Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Phishing emails. Show all posts
PowerShell
Advanced persistent threat (APT) Advanced Social Engineering Cyber Attacks cyber espionage espionage Fake Website Phishing emails PowerShell

ClickFix Attacks: North Korea, Iran, Russia APT Groups Exploit Social Engineering for Espionage

ClickFix attacks are rapidly becoming a favored tactic among advanced persistent threat (APT) groups from North Korea, Iran, and Russia, particularly in recent cyber-espionage operations. This technique involves malicious websites posing as legitimate software or document-sharing platforms. Targets are enticed through phishing emails or malicious advertising and then confronted with fake error messages claiming a failed document download or access issue. 


To resolve the supposed problem, users are instructed to click a “Fix” button that directs them to run a PowerShell or command-line script. Executing this script allows malware to infiltrate their systems. Microsoft’s Threat Intelligence division highlighted earlier this year that the North Korean group ‘Kimsuky’ utilized a similar approach through a fake “device registration” page. 

A new report from Proofpoint now confirms that Kimsuky, along with Iran’s MuddyWater, Russia’s APT28, and the UNK_RemoteRogue group, deployed ClickFix techniques between late 2024 and early 2025. Kimsuky’s campaign, conducted between January and February 2025, specifically targeted think tanks involved in North Korean policy research. The attackers initially contacted victims using spoofed emails designed to appear as if they were sent by Japanese diplomats. After gaining trust, they provided malicious PDF attachments leading to a counterfeit secure drive. Victims were then asked to manually run a PowerShell command, which triggered the download of a second script that established persistence with scheduled tasks and installed QuasarRAT, all while distracting the victim with a harmless-looking PDF. 

In mid-November 2024, Iran’s MuddyWater launched its campaign, targeting 39 organizations across the Middle East. Victims received phishing emails disguised as urgent Microsoft security alerts, prompting them to run PowerShell scripts with administrative rights. This led to the deployment of ‘Level,’ a remote monitoring and management (RMM) tool used to conduct espionage activities. Meanwhile, Russian group UNK_RemoteRogue focused on two organizations tied to a leading arms manufacturer in December 2024. Attackers used compromised Zimbra servers to send fake Microsoft Office messages. Clicking the embedded links directed victims to fraudulent Microsoft Word pages featuring Russian-language instructions and a video tutorial. 

Victims executing the provided script unknowingly triggered JavaScript that ran PowerShell commands, connecting their systems to a server managed through the Empire C2 framework. Proofpoint also found that APT28, an infamous Russian cyber-espionage unit, used ClickFix tactics as early as October 2024. In that instance, phishing emails mimicked Google Spreadsheet notifications, including a fake reCAPTCHA and a prompt to execute PowerShell commands. Running these commands enabled attackers to create an SSH tunnel and activate Metasploit, providing them with covert access to compromised machines. 

The growing use of ClickFix attacks by multiple state-sponsored groups underscores the method’s effectiveness, primarily due to the widespread lack of caution when executing unfamiliar commands. To avoid falling victim, users should be extremely wary of running scripts or commands they do not recognize, particularly when asked to use elevated privileges.
Read more »
Ransomware attack
Cyber Attacks data security Hacking Attack Internet Services Library Phishing emails Public Networks Ransomware attack

Delaware Libraries Hit by Ransomware Attack, Internet Services Disrupted

 

Last week, Delaware’s public libraries faced a cyberattack, causing widespread disruption to computer and internet access. Signs posted at libraries informed visitors that Wi-Fi and PCs were out of service, with officials confirming a ransomware attack took down all internet services. Despite the inconvenience, visitors can still check out books and use other library services. Ransomware attacks like this often start with phishing emails or social engineering, where users are tricked into actions that allow hackers access. 

Matt Barnett, CEO of cybersecurity firm Sevn-X, explained that attackers typically cast a wide net with phishing emails, waiting for a target to take the bait. He speculated that the hackers responsible for this attack are likely from Russia or Eastern Europe, suggesting they targeted Delaware not out of malice but simply because it was an easy opportunity. Hackers look for low-hanging fruit, making any vulnerable entity a potential target. Ransomware attacks usually demand payment in exchange for returning access to the compromised systems. 

In this instance, Delaware state officials have not confirmed if any personal information was stolen. However, the situation serves as a stark reminder of the importance of cybersecurity, even for community services like public libraries. Cybersecurity experts stress the need for vigilance and proactive measures to protect against such threats. Organizations should implement strong email security protocols, train employees to recognize phishing attempts, and regularly update software to patch vulnerabilities. Regular data backups are also essential, ensuring that in the event of an attack, systems can be restored without paying a ransom. 

While this attack has disrupted library services, it is also a learning opportunity. Public institutions, often seen as “soft targets,” must prioritize cybersecurity to protect their networks, systems, and the personal data of their users. By investing in robust cybersecurity measures, conducting employee training, and implementing multi-factor authentication, public services can better defend themselves against future attacks. 

This incident serves as a reminder that cyber threats are ever-present, and even seemingly small targets like public libraries are not immune. As ransomware attacks continue to rise, organizations of all sizes must take active steps to fortify their defenses and educate themselves about potential risks.
Read more »
User Security
Cyber Security Data Privacy Email Spoofing Phishing emails User Security

Google Strengthens Gmail Security, Blocks Spoofed Emails to Combat Phishing

 

Google has begun automatically blocking emails sent by bulk senders who do not satisfy tighter spam criteria and authenticating their messages in line with new requirements to strengthen defences against spam and phishing attacks. 

As announced in October, users who send more than 5,000 messages per day to Gmail accounts must now configure SPF/DKIM and DMARC email authentication for their domains. 

The updated regulations also mandate that bulk email senders refrain from delivering unsolicited or unwanted messages, offer a one-click unsubscribe option, and react to requests to unsubscribe within two working days. 

Additionally, spam rates must be kept at 0.3%, and "From" headers cannot act like to be from Gmail. Email delivery issues, such as emails being rejected or automatically directed to recipients' spam folders, may arise from noncompliance. 

"Bulk senders who don't meet our sender requirements will start getting temporary errors with error codes on a small portion of messages that don't meet the requirements," Google stated. "These temporary errors help senders identify email that doesn't meet our guidelines so senders can resolve issues that prevent compliance.” 

In April 2024, we will start rejecting non-compliant traffic. Rejection will be gradual, affecting solely non-compliant traffic. We strongly recommend senders to utilise the temporary failure enforcement period to make any necessary changes to become compliant, Google added. 

The company also intends to implement these regulations beginning in June, with an expedited timeline for domains used to send bulk emails starting January 1, 2024.

As Google said when the new guidelines were first released, its AI-powered defences can successfully filter roughly 15 billion unwelcome emails per day, avoiding more than 99.9% of spam, phishing attempts, and malware from reaching users' inboxes. 

"You shouldn't need to worry about the intricacies of email security standards, but you should be able to confidently rely on an email's source," noted Neil Kumaran, Group Product Manager for Gmail Security & Trust in October. "Ultimately, this will close loopholes exploited by attackers that threaten everyone who uses email.”
Read more »
US infrastructure
AsyncRAT command-and-control infrastructure Cybersecurity domain generation algorithm malware open-source trojan Phishing emails Threat Group US infrastructure

This Malware is Assaulting Critical US Infrastructure for Almost a Year

 

Over the course of the last 11 months, a threat group has actively engaged in a phishing campaign targeting employees across various companies, distributing an open-source trojan program named AsyncRAT. The victims of this campaign notably include companies responsible for managing critical infrastructure in the United States.

The cybersecurity division of AT&T, known as Alien Labs, has reported that the attackers employ a domain generation algorithm (DGA) within their command-and-control (C&C) infrastructure. This technique helps them rotate through a large number of domains, making it challenging to block traffic. In an effort to evade detection, the threat actors continually generate new samples of the malicious tool. Researchers have identified over 300 samples and 100 domains associated with this particular campaign.

AsyncRAT, an open-source remote access tool released in 2019 and still available on GitHub, serves as the attackers' weapon of choice. As a remote access trojan (RAT), AsyncRAT offers features such as keylogging, exfiltration techniques, and initial access staging for delivering the final payload.

It's not uncommon for even sophisticated threat actors to utilize open-source malware frameworks, providing advantages such as low development costs and plausible deniability. Interestingly, AsyncRAT had been previously employed in 2022 by an APT group known as Earth Berberoka or GamblingPuppet, as tracked by security firm Trend Micro.

The phishing emails, scrutinized by Alien Labs and other researchers, employ a thread hijacking technique to direct users to a phishing page, eventually dropping a JavaScript (.js) file on users' computers. This script, when opened in Notepad, contains numerous randomly commented-out English words, while variants using Sanskrit characters have also been reported in previous campaigns. The highly obfuscated script aims to download the second-stage payload from a URL encoded using a custom cipher and decimal values.

The second-stage payload is another encoded script in PowerShell, executed directly in memory without being saved to disk. The PowerShell script communicates with a rotating C&C server domain, sending information such as computer hostname and a variable indicating the likelihood of the computer being a virtual machine or sandbox.

If deemed a valid target, the C&C server deploys AsyncRAT. In the case of a potential virtual machine or sandbox, the server redirects the request to Google or launches a different PowerShell script that downloads and initiates a decoy RAT, designed to distract researchers investigating the campaign.

To further complicate detection, the attackers regularly randomize the script code and malware samples, and they rotate C&C domains weekly. Despite these efforts, Alien Lab researchers managed to reverse-engineer the domain generation algorithm, providing insights into historical samples and enabling the development of detection signatures for future infrastructure identification. The AT&T Alien Labs report includes detection signatures for the Suricata intrusion detection system and a list of indicators of compromise (IOC) for building detections on other systems.
Read more »
Phishing emails
Banks Cyber Security Data Breaches Phishing Attack Phishing Education Phishing emails

Tips for Banks to Prevent Data Breaches Through Phishing Education


Despite the roaring advancement in the field of technology, phishing remains one of the most common cybersecurity hazards. According to recent studies, phishing losses in the US alone were $52 million.

The lack of proper awareness in regards to cybersecurity could be one of the reasons why phishing attacks are escalating at a concerning rate. While many finance institutions are aware of the importance to cybersecurity, they fail to educate their employees of the same. 

Here, we are mentioning some ideas which might help banks to thwart phishing efforts and safeguard the information of their customers and employees:

Focus on Behavioral Change

The majority of banks use a similar approach for their cybersecurity training programs: they put all of their non-technical staff in a room, have their security team show a lecture with a few slides showing breach numbers, and attempt to scared them into acting accordingly.

It goes without saying that this strategy is ineffective. It is time for banks to start seeing their staff as a bulwark against phishing attempts rather than as a risk.

One way to do this is for banks to change their employees’ behaviors under stress, rather than threatening them by making them aware of the stressful situations. For example, instead of showing them the malicious emails, they must be educated on the right measure they must follow to identify such emails. 

A bank can also do this by running simulations of the situations, where an employee will be free to make mistakes and learn from those mistakes. This way, an employee can as well make judgements on their actions and even receive instant feedbacks in a safe environment. By doing so, an actual breach will not be the only time the employee is dealing with a feedback. 

Employees can view learning paths and review progress on simulation platforms. The skills of a technological employee will differ greatly from those of a non-technical person. The way forward is to provide positive feedback throughout and to customize learning routes.

Install Security as a Founding Principle

For most banks, the importance of security is communicated with a negative attitude. They draw attention to the possibility of a breach, the harm to the bank's reputation, and the possible consequences for an employee's career should they fall prey to phishing scams.

When a worker receives a phony email from someone posing as their manager, these intimidation techniques are ineffective. Because they trust the manager's persona, employees are unlikely to refuse a request from that organization. Rather, banks ought to embrace a proactive stance and integrate security into their overall brand.

For example, inducing fear among the employees into not clicking the malicious links, banks should instead introduce policies when an employee could quickly determine whether an email is a phishing attempt, rather than attempting to scare them into not clicking on harmful links. Giving them access to an automated tool or having a security guard on duty are excellent choices.

Policies like shredding and discarding important documents in secure bins to cybersecurity practices is essential. Employees must be reminded that the work they do is in fact critical and their actions do matter.

Set Communication Templates

Bank personnel utilize emails, which are rich in data, to communicate with a variety of stakeholders. This is used by malicious actors, who impersonate a different individual and deceive workers into downloading malware.

Informing staff members of appropriate communication styles and methods is one way to avoid situations like this one. Establishing a communication template, for example, will enable staff members to quickly spot emails that depart from the standard.

External actors are unlikely to be familiar with internal communications templates, thus they will likely send emails in a manner that is easily recognized by staff as being out of compliance. Although putting in place such a procedure may sound oppressive, it is the most effective technique to assist staff in overcoming the appearance of a false identity.

For instance, the majority of staff members will click on an email from the bank's CEO right away. They will overlook the fact that the email was sent by the CEO persona, though, if they see that the communication format is incorrect. With their minds thus occupied, kids are less likely to click on a link that could be harmful.

These templates are ingrained in the company's culture, and how banks convey their significance will determine a lot. Once more, a fear-based strategy rarely succeeds. Banks need to consider effective ways to enforce them.  

Read more »
Phishing emails
AI Threat AI-powered tool Artificial Intelligence ChatGPT Cyber Defender Data Breach Digital Age IBM X-Force OpenAI Phishing Attacks Phishing emails

AI-Generated Phishing Emails: A Growing Threat

The effectiveness of phishing emails created by artificial intelligence (AI) is quickly catching up to that of emails created by humans, according to disturbing new research. With artificial intelligence advancing so quickly, there is concern that there may be a rise in cyber dangers. One example of this is OpenAI's ChatGPT.

IBM's X-Force recently conducted a comprehensive study, pitting ChatGPT against human experts in the realm of phishing attacks. The results were eye-opening, demonstrating that ChatGPT was able to craft deceptive emails that were nearly indistinguishable from those composed by humans. This marks a significant milestone in the evolution of cyber threats, as AI now poses a formidable challenge to conventional cybersecurity measures.

One of the critical findings of the study was the sheer volume of phishing emails that ChatGPT was able to generate in a short span of time. This capability greatly amplifies the potential reach and impact of such attacks, as cybercriminals can now deploy a massive wave of convincing emails with unprecedented efficiency.

Furthermore, the study highlighted the adaptability of AI-powered phishing. ChatGPT demonstrated the ability to adjust its tactics in response to recipient interactions, enabling it to refine its approach and increase its chances of success. This level of sophistication raises concerns about the evolving nature of cyber threats and the need for adaptive cybersecurity strategies.

While AI-generated phishing is on the rise, it's important to note that human social engineers still maintain an edge in certain nuanced scenarios. Human intuition, emotional intelligence, and contextual understanding remain formidable obstacles for AI to completely overcome. However, as AI continues to advance, it's crucial for cybersecurity professionals to stay vigilant and proactive in their efforts to detect and mitigate evolving threats.

Cybersecurity measures need to be reevaluated in light of the growing competition between AI-generated phishing emails and human-crafted attacks. Defenders must adjust to this new reality as the landscape changes. Staying ahead of cyber threats in this quickly evolving digital age will require combining the strengths of human experience with cutting-edge technologies.

Read more »
VIPRE Security Group
AI Detection Chat-GPT Cloud Services cloud storage services generative AI tools hacker tactics malspam malware delivery Phishing emails phishing threats Spam Technology VIPRE Security Group

Rising Email Security Threats: Here’s All You Need to Know

 

A recent study highlights the heightened threat posed by spam and phishing emails due to the proliferation of generative artificial intelligence (AI) tools such as Chat-GPT and the growing popularity of cloud services.

According to a fresh report from VIPRE Security Group, the surge in cloud usage has correlated with an uptick in hacker activity. In this quarter, 58% of malicious emails were found to be delivering malware through links, while the remaining 42% relied on attachments.

Furthermore, cloud storage services have emerged as a prominent method for delivering malicious spam (malspam), accounting for 67% of such delivery in the quarter, as per VIPRE's findings. The remaining 33% utilized legitimate yet manipulated websites.

The integration of generative AI tools has made it significantly harder to detect spam and phishing emails. Traditionally, grammatical errors, misspellings, or unusual formatting were red flags that tipped off potential victims to the phishing attempt, enabling them to avoid downloading attachments or clicking on links.

However, with the advent of AI tools like Chat-GPT, hackers are now able to craft well-structured, linguistically sophisticated messages that are virtually indistinguishable from benign correspondence. This necessitates victims to adopt additional precautions to thwart the threat.

In the third quarter of this year alone, VIPRE's tools identified a staggering 233.9 million malicious emails. Among these, 110 million contained malicious content, while 118 million carried malicious attachments. Moreover, 150,000 emails displayed "previously unknown behaviors," indicating that hackers are continually innovating their strategies to optimize performance.

Phishing and spam persist as favored attack methods in the arsenal of every hacker. They are cost-effective to produce and deploy, and with a stroke of luck, can reach a wide audience of potential victims. Companies are advised to educate their staff about the risks associated with phishing and to meticulously scrutinize every incoming email, regardless of the sender's apparent legitimacy.
Read more »
Security research
AI AI bots Artificial Intelligence ChatGPT Check Point Cyber Security Google Bard keylogger Law Enforcement Phishing emails Security flaw Security research

Forget ChatGPT, Google Bard may Possess Some Serious Security Flaws


A latest research claims that Google’s AI chatbot, Google Bard may let its users to use it for creating phishing emails and other malicious content, unlike ChatGPT.

At one such instances, cybersecurity researchers Check Point were able to produce phishing emails, keyloggers, and some basic ransomware code, by using the Redmond giant’s AI tool.

Using the AI tool of the Redmond behemoth, cybersecurity researchers Check Point were able to produce phishing emails, keyloggers, and some basic ransomware code.

The researchers' report further noted how they set out to compare Bard's security to that of ChatGPT. From both sites, they attempted to obtain three things: phishing emails, malicious keyloggers, and some simple ransomware code.

The researchers described that simply asking the AI bots to create phishing emails yielded no results, however asking the Bard to provide ‘examples’ of the same provided them with plentiful phishing mails. ChatGPT, on the other hand, refused to comply, claiming that doing so would amount to engaging in fraudulent activity, which is illegal.

The researchers further create malware like keyloggers, to which the bots performed somewhat better. Here too, a direct question did not provide any result, but a tricky question as well yielded nothing since both the AI bots declined. However, answers for being asked to create keyloggers differed in both the platforms. While Bard simply said, “I’m not able to help with that, I’m only a language model,” ChatGPT gave a much detailed explanation.

Later, on being asked to provide a keylogger to log their keys, both ChatGPT and Bard ended up generating a malicious code. However, ChatGPT did provide a disclaimer before doing the aforementioned.

The researchers finally proceeded to asking Bard to run a basic ransomware script. While this was much trickier than getting the AI bot to generate phishing emails or keylogger, they finally managed to get Bard into the game.

“Bard’s anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT[…]Consequently, it is much easier to generate malicious content using Bard’s capabilities,” they concluded.

Why Does it Matter? 

The reason, in simpler terms is: Malicious use of any new technology is inevitable.

Here, one can conclude that these issues with the emerging generative AI technologies are much expected. AI, as an extremely developed tool has the potential to alter an entire cybersecurity script.

Cybersecurity experts and law enforcements have already been concerned for the same and have been warning against the AI technology for it can be well used in increasing the ongoing innovation in cybercrime tactics like convincing phishing emails, malware, and more. The development in technologies have made it accessible to users in such a way that now a cybercriminal can deploy a sophisticated cyberattack by only having minimal hand in coding.

While regulators and law enforcement are doing their best to impose limits on technology and ensure that it is utilized ethically, developers are working to do their bit by educating platforms to reject being used for criminal activity.

While generative AI market is decentralized, big companies will always be under the watch of regulatory bodies and law enforcements. However, smaller companies will remain in the radar of a potential cyberattack, especially the ones that are incapable to fight against or prevent the abuse.

Researchers and security experts suggests that the only way to improve the cybersecurity posture is to fight with full strength. Even though AI is already being used to identify suspicious network activity and other criminal conduct, it cannot be utilized to make entrance barriers as high as they once were. There is no closing the door ever again.

Read more »
Subscribe to: Posts (Atom)