Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malware.. Show all posts
Windows Bug
3CX Update APT attacks APT27 Chinese Government malware Malware. Software Supply Chain Attack VoIP Windows Bug

Supply Chain Attack Targets 3CX App: What You Need to Know

A recently discovered supply chain attack has targeted the 3CX desktop app, compromising the security of thousands of users. According to reports, the attackers exploited a 10-year-old Windows bug that had an opt-in fix to gain access to the 3CX software.

The attack was first reported by Bleeping Computer, which noted that the malware had been distributed through an update to the 3CX app. The malware allowed the attackers to steal sensitive data and execute arbitrary code on the affected systems.

As The Hacker News reported, the attack was highly targeted, with the attackers seeking to compromise specific organizations. The attack has been linked to the APT27 group, which is believed to have links to the Chinese government.

The 3CX app is widely used by businesses and organizations for VoIP communication, and the attack has raised concerns about the security of supply chains. As a TechTarget article pointed out, "Supply chain attacks have become a go-to tactic for cybercriminals seeking to gain access to highly secured environments."

The attack on the 3CX app serves as a reminder of the importance of supply chain security. As a cybersecurity expert, Dr. Kevin Curran noted, "Organizations must vet their suppliers and ensure that they are following secure coding practices."

The incident also highlights the importance of patch management, as the 10-year-old Windows bug exploited by the attackers had an opt-in fix. In this regard, Dr. Curran emphasized, "Organizations must ensure that all software and systems are regularly updated and patched to prevent known vulnerabilities from being exploited."

The supply chain attack on the 3CX app, in conclusion, serves as a clear reminder of the importance of strong supply chain security and efficient patch management. Organizations must be cautious and take preventive action to safeguard their systems and data as the possibility of supply chain assaults increases.
Read more »
VMware
Cyber Attacks IBM Security IBM Survey Malware. VMware

Responding to Cyberattacks Within 72 Hours is Essential to Taming the Chaos

 


Despite the widespread lack of breach preparedness and adequate incident response practices in organizations, cybersecurity professionals who are tasked with responding to attacks experience stress, burnout, and mental health issues which are aggravated by a lack of breach preparedness and inadequate incident response practices.

IBM Security has sponsored a study this week that has found that two-thirds (67%) of incident responders experience stress and anxiety at least sometimes during their engagements. In response to the Morning Consult survey conducted by Morning Consult, 44% of those surveyed sacrificed their relationships for their well-being and 42% suffer burnout. According to the survey, 68% of incident responders have been operating two or more incidents at the same time. This results in them being stressed every time they are working on incidents, according to the survey results.

In an organization where incident responders, employees, and executives of the company face a wide range of incidents, such as a fire, an explosion, or a major event, John Dwyer, head of IBM Security's X-Force response team, says that organizing and practicing how to handle such incidents can reduce the level of stress amongst incident responders, employees, and executives.

Organizers are failing to effectively establish their response strategies that are geared toward responding to emergencies with the responders in mind - "the response process does not have to be as stressful as it is today," he stressed. Responders often have to handle organizations during an incident. This is because these organizations are not prepared for the crisis that occurs when these kinds of attacks happen every single day. Therefore, the responders are usually responsible for managing those organizations.

The IBM Security-funded study underscores why cybersecurity organizations are increasingly focusing on the mental health of their members. About half (51%) of cybersecurity defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. According to cybersecurity executives, the threat of an attack affecting the community and companies' ability to retain skilled workers can have a significant impact.

A study sponsored by IBM Security provides support for why the cybersecurity community has been focusing increasingly on the mental health of its members as the field has evolved. It has been reported that about half of cybersecurity defenders have suffered burnout or extreme stress during the past year. This is according to a VMware survey released in August 2021 which surveyed 3,000 cybersecurity professionals. The issue of cybersecurity retention has also been highlighted by executives in the security field as one that impacts the whole community. This impacts providers' ability to attract and retain skilled workers.

Based on findings from the IBM survey of incident responders based in the US, it was found that 62% sought mental health assistance as a result of doing their job, but that 82% of US employers had put in place an adequate program and services to handle this situation.

"I've worked on some really big incidents in the past with clients who were very prepared, and I found that to be a very satisfying experience to do so," explains Dwyer about what he has done in the past. During the past few years, several incidents have occurred when the incident response processes of the company lacked the readiness to deal with these situations, which caused me to have to deal with a great deal of stress during these times."

The survey found that incident response professionals have three main reasons for choosing the profession, which may explain their decision to pursue it. A study by the American Management Association found that 36 percent of respondents indicated their motivation for joining the company was a sense of duty of protection. In addition, 19% said they were interested in solving problems. Furthermore, 19% said they joined because they wanted continuous learning opportunities.

As a result of the survey, half of those surveyed cited managing expectations from multiple stakeholders as a top-three stressor, and 48% cited their sense of responsibility toward their client or business as another top-three stressor. According to the survey, one of the most striking findings is that incident responders are very dedicated to their roles, with almost one-third (34%) working 13 or more hours a day in the most stressful periods of the incident response process, which in turn strengthens the dedication to their jobs.

According to Dwyer, the general public does not seem to realize how long these men and women are working to ensure that people's lives and businesses are not disrupted because they work long hours.
Read more »
Ryuk Ransomware
Black Cat Malware. RaaS Ransomware Ryuk Ransomware

Black Cat Ransomware Linked with Gangs DarkSide/BlackMatter

The Black Cat Ransomware gang, aka ALPHV, confirmed that they were earlier associated with the infamous BlackMatter/DarkSide ransomware campaign. ALPHV/Black Cat is the latest ransomware operation launched last year in November and built in the Rust programming language, which is rare for ransomware attacks. The ransomware can be customized, via different encryption methods and options that allow attacks on a variety of corporate organizations. 

The ransomware group identifies itself as ALPHV, however, MalwareHunterTeam, a cybersecurity firm, calls the ransomware as Black Cat, because a black cat image is shown on the target's Tor payment page. The ransomware campaigns often run as Ransomware as a Service (RaaS,) where the core team develops ransomware attacks and manages servers, and adverts ( affiliates) are hired to compromise corporate networks and organize attack campaigns. In this sort of assignment, the core team earns around 10-30% of ransomware payment, and the affiliate earns the rest. 

The earnings depend on how much ransom is brought by different affiliates in the campaign. The past has experienced many RaaS operations, where top-level hacking groups, when shut down by the government, resurface with a new name. These include- GandCrab to Revil, Maze to Egregor, and DarkSide to BlackMatter. Few believe that Conti resurfaced as Ruk, however, experts believe these two operate separately under the TrickBot group and are not affiliated with each other. 

Meanwhile few affiliates team up with a single RaaS campaign, it is also common for affiliates to work with multiple hacking groups. "While the BlackCat ransomware operators claim that they were only DarkSide/BlackMatter affiliates who launched their own ransomware operation, some security researchers are not buying it. Emsisoft threat analyst Brett Callow believes BlackMatter replaced their dev team after Emsisoft exploited a weakness allowing victims to recover their files for free and losing the ransomware gang millions of dollars in ransoms," reports Bleeping Computer.

Read more »
threat report
acronis Cyber Security Malware. phishing threat report

Acronis reports India to be third highest in terms of Malware attacks, after US and Japan

Acronis, a Switzerland based IT and cybersecurity company surveyed 3,400 IT managers from 17 countries across four continents: Australia, Bulgaria, Canada, France, Germany, India, Italy, Japan, Netherlands, Singapore, South Africa, Spain, Sweden, Switzerland, UAE, UK, and the US from both private and public sector. Their report investigates the increase/decrease of cyber attacks and cyber readiness of companies during covid-19 as in their own words, "the COVID-19 pandemic has crippled businesses worldwide".

According to their report, India was the third highest country in the number of malware attacks, after the U.S and Japan between the months' March to November. Of 1000 clients, 1168 attacks were detected in India in a month. 

 Acronis found that during the switch from office to remote work, weak points in cybersecurity were revealed, mainly 1) exposed servers (RDP, VPN, Citrix, DNS, etc.), 2) weak authentication techniques, and 3) insufficient monitoring.

 The companies increased their expenditure on IT (72% of organizations reported increases in their IT expenditure) but still faced difficulties with adjustments from office to remote work. 

 When it comes to security concerns vast vulnerabilities were noticed in monitoring phishing problems, lack of expertise in a cloud solution, and video conferencing attacks as the cybersecurity protocols placed are just up to par but not really updated with the latest threats and needs. 

 “The cyber threat landscape has changed dramatically during the past few years, and in the last six months in particular. Traditional stand-alone antivirus and backup solutions are unable to protect against modern cyberthreats,” said Serguei “SB” Beloussov, founder and CEO of Acronis. 

 Most of the attacks faced by organizations were phishing (53.4%), DDoS (44.9%), Video Conferencing (39.5%), and Malware (22.2%). The rate of phishing attacks, the reports say is because of the lack of active action taken against them as only 2% of organizations use URL filtering protocols, and India, Switzerland, Canada, and the UK were among the most affected by video conferencing attacks.
Read more »
Malware.
Adware Among Us app Gaming Malware.

Fake Among Us apps floating over the internet can deploy malware and adware in your device

There is an imposter among us, quite literally - the popular gaming app has attracted many flukes and malware carrying apps made to look like the legit gaming application or mod. These malicious apps can range from harmlessly annoying to quite dangerous.

Players looking for Among Us should be cautious as to use only trustworthy sources to install the app from and look into mods and their legitimacy before using them.

These "fake" apps range from mock among us intending to swindle off from the game's success to mods, which attracts young players in the lure of hacks but actually drops malware in the system or steal data from the device.
A report from TechRadar says that currently there are 60 fake imposter apps of Among Us including apps that can i) install adware or bloatware or ii) apps that deploy malware and iii) steal financial data. 

Why Among Us? 

Among Us, a multiplayer PC and mobile game suddenly became popular in 2020. Though it was released in 2018, did not gain much attention until gaming streamers started broadcasting the game. Developed by InnerSloth, a small studio in Redmond, Washington, Among Us has stayed top five on Apple’s U.S. App Store since Sept. 1, with more than 158 million installs worldwide across the App Store and Google Play. 

Word to mouth marketing and pandemic imposed lockdown made the game quickly catch up with young players which these miscreants exploited. A young player looking for hacks and mods would be easy to dupe and install a fake app that installs adwares or one that's more damaging. 

Precautions to avoid Among Us imposter apps:

It's smart to avoid any website that claims to offer hacks, resources, packs, and mods as people without much background in gaming and the cyber world won't be able to detect malicious content. 

 
Always install the app from a trusted source and after reading comments as they would tell you if anything is wrong with the app. 

As to find out the legitimacy of mods it's best to use the community. In themselves mods are harmless but as told before some of these fake ones could add codes into your device. Use legitimate mod websites and if going for a private website then do read comments as someone would probably write any suspicious behavior on the discourse. Also, mods developed by semi-public figures or among us content creators will usually be safe.
Read more »
Ransomware Attacks.
Customer Data data misuse Malware. Ransom Ransomware Ransomware Attacks.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble, discovered a post by the authors of Nefilim ransomware, claiming to have hacked The SPIE Group, an independent European market leader for technical services in the fields of energy. As per the claims made by the operators in the post, they are in the possession of around 11.5 GB of company’s sensitive data that include corporate operational documents- company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, narrowing down on the regions- South Asia, South America, Oceania, North America, and Western Europe. Going by the count of attacks disclosed publicly, manufacturing comes on top as the most preferential and hence the most targeted industries by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation; Orange S.A. and Toll Group, Arteris SA being some of the top targets respectively. One important thing to notice here is that the ransomware has spared the healthcare and education sector entirely as of now, interestingly, no organization from the two aforementioned sectors has been targeted.

 Nefilim uses a number of ways including P2P file sharing, Free software, Spam email, Torrent websites, and Malicious websites, to infiltrate organizations’ IT systems. Designed specially to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol and uses it as its primary attack vector to infiltrate organizations. It employs a combination of two distinct algorithms AES-128 and RSA-2048 to encrypt the target’s data that is later leaked on their websites known as Corporate Leaks- when victims’ fail to pay the ransom.

Users are advised to stay wary of exposed ports and security departments shall ensure closing off unused ports, experts have also recommended to ‘limit login attempts’ for Remote Desktop protocol network admin access from settings to stay guarded.
Read more »
Remote Access Tool
Banking Phishing Cyber Crime Hacking Houdini Worm Malware. Remote Access Tool

Houdini Worm’s WSH Remote Access Tool (RAT) for Phishing Tactic




A fresh modified version of Houdini Worm is out in the market which goes by the name of WSH Remote Access Tool (RAT) and has commercial banking customers on its radar.


The authors who created the malware released it earlier this June and the HWorm has things tremendously in common with the njRAT and njWorm. (existed in 2013)

WSH RAT uses the legitimate applications that are used to execute scripts on the Windows one of which is Legitimate Windows Script Host.

The malware is being distributed via phishing email campaigns per usual.

The malicious attachment is stuck with the MHT file which is used by the threat operators the very way they use HTML files.

The MTH files contain an “href” link which guides the user to download the malicious .zip archive which releases the original version of WSH RAT.


Researchers report that when WSH RAT’s executed on an endpoint it behaves like an HWorm to the very use of mangled Base64 encoded data.

The WSH RAT uses the very same configuration structure for the above process as HWorm.

It also seeds an exact copy of the HWorm’s configuration including the default variable and WSH RAT command and control server URL structure in similar to that of HWorm.


Firstly WSH Rat communicates with C2 server and then calls out the new URL that releases the three payloads with the .tar.gz extension.
But, it’s actually PE32 executable files and the three payloads act as follows:
·       A Key logger
·       A mail credential viewer
·       A browser credential viewer

These components are extracted from a third party and do not originate from the WSH RAT itself.

The underground price of the WSH RAT was around $50 USD a month with a plethora of features including many automatic startup tactics and remote access, evasion and stealing capabilities.

It’s becoming evident by the hour that by way of simple investment in cheap commands really threatening malware services could be developed and could put any company under jeopardy.



Read more »
Malware.
Cyber Attacks HiddenWasp Linux Linux Security Linux Vulnerability Malware.

Undetected malware attacks Linux systems

A new sophisticated, unique Linux malware dubbed HiddenWasp used in targeted attacks against victim’s who are already under attack or gone through a heavy reconnaissance.

The malware is highly sophisticated and went undetected; the malware is still active and has a zero detection rate. The malware adopted a massive amount of codes from publically available malware such as Mirai and the Azazel rootkit.

Unlike Windows malware, Linux malware authors won’t concentrate much with evasion techniques, as the trend of using Anti-Virus solutions in Linux machine is very less when compared to other platforms.

However, the Intezer report shows “malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.” In the past, we saw many malware focussed on crypto-mining or DDoS activity, but the HiddenWasp is purely a targeted remote control attack.

The malware is composed of a user-mode rootkit, a trojan, and an initial deployment script. Researchers spotted the files went undetected in VirusTotal and the malware hosted in servers of a hosting company ThinkDream located in Hong Kong.

While analyzing scripts, Intezer spotted a user named ‘sftp’ and hardcodes, which can be used for initial compromise and also the scripts has variable to clear the older versions from the compromised systems.

The scripts also include variables to determine server architecture of the compromised system and download components from the malicious server based on the compromised server architecture. Once the components installed, the trojan will get executed on the system.

“Within this script, we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit, and a deployment script for x86 and x86_64 builds accordingly.”
Read more »
Ransomware
hacker arrested Malware. Ransomware

Author of Three Critical Ransomware Families Arrested in Poland




A well-known cyber-criminal believed to be the author of the Polski, Vortex, and Flotera ransomware strains, Tomasz T. was arrested in Poland on Wednesday, but the announcement was made by the Polish Law Enforcement on Friday.

They had been tracking him for quite some time and were ready this time to go ahead with the arrest.
Tomasz T. a.k.a. Thomas or Armaged0n - a Polish citizen who lives permanently in Belgium is responsible for conducting cybercrime such as DDOS attacks, sending malicious software to compromise several computers and using ransomware to encrypt the files.

While working through Europol, the Polish police had alerted their Belgium counterparts, who thusly searched his house and seized the computer equipment, laptop and remote servers also including encryption keys.

 “Apparently, the suspect has been active since 2013, when he first started targeting users via a banking trojan that would replace bank account numbers in users' clipboards with one of his own, so to receive undeserved bank transfers.”
-          according to the Prosecutors.

He was able to spread this ransomware through the means of email by pretending to impersonate official correspondence from well-known companies such as DHL, Zara, Cinema City, PAY U, WizzAir and many more. While utilizing the Online portal, Tomasz operated under the epithet "Armaged0n," which he used on the infamous Hack Forums cybercrime portal too.

The Polish tech news site Zaufana Trzecia Strona (ZTS) was the first to draw the lines between the three ransomware strains to the Armaged0n persona and later tracked down an extensive email spear-phishing operation.

Armaged0n Hack forum profile

The police suspects that Tomasz infected thousands of users with ransomware and made over $145,000 from his criminal undertakings. ZTS, CERT Poland, security analysts, police, and the impersonated companies all worked together to track him down.

Polish Cybercriminal has been accused with various complaints such as accepting and transferring funds from crimes, infecting computer systems with malware such as the Polish Ransomware, Vortex or Floter and for influencing automatic data processing for financial benefits. All these ransomware’s Decryption keys have likewise been collected from his system.

The suspect, questioned by the prosecutor, conceded to the 181 different crimes that he was charged with.

Nonetheless, after performing the procedural steps, the prosecutor filed a motion to apply to him a temporary detention for a period of three months.

Read more »
NCSC
cyber espionage Hacking Malware. NCSC

Prevalent Cyber threat group targets UK

As of late a well-known hacking group attempted is as yet trying to focus on the UK with an updated version of malware intended to install itself into the compromised systems and stealthily conduct surveillance. Within the most recent year, the group seems to have been especially centered on diplomatic targets, including consulates and embassies. 

Both the Neuron and Nautilus malware variations have already been credited to the Turla advanced persistent threat group, which is known to routinely carry out cyber-espionage against a range of targets, including government, military, technology, energy, and other business associations and commercial organisations. 

It basically targets Windows mail servers and web servers; the Turla group conveys uniquely made phishing emails to trade off targets in attacks that deploy Neuron and Nautilus in conjunction with the Snake rootkit. By utilizing a combination of these tools, Turla can increase diligent system access on compromised systems, giving secretive access to sensitive data or the capacity to utilize the system as an entryway for carrying out further attacks. 

However the UK's National Cyber Security Centre (NCSC) - the cyber security arm of GCHQ - has issued a notice that Turla is conveying another variant of Neuron which has been altered to sidestep disclosure. 

Alterations to the dropper and loading mechanisms of Neuron have been composed in such a way so as to avoid the malware being detected, enabling its pernicious activities to proceed without being intruded. 

While the creators of Neuron have additionally attempted to change the encryption of the new version, now configuring various hardcoded keys as opposed to simply utilizing one. In the same way as other of alternate changes, it's probably that these have been carried out to make detection and decryption by network safeguards more troublesome. 

At all might be the situation it is believed that the National Cyber Security Centre doesn't point to work by Turla being related with a specific danger on-screen character - rather alluding to it as:
                                 "A predominant digital danger group focusing on the UK".

Read more »
Subscribe to: Posts (Atom)