not be surprised to learn that malware can be created using artificial intelligence because this is a sophisticated form of technology. A combination of the words "malicious" and "software," malware refers to the various types of malicious software used in hacking.

Malware must first be written, though, in order to be used. Cybercriminals aren't all skilled programmers; others just don't want to spend the time learning how to write new programmes. AI may prove useful in this situation.

It was discovered that ChatGPT might be used to create malware for nefarious activities in the early 2023. An AI infrastructure supports OpenAI's wildly popular ChatGPT. Despite the fact that this chatbot is being used by hackers, it can perform many important tasks.

In one particular instance, a user claimed in a forum for hackers that ChatGPT had been used to write a Python-based malware programme. Writing malicious software could be efficiently automated with ChatGPT. This makes it easier for novice cybercriminals with limited technical knowledge to operate.

Instead of writing sophisticated code that poses serious hazards, ChatGPT (or at least its most recent version) is only capable of producing simple, occasionally problematic malware programmes. This does not preclude the employment of AI to create malicious software, either. Given that a modern AI chatbot is already capable of writing simple malicious programmes, it might not be long before we start to notice more heinous malware coming from AI systems.

Bottom line

Artificial intelligence has been and will continue to be abused by cybercriminals, as is the case with the majority of technological advancements. It's absolutely impossible to predict how hackers will be able to progress their attacks utilising this technology in the near future given that AI already has certain dubious skills. Cybersecurity companies may also use AI more frequently to combat similar threats, but only time will tell how this one develops.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for

Popular Posts

Pages

Fake Wedding Invitation Malware Targets Android Users

Cybercriminals Exploit PDFs in Novel Mishing Campaign

Hackers Employ Fake Mac Homebrew Google Ads in Novel Malicious Campaign

New “Double-Clickjacking” Threat Revealed: Security Settings at Risk

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

Malware Campaign Expands Its Use of Fraudulent CAPTCHAs

Microsoft Warns of Russian Spear-Phishing Campaign Targeting Multiple Organizations

New Tool Circumvents Google Chrome's New Cookie Encryption System

Microsoft Issues New Warnings For Windows Users

BT Uncovers 2,000 Potential Cyberattacks Signals Every Second

Pro-Houthi Group Deploys Android Spyware to Target Yemeni Humanitarian Orgs