Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Threat Intelligence. Show all posts
Threat Intelligence
Cyber Security FBI Security flaw Tech Firms Threat Intelligence

Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice filed last week is an unusual admission by the federal government regarding the threat posed by phoney emergency data requests, a legal process designed to assist police and federal authorities in obtaining information from firms in order to respond to immediate threats to people's safety or properties.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States often require some form of legal basis to seek and acquire access to private data stored on company laptops. Typically, police must provide sufficient proof of a potential crime before a U.S. court will grant a search warrant authorising them to collect that information from a private corporation. 

Police can issue subpoenas, which do not require a court appearance, requesting that businesses access restricted amounts of information about a user, such as their username, account logins, email addresses, phone numbers, and, in some cases, approximate location. 

There are also emergency requests, which allow police enforcement to gather a person's information from a firm in the event of an immediate threat and there is insufficient time to secure a court order. Federal authorities claim that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass for law enforcement by sending emails to businesses asking for user data using hacked police accounts. False threats, such as allegations of human trafficking and, in one instance, the warning that a person would "suffer greatly or die" until the company in issue returned the requested information, were mentioned in some of the requests.

The FBI claimed that because the hackers had gained access to law enforcement accounts, they were able to create subpoenas that appeared authentic and forced companies to divulge user data, including phone numbers, emails, and usernames. However, the FBI noted that not all fraudulent attempts to submit emergency data demands were successful.
Read more »
Trustwave SpiderLabs
Cyber Threats Cybersecurity JPHP language malware Pronsis Loader Ransomware Spyware stealth malware Threat Intelligence Trustwave SpiderLabs

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads

 

Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP, a variation of the popular PHP programming language, is rarely seen in the world of malware development, especially for desktop applications. While PHP is commonly used for web applications, its adaptation into desktop malware through Pronsis Loader offers cybercriminals an advantage by making it harder to detect.

Pronsis Loader’s use of JPHP helps it bypass conventional detection systems, which often rely on identifying common programming languages in malware. This less common language adds an extra layer of “stealth,” allowing the malware to slip past many security tools. In addition, Pronsis Loader uses advanced obfuscation and encryption to hide during initial infection, silently installing itself by imitating legitimate processes. This stealth tactic hinders both automated and manual detection efforts.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

 Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.







Read more »
Threat Intelligence
Cyber Security Dutch Police FBI Infostealer Threat Intelligence

Redline And Meta Infostealers Targeted in Operation Magnus

 

The Dutch National Police claimed on Monday that they had secured "full access" to all servers employed by the Redline and Meta infostealers, two of the most common cybercrime tools on the internet.

Infostealer malware is a major cybersecurity issue that is frequently sold as a malware-as-a-service tool. It infects users' devices and harvests information such as credit card numbers and autofill password data. 

Cybercriminals who use the infostealer then bundle the information into logs, which are sold on credential marketplaces to fraudsters and other criminals looking to breach any organisations whose login information has been compromised.

Earlier this week on Monday, the Dutch National Police, in collaboration with the FBI and other partner agencies in the United States, Australia, and the United Kingdom, announced the disruption of these two infostealers on a website for "Operation Magnus," which includes a timer promising "more news" counting down to noon on Tuesday, Dutch local time. 

A video on the site that mimics the criminals' own marketing claims that the police have supplied a "final update" for both the Redline and Meta infostealer strains, adding that the multinational operation "gained full access to all Redline and Meta servers." The video shows the depth of this access, including many administrator panels, the malware source code, and what appears to be a large number of usernames for people who use the malware-as-a-service tool. 

“Involved parties will be notified, and legal actions are underway,” reads the site, while the video adds, alongside a graphic of cuffed hands: “Thank you for installing this update. We’re looking forward to seeing you soon.” 

Cybercriminals find ways

In conjunction with the disruption operations, the US Justice Department unsealed charges against Maxim Rudometov, one of RedLine's developers and administrators.

According to the Attorney's Office for the Western District of Texas, Rudometov may face a maximum sentence of 35 years if convicted of access device fraud, conspiracy to commit computer intrusion, and money laundering. This follows a series of operations by law enforcement agencies aimed at disrupting the activities of high-profile cybercrime groups around the world.

In December 2023, US officials seized the leak site of ALPHV/BlackCat, one of the most prolific ransomware collectives in recent years, in what was regarded as a severe blow to the outfit.
Read more »
Threat Intelligence
AES-256 Cyber Security Quantum Hack Shanghai University Threat Intelligence

Security Experts Downplay the Significance of the Chinese Quantum "Hack"

 

Security experts have recommended caution following a series of doom-laden reports in recent days claiming that Chinese researchers have cracked military-grade encryption via quantum computing technology.

The reports, which first appeared in the South China Morning Post last week, are based on a study published in a Chinese journal called Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage. 

Shanghai University researchers employed a D-Wave Advantage quantum computer to study Substitution-Permutation Network (SPN) algorithms, notably the Present, Gift-64, and Rectangle algorithms, which are fundamental to Advanced Encryption Standard (AES) cryptography. 

AES-256 is regarded as a nearly unbreakable symmetric encryption method employed by banks, governments, and the military to safeguard data, prompting the research team to reportedly claim that their findings prove quantum poses a "real and substantial threat" to current encryption. 

However, Avesta Hojjati, DigiCert's chief of R&D, has criticised some of the media coverage of the research, stating that it sensationalised the findings in order to instill fear, uncertainty, and doubt in readers. 

“While the research shows quantum computing's potential threat to classical encryption, the attack was executed on a 22-bit key – far shorter than the 2048 or 4096-bit keys commonly used in practice today. The suggestion that this poses an imminent risk to widely used encryption standards is misleading,” he argued. “This research, while intriguing, does not equate to an immediate quantum apocalypse.” 

Indeed, even the initial study apparently warned that a real quantum threat to the symmetric encryption currently in use is still some time off due to environmental interference and immature hardware. The difficulties of creating a single algorithm that could be used to reveal several encryption schemes was also mentioned. 

"We are still far from a practical attack that can threaten real-world encryption systems, especially with the current state of quantum computing,” Hojjati aded. “The [media] coverage may serve as a cautionary tale, but it exaggerates the timeline and feasibility of quantum threats to make for a more dramatic story. While the research advances discussion on quantum readiness, we should remain cautious but not alarmist.”
Read more »
Threat Intelligence
Cyber Security Law Enforcement Ransomware ransomware attacks Threat Intelligence

Law Enforcement From Thirty Nine Nations Team Up to Tackle Ransomware Attacks

 

Ransomware continues to pose significant issues for businesses and organisations around the world, and with attacks on the rise, the UK and 38 other nations have joined forces with international cyber insurance authorities to create new guidelines aimed at bolstering resilience and providing help to victims.

The new guidance will advise ransomware victims to carefully evaluate all options before making payments, as data restoration and malware eradication are not guaranteed even if the ransom is paid, and hackers are just encouraged to continue. 

Instead, firms are advised to create a thorough response architecture in the case of an attack, that includes regulations and contingency plans. If an organisation is targeted, the policy suggests reporting the attack to law police and consulting with security professionals. 

Global crackdown 

With an expected $1 billion lost to ransomware attacks in 2023, ransomware is a lucrative business for criminals. But the new regulations aim to undercut the ransomware playbook and, if at all possible, stop future attacks by removing the incentive for attackers. 

“Cyber criminality does not recognize borders. That is why international co-operation is vital to tackle the shared threat of ransomware attacks. This guidance will hit the wallets of cyber criminals, and ultimately help to protect businesses in the UK and around the world”, stated Security Minister Dan Jarvis.

The United Kingdom is eager to lead the collaborative approach to combating cybercrime, so three major UK insurance bodies (the Association of British Insurers, the British Insurance Brokers' Association, and the International Underwriting Association) have joined forces to launch co-sponsored guidance for businesses. 

The UK National Crime Agency recently sanctioned 16 members of the 'Evil Corp' cybercriminal outfit, which is responsible for stealing more than $300 million from critical infrastructure, healthcare, and government organisations worldwide.

“Ransomware remains an urgent threat and organisations should act now to boost resilience," noted Jonathon Ellison, NCSC Director for National Resilience. “The endorsement of this best practice guidance by both nations and international cyber insurance bodies represents a powerful push for organisations to upgrade their defences and enhance their cyber readiness. "

“This collective approach, guided by last year’s CRI statement denouncing ransomware and built on guidelines from the NCSC and UK insurance associations earlier this year, reflects a growing global commitment to tackling the ransomware threat.”
Read more »
Windows User
Cyber Security Fake Captcha Malicious Campaign Threat Intelligence Windows User

Microsoft Issues New Warnings For Windows Users

 

As we approach the weekend, a new warning has been issued that a "global attack" is now targeting Windows users in multiple nations worldwide. The campaign is surprisingly basic, but it highlights the risk for the hundreds of millions of Windows 10 customers who will be without security upgrades in a year. 

Palo Alto Networks' Unit 42 warned about the risks of fake new CAPTCHAs last month. Although it didn't receive much attention at the time, researcher John Hammond's video on X helped spread the word. McAfee researchers have recently released a fresh alert regarding these fraudulent CAPTCHA popups that are currently circulating. 

These assaults should be easy to detect—but they’re designed to be casually effective. The fake challenges are designed to distribute Lumma Stealer. “These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware. The associated Lumma Stealer EXE files retrieve and use zip archives that don't appear to be inherently malicious on their own,” researchers explained. In its latest research, McAfee cautions that the ClickFix infection chain operates by tricking people into clicking on buttons like Verify you are a human' or 'I am not a robot.'" 

When clicked, a malicious script is copied to the user's clipboard. Users are then tricked into pasting the script after pressing the Windows key + R, unknowingly launching the malware. This technique speeds up the infection process, allowing attackers to easily deploy malware. 

The pattern is apparent to you. The crypto wallets and your account credentials are the main targets of the information-stealing malware that will be installed on your device. It doesn't appear to be a typical CAPTCHA, even if they are evolving and becoming more difficult to figure out. However, if, at that moment, copying and pasting isn't making you feel uneasy, turn off your computer and perhaps take a break. 

Furthermore, McAfee identifies two deviously created lures, one aimed at consumers ready to download illegally copied games and the other at software developers concerned about a security flaw in code they wrote and distributed. 

Users searching online for illegal copies of games are likely to have their guard up in any case; yet, the team warns that "they may encounter online forums, community posts, or public repositories that redirect them to malicious links.” 

The second target group is even more sneaky. Users get phishing emails that frequently target GitHub contributors, pushing them to fix a fake security flaw. These emails provide links to the same fraudulent CAPTCHA pages. 

This fake CAPTCHA campaign is starting to propagate; be cautious and take a moment to look for any signs of compromise when faced with one. It won't always be as clear as it is in this instance. These attacks will change and become more difficult to identify. It goes without saying that you should never, ever copy and paste and then execute from within a CAPTCHA. 

This serves as another timely reminder to Windows 10 users that discontinuing support should not be one of their actions between now and October of next year. You'll need to switch to Windows 11 if Microsoft doesn't offer reasonably priced extension alternatives and workarounds aren't sufficient to close the gap.
Read more »
Threat Intelligence
Business Security CISOs Cyber Criminals Cyber Security Threat Intelligence

Here's Why Attackers Have a Upper Hand Against CISOs

 

Security experts have an in-depth knowledge of the technical tactics, techniques, and procedures (TTPs) that attackers employ to launch cyberattacks. They are also knowledgeable about critical defensive methods, such as prioritising patching based on risk and creating a zero-trust policy. 

However, the world for business security appears to be one step behind hackers, who successfully launch an increasing number of attacks year after year. Here's one reason: many CISOs underappreciate, overlook, and sometimes underestimate all of the knowledge that hackers bring to the table — the nontechnical insights that they use to gain an advantage. 

“Hackers know that the average CISO has a lot on their plates and they don’t have enough [resources] to get everything done. So CISOs really have to pay attention to what hackers are doing and what they know so they can best defend against them,” stated Stephanie “Snow” Carruthers, chief people hacker at IBM.

So, what do hackers know that may not be credible? According to security researchers, these are three main hacking tactics that may go unnoticed by CISOs. 

Hackers know business schedule 

It's not a coincidence that many attacks occur during the most challenging times. Hackers do boost their attacks on weekends and holidays when security teams are understaffed. They're also more likely to strike just before lunchtime and at the end of the day, when employees are rushed thereby less aware of red indicators indicating a phishing attack or fraudulent behaviour.

“Hackers typically deploy their attacks during those times because they’re less likely to be noticed,” stated Melissa DeOrio, global threat intelligence lead at S-RM, a global intelligence and cybersecurity consultancy.

DeOrio agrees that many hackers are based in regions where daytime working hours overlap with non working hours in the Americas and Western Europe. However, she claims that research suggests that hackers exploit this disparity by timing their attacks. 

Furthermore, Tomer Bar, vice president of security research at SafeBreach, adds that threat actors seek out moments of organisational upheaval (e.g., mergers, acquisitions, layoffs, etc.) to exploit. "Threat actors will try to launch an attack at the most difficult time for the CISO and the blue team.” 

To counter this hacking technique, long-time security leaders encourage CISOs to include it into their own defence strategies. They should use third-party services during off-business hours to supplement the security team's work schedule, increase automation to improve staff efficiency at all hours, add extra layers of security such as more monitoring or tighter filters at times of increased risk, ensure priority security work is completed before busy times such as holidays, and educate all employees about the heightened risks that exist during such times. 

Gathering insights on organisations 

The attackers actively gather open-source intelligence (OSINT) in order to plan attacks. It's hardly unexpected that hackers seek out information on transformative events such as large layoffs, mergers, and the like, she says. However, CISOs, their teams, and other executives may be astonished to hear that hackers hunt for news about seemingly innocuous activities such as technology installations, new alliances, hiring sprees, and CEO schedules that show when they are away from the office. 

To counter this, CISOs can monitor OSINT about their organisations, collaborate with other executives on announcements and their timing, and run simulations on how such announcements play out from a business perspective. All of this allows CISOs and their teams to see what hackers see, better understand their thinking, and prepare for potential targeted attacks. 

Ignorant corporate culture 

Security awareness training typically demands employees to take time to review emails or think through requests to help determine whether a request is legitimate or suspicious. Yet workplace culture today generally works against that approach, Huffman notes. “We praise ourselves for putting ourselves in an emotional hot state,” he says, pointing to job postings that use phrases such as “fast-paced,” “dynamic” and “high-intensity” to describe the workplace culture as evidence. 

According to Huffman, Employees do not have — nor are they encouraged to take — extra time to review incoming messages (whether via email, phone, video, text, or other means). "And that's why hackers are successful: they catch us in constant emotional hot states when you're clicking through 1,000 emails.”
Read more »
Threat Intelligence
Corporate Cyber Security Organization security Risk Assessment Threat Intelligence

Beyond Prioritization: Security Journey for Organizations

Prioritization tools typically rely on factors like severity, exploitability, and potential impact. While these criteria are valuable, they don't provide the full picture.

Organizations face an overwhelming number of vulnerabilities, and deciding which ones to address first can be a challenge for many. However, it's essential to recognize that prioritization is merely the beginning of a more comprehensive security journey.

The Limitations of Prioritization

Prioritization tools typically rely on factors like severity, exploitability, and potential impact. While these criteria are valuable, they don't provide the full picture. Here are some limitations:
  1. Context Matters: Prioritization tools often lack context. They don't consider an organization's unique environment, business processes, or specific threats. A high-severity vulnerability might be less critical if it doesn't align with an organization's risk profile.
  2. Dynamic Threat Landscape: Threats evolve rapidly. A vulnerability that seems low-risk today could become a weaponized exploit tomorrow. Prioritization models need to account for this dynamic nature.
  3. Resource Constraints: Organizations have finite resources—time, budget, and personnel. Prioritization doesn't address how to allocate these resources effectively.

The Holistic Approach

To move beyond prioritization, consider the following steps:
  • Risk Assessment: Start by understanding your organization's risk appetite. Conduct a risk assessment that considers business impact, regulatory compliance, and threat intelligence. This assessment informs your vulnerability management strategy.
  • Asset Inventory: Create a comprehensive asset inventory. Knowing what you're protecting allows you to prioritize vulnerabilities based on critical assets. Not all systems are equal; some are more vital to your operations.
  • Threat Intelligence: Stay informed about emerging threats. Collaborate with industry peers, subscribe to threat feeds, and monitor security forums. Threat intelligence helps you contextualize vulnerabilities.
  • Attack Surface Reduction: Minimize your attack surface. Remove unnecessary services, close unused ports, and segment your network. Fewer entry points mean fewer vulnerabilities to manage.
  • Patch Management: Prioritize patching based on risk. Critical systems should receive immediate attention, while less critical ones can follow a staggered schedule.
  • Security Hygiene: Regularly review configurations, permissions, and access controls. Misconfigurations often lead to vulnerabilities. Implement security baselines and automate hygiene checks.
  • Incident Response Readiness: Prepare for incidents. Develop an incident response plan, conduct tabletop exercises, and ensure your team knows how to respond effectively.

Transparency and Communication

Transparency is crucial. Communicate with stakeholders—executives, IT teams, and end-users. Explain the rationale behind vulnerability management decisions. Transparency builds trust and ensures everyone understands the risks.

Vulnerability prioritization is essential, but it's not the destination—it's the starting point. Embrace a holistic approach that considers context, risk, and resource constraints. By navigating the security journey with diligence and transparency, organizations can better protect their digital assets.
Read more »
Water Hydra APT
Cyber Security SmartScreen Bypass Threat Intelligence Vulnerability Analysis Water Hydra APT

DarkMe RAT: Microsoft SmartScreen Vulnerability Explored

Microsoft SmartScreen Vulnerability Explored

In recent months, cybersecurity researchers have detected a surge in the exploitation of a critical vulnerability known as CVE-2024-21412. This vulnerability specifically targets Microsoft SmartScreen, a security feature designed to protect users from malicious websites and downloads. 

In this blog post, we’ll delve into the details of CVE-2024-21412, its impact, and the tactics employed by threat actors to bypass SmartScreen.

The Basics: What Is CVE-2024-21412?

CVE-2024-21412 is a security flaw that affects Microsoft SmartScreen, a component integrated into various Microsoft products, including Windows Defender and Microsoft Edge. SmartScreen analyzes URLs and files to determine their safety and warns users if they attempt to access potentially harmful content. However, this vulnerability allows attackers to evade SmartScreen’s protective measures.

Exploitation Techniques

1. Internet Shortcuts (URL Files)

The primary vector for exploiting CVE-2024-21412 is through internet shortcuts (URL files). These files contain references to websites and are commonly used for creating desktop shortcuts or bookmarks. By crafting a malicious URL file, threat actors can trick SmartScreen into allowing access to dangerous sites or downloads.

2. Water Hydra APT Group

The Water Hydra advanced persistent threat (APT) group is at the forefront of exploiting this vulnerability. Their sophisticated techniques involve creating specially crafted URL files that appear harmless to SmartScreen. Once a victim clicks on the shortcut, the associated website delivers a payload—often the DarkMe remote access trojan (RAT).

3. Bypassing Patched Vulnerabilities

Interestingly, CVE-2024-21412 emerged as a result of bypassing a previously patched SmartScreen vulnerability (CVE-2023-36025). This highlights the cat-and-mouse game between security researchers and threat actors. Even after a patch is released, attackers continue to explore new attack vectors, rendering the patch ineffective.

Geographical Targets

The Water Hydra group’s campaign exploiting CVE-2024-21412 has primarily targeted regions such as Spain, the United States, and Australia. Their choice of targets suggests a deliberate strategy to compromise high-value systems and organizations.

Mitigation and Recommendations

1. Keep Software Updated

Ensure that your operating system and security software are up to date. Regularly check for patches and apply them promptly.

2. Exercise Caution with URL Files

Be cautious when opening internet shortcuts (URL files). Verify the source and destination before clicking on any links.

3. Educate Users

Educate users about the risks associated with SmartScreen bypass vulnerabilities. Awareness is crucial in preventing successful attacks.

Read more »
Threat Intelligence
AI Firms Artificial Intelligence Open AI Technology Threat Intelligence

Employees Claim OpenAI and Google DeepMind Are Hiding Dangers From the Public

 

A number of current and former OpenAI and Google DeepMind employees have claimed that AI businesses "possess substantial non-public data regarding the capabilities and limitations of their systems" that they cannot be expected to share voluntarily.

The claim was made in a widely publicised open letter in which the group emphasised what they called "serious risks" posed by AI. These risks include the entrenchment of existing inequities, manipulation and misinformation, and the loss of control over autonomous AI systems, which could lead to "human extinction." They bemoaned the absence of effective oversight and advocated for stronger whistleblower protections. 

The letter’s authors said they believe AI can bring unprecedented benefits to society and that the risks they highlighted can be reduced with the involvement of scientists, policymakers, and the general public. However, they said that AI companies have financial incentives to avoid effective oversight. 

Claiming that AI firms are aware of the risk levels of different kinds of harm and the adequacy of their protective measures, the group of employees stated that the companies have only weak requirements to communicate this information with governments "and none with civil society." They further stated that strict confidentiality agreements prevented them from publicly voicing their concerns. 

“Ordinary whistleblower protections are insufficient because they focus on illegal activity, whereas many of the risks we are concerned about are not yet regulated,” they wrote.

Vox revealed in May that former OpenAI employees are barred from criticising their former employer for the rest of their life. If they refuse to sign the agreement, they risk losing all of their vested stock gained while working for the company. OpenAI CEO Sam Altman later said on X that the standard exit paperwork would be altered.

In reaction to the open letter, an OpenAI representative told The New York Times that the company is proud of its track record of developing the most powerful and safe AI systems, as well as its scientific approach to risk management.

Such open letters are not uncommon in the field of artificial intelligence. Most famously, the Future of Life Institute published an open letter signed by Elon Musk and Steve Wozniak calling for a 6-month moratorium in AI development, which was disregarded.
Read more »
Threat Intelligence
Cracked Software Illegal Sites malware pirated software Threat Intelligence

Pirated Microsoft Office Distributes a Malware Cocktail to Infiltrates Systems

 

The hackers are distributing a malware cocktail via cracked versions of Microsoft Office marketed on torrent websites. Malware distributed to customers includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs. 

The AhnLab Security Intelligence Centre (ASEC) has recognised the ongoing attempt and warns against the risks of downloading unauthorised software. Korean researchers identified that the attackers employ a variety of lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea. 

MS Office to malware 

The cracked Microsoft Office installer has a well-designed UI that allows users to choose the version they wish to install, the language, and whether to use 32- or 64-bit versions. 

However, in the background, the installer launches an obfuscated.NET malware that contacts a Telegram or Mastodon channel to obtain a valid download URL from which it will download other components. The URL refers to Google Drive or GitHub, both of which are reliable websites that are unlikely to trigger AV warnings. 

The malware component 'Updater' registers tasks in the Windows Task Scheduler to make sure they persist between system reboots. According to ASEC, the malware installs the following forms of malware on the compromised system: 

Orcus RAT: Provides extensive remote control, such as keylogging, webcam access, screen capture, and system modification for data exfiltration. 

XMRig: It is a cryptocurrency miner that exploits system resources to mine Monero. It halts mining during periods of high resource demand, such as while the victim is gaming, to avoid detection. 

3Proxy: Turns infected systems into proxy servers by opening port 3306 and inserting it into normal processes, allowing attackers to redirect malicious traffic. 

Even if the user detects and wipes any of the aforementioned malware, the 'Updater' module, which runs at system launch, will reintroduce it. Users should exercise caution when installing files downloaded from suspicious sources, and they should avoid using pirated/cracked software. 

Similar advertisements have been used to promote the STOP ransomware, which is the most active ransomware operation targeting consumers. Because these files are not digitally signed and users are willing to disregard antivirus warnings when launching them, they are frequently used to infect systems with malware, in this case a whole set.
Read more »
XDR Tools
Artificial Intelligence Cyber Security SOC Threat Intelligence XDR Tools

Invest in Future-Proofing Your Cybersecurity AI Plan

 

With the ongoing barrage of new attacks and emerging dangers, one might argue that every day is an exciting day in the security operations centre (SOC). However, today's SOC teams are experiencing one of the most compelling and transformative changes in how we detect and respond to cybersecurity threats. Innovative security organisations are attempting to modernise SOCs with extended detection and response (XDR) platforms that incorporate the most recent developments in artificial intelligence (AI) into the defensive effort. 

XDR systems combine security telemetry from several domains, such as identities, endpoints, software-as-a-service apps, email, and cloud workloads, to provide detection and response features in a single platform. As a result, security teams employing XDR have greater visibility across the company than ever before. But that's only half the tale. The combination of this unprecedented insight and an AI-powered SOC aid can allow security teams to operate at the pace required to turn the tables on potential attackers. 

Innovative security organisations need to have a strategic implementation plan that considers the future in order to effectively leverage today's AI capabilities and provide the foundation for tomorrow's breakthroughs. This is because the industry is evolving rapidly. 

XDR breadth matters 

Unlike traditional automated detection and blocking solutions, which frequently rely on a single indicator of compromise, XDR platforms employ AI to correlate cross-domain security signals that analyse a full attack and identify threats with high confidence. AI's greater fidelity improves the signal-to-noise ratio, resulting in fewer false positives for manual investigation and triage. Notably, the larger the dataset on which the AI is operating, the more effective it will be; therefore, XDR's inherent breadth is critical. 

An effective XDR strategy should identify and account for high-risk regions, cybersecurity maturity, modern architecture and technologies, and budgetary limits, among other things. While adoption should be gradual to minimise operational impact, organisations must also examine how to acquire the broadest XDR coverage possible in order to make the most of AI's capabilities. 

Create AI-Confident teams

The purpose of AI is not to replace humans in your SOC, but to enable them. If your team lacks faith in the tools they use they will be unable to fully realise the platform's potential. As previously noted, minimising false positives will help increase user trust over time, but it is also critical to provide operational transparency so that everyone understands where data is coming from and what actions have been taken. 

XDR platforms must provide SOC teams with complete control over investigating, remediating, and bringing assets back online when they are required. Tightly integrating threat detection and automatic attack disruption capabilities into existing workflows will speed up triage and provide a clear view of threats and remedial operations across the infrastructure. 

Stay vigilant 

The indicators of attack and compromise are continually evolving. An effective, long-term XDR plan will meet the ongoing requirement for rapid analysis and continuous vetting of the most recent threat intelligence. Implementation roadmaps should address how to facilitate the incorporation of timely threat intelligence and include flexibility to grow or augment teams when complex incidents demand additional expertise or support. 

As more organisations look to engage in XDR and AI to improve their security operations, taking a careful, future-focused approach to deployment will allow them to better use today's AI capabilities while also being prepared for tomorrow's breakthroughs. After all, successful organisations will not rely solely on artificial intelligence to stay ahead of attackers. They will plan AI investments to keep them relevant.
Read more »
User Privacy
Cyber Fraud Cyber Scammers Threat Intelligence User Privacy

Have You Been Defrauded? This Scam Survival Toolkit Can Help You Recover

 

Wondering what to do in the aftermath of a fraud can be extremely difficult. The Better Business Bureau's (BBB) new fraud Survival Toolkit helps fraud survivors navigate the recovery process.

Fraudsters target people from many walks of life. BBB frequently shares tips on how to avoid scammers, but you may still be at risk immediately after a scam happens. 

Scams not only cause financial harm, but they also have an emotional impact on victims. Survivors of scams often experience feelings of shame, guilt, or wrath, even if it is not their fault they were victimised.

Scammers capitalise on strong emotions, and emotions are high in the days following a scam, putting survivors at risk. According to the BBB's 2023 Scam Tracker Risk Report, 10% of respondents were victims of three or more frauds. 

The first step following a scam is to protect oneself from further harm. Everyone's situation is unique, but the methods below can help you secure your money, credit, or identity. 

Prevention tips 

Secure your finances: If you have lost money or bank information to a scammer, contact your financial institution. They may be able to initiate a fraud inquiry or cancel the transactions. If your credit card information has been hacked, they can cancel it and provide you a new one.

Protect your credit: If you lose personal or credit card information, it could be exploited to steal your identity; thus, place a fraud warning on your credit reports or freeze your credit. Consider acquiring a free credit report to keep track of any suspicious activities.

Change your password: If a specific account has been compromised, notify the company and change your password. Follow the BBB's password-creation instructions and consider using multifactor authentication to protect your account. Keep an eye out for any unusual behaviour on your other accounts.

Keep an eye out for recovery scams: Some scammers strike after a fraud has occurred, offering phoney credit repair or tech assistance services that steal money or information from susceptible people. 

Report the scam: Once you've taken steps to safeguard yourself, report the scam to BBB Scam Tracker to assist others. Last year, 36.6% of customers who visited BBB fraud Tracker reported that it helped them prevent fraud.
Read more »
Threat Intelligence
Cyber Attacks ESET Global Security North Korea Threat Intelligence

Defending Digital Frontiers: Strategies for Organizations in an Unstable World

Global Stability Issues Alter Cyber Threat Landscape

An overview

  • Geopolitical Tensions: Regional stability issues, such as political conflicts and economic tensions, have a direct impact on cyber threats. As geopolitical events unfold, threat actors adapt their strategies to exploit vulnerabilities.
  • Attack Trends: While no groundbreaking attack methods have emerged, existing techniques continue to evolve. Advanced Persistent Threat (APT) groups remain active, targeting government entities, critical infrastructure, and private organizations.
  • Leading Actors: ESET’s research identifies Russia-aligned APT groups as the most prolific attackers. Their sophisticated campaigns target various sectors, including energy, finance, and defense. China-aligned actors follow closely, focusing on espionage and intellectual property theft.

The current landscape

A recent analysis from threat intelligence analysts ESET claims that threat actors are increasing their attacks worldwide, with geographic events determining which locations are most heavily targeted. The principal author of the research recommends that CISOs to intensify their protection plans in light of the activity, even if he claims that no new attack techniques have been discovered.

The director of threat research at ESET, Jean-Ian Boutin said  that current attack methods "still work well." Thus, attackers don't always need to use innovative vectors. According to Boutin, CISOs are defending against these attacks properly; they only need to fortify themselves even more.

Impact on regional stability

The researchers claim that because the primary worldwide assault trends that ESET has identified have been directly impacted by regional stability difficulties, these challenges are also affecting the cyber sphere. The report focuses on activities of specific advanced persistent threat (APT) groups from October 2023 to March 2024, the experts said in the report.

Researchers from ESET also observed that organizations connected with Russia were concentrating on espionage activities throughout the European Union in addition to assaults against Ukraine.

Along with operations against Ukraine, ESET researchers also saw that entities connected with Russia were concentrating on espionage across the European Union. However, the researchers noted that several threat actors with ties to China took use of flaws in software and public-facing hardware, including firewalls and VPNs, as well as Confluence and Microsoft Exchange Server, to gain first access to targets across a variety of sectors.

Analysis of attacks

Using emotions to keep the assault from being disclosed is one of the more recent strategies ESET is witnessing in North Korea; this will probably increase the tactic's usefulness and duration. According to Boutin, the method has been used for years, but North Korean APT organizations are making a small adjustment.

Under the guise of a job application, the hack targets programmers and other technical talent at numerous significant US corporations. The victim is exposed to the malware and the trap is set when the attacker poses as a recruiter for such companies and requests that the victims complete an online test to demonstrate their technical proficiency.

Implications for CISOs

  • Defense Strategies: Organizations must strengthen their defense mechanisms. Proactive threat intelligence, robust network security, and employee training are essential. Zero-day vulnerabilities and supply chain attacks require constant vigilance.
  • Threat Attribution: Understanding threat actors’ motivations and affiliations is crucial. Attribution helps tailor defenses and prioritize resources effectively. Collaboration among security professionals and law enforcement agencies is vital.
  • Risk Assessment: Organizations should assess their risk exposure based on geopolitical events. Consider the impact of regional instability on critical assets and operations. Regular risk assessments inform decision-making.

Read more »
Threat Intelligence
Accountability Automation collaboration Cyber Security Cybersecurity executives Microsoft organizational changes Secure Future Initiative security governance Threat Intelligence

Microsoft to Enforce Executive Accountability for Cybersecurity

 

Microsoft is undergoing organizational adjustments to enhance cybersecurity measures throughout its products and services, focusing on holding senior leadership directly responsible. Charlie Bell, Microsoft's executive vice president of security, outlined these changes in a recent blog post aimed at reassuring customers and the US government of the company's dedication to bolstering cybersecurity amidst evolving threats.

One key aspect of this initiative involves tying a portion of the compensation for the company's Senior Leadership Team to the progress made in fulfilling security plans and milestones. Additionally, Microsoft is implementing significant changes to elevate security governance, including organizational restructuring, enhanced oversight, controls, and reporting mechanisms.

These measures encompass appointing a deputy Chief Information Security Officer (CISO) to each product team, ensuring direct reporting of the company's threat intelligence team to the enterprise CISO, and fostering collaboration among engineering teams across Microsoft Azure, Windows, Microsoft 365, and security groups to prioritize security.

Bell's announcement follows a recent assessment by the US Department of Homeland Security's Cyber Safety Review Board (CSRB), highlighting the need for strategic and cultural improvements in Microsoft's cybersecurity practices. The CSRB identified areas where Microsoft could have prevented a notable cyber incident involving a breach of its Exchange Online environment by the Chinese cyber-espionage group Storm-0558, which compromised user emails from various organizations, including government agencies.

Microsoft previously launched the Secure Future Initiative (SFI) to address emerging threats, incorporating measures such as automation, artificial intelligence (AI), and enhanced threat modelling throughout the development lifecycle of its products. The initiative also aims to integrate more secure default settings across Microsoft's product portfolio and strengthen identity protection while enhancing cloud vulnerability response and mitigation times.

Bell's update provided further details on Microsoft's approach, emphasizing six key pillars: protecting identities and secrets, safeguarding cloud tenants and production systems, securing networks, fortifying engineering systems, monitoring and detecting threats, and expediting response and remediation efforts.

To achieve these goals, Microsoft plans to implement various measures, such as automatic rotation of signing and platform keys, continuous enforcement of least privileged access, and network isolation and segmentation. Efforts will also focus on inventory management of software assets and implementing zero-trust access to source code and infrastructure.

While the full impact of these changes may take time to materialize, Microsoft remains a prominent target for cyberattacks. Despite ongoing challenges, industry experts like Tom Corn, chief product officer at Ontinue, acknowledge the ambitious scope of Microsoft's Secure Future Initiative and its potential to streamline operationalization for broader benefit.
Read more »
Windows Vulnerability
AI technology APT28 Backdoors CVE-2022-38028 Fancy Bear Forest Blizzard GooseEgg Microsoft Network Security Russian Hackers Threat Intelligence Windows Vulnerability

Microsoft Alerts Users as Russian Hackers Target Windows Systems

 

As advancements in AI technology continue to unfold, the specter of cybercrime looms larger each day. Among the chorus of cautionary voices, Microsoft, the eminent IT behemoth, adds its warning to the fray.

Microsoft's Threat Intelligence researchers have issued a stark advisory to Windows users regarding the targeted assaults orchestrated by Russian state-sponsored hackers wielding a sophisticated tool.

These hackers, known in some circles as APT28 or Fancy Bear, but tracked by Microsoft under the moniker Forest Blizzard, have close ties to Russia's GRU military intelligence agency.

GooseEgg, a tool wielded with the aim of siphoning data and surreptitiously establishing backdoors within computer systems. Forest Blizzard, alias APT28, has deployed GooseEgg in a series of calculated strikes targeting governmental entities, educational institutions, and transportation firms across the United States, Western Europe, and Ukraine.

Their modus operandi centers predominantly on the strategic acquisition of intelligence. Evidence suggests that the utilization of GooseEgg may have commenced as early as June 2020, with the possibility of earlier incursions dating back to April 2019.

In response to the threat landscape, a patch addressing a vulnerability identified as CVE-2022-38028 was released by Microsoft in October 2022. GooseEgg, the nefarious tool in the hackers' arsenal, exploits this particular weakness within the Windows Print Spooler service.

Despite its deceptively simple appearance, the GooseEgg program poses an outsized threat, granting attackers elevated permissions and enabling a litany of malicious activities. From the remote execution of malware to the surreptitious installation of backdoors and the seamless traversal of compromised networks, the ramifications are profound and far-reaching.
Read more »
User Security
Artificial Intelligence ChatGPT Technology Threat Intelligence User Security

Is ChatGPT Secure? Risks, Data Safety, and Chatbot Privacy Explained

 

You've employed ChatGPT to make your life easier when drafting an essay or doing research. Indeed, the chatbot's ability to accept massive volumes of data, break down it in seconds, and answer in natural language is incredibly valuable. But does convenience come at a cost, and can you rely on ChatGPT to safeguard your secrets? It's a significant topic to ask because many of us lose our guard around chatbots and computers in general. So, in this article, we will ask and answer a simple question: Is ChatGPT safe?

Is ChatGPT safe to use?

Yes, ChatGPT is safe because it will not bring any direct harm to you or your laptop. Sandboxing is a safety system used by both online browsers and smartphone operating systems, such as iOS. This means ChatGPT can't access the rest of your device. You don't have to worry about your system being hacked or infected with malware when you use the official ChatGPT app or website. 

Having said that, ChatGPT has the potential to be harmful in other ways, such as privacy and secrecy. We'll go into more detail about this in the next section, but for now, remember that your conversations with the chatbot aren't private, even if they only surface when you log into your account. 

The final aspect of safety worth analysing is the overall existence of ChatGPT. Several IT giants have criticised modern chatbots and their developers for aggressively advancing without contemplating the potential risks of AI. Computers can now replicate human speech and creativity so perfectly that it's nearly impossible to tell the difference. For example, AI image generators may already generate deceptive visuals that have the potential to instigate violence and political unrest. Does this imply that you shouldn't use ChatGPT? Not necessarily, but it's an unsettling insight into what the future may hold. 

How to safely use ChatGPT

Even though OpenAI claims to store user data on American soil, we can't presume their systems are secure. We've seen higher-profile organisations suffer security breaches, regardless of their location or affiliations. So, how can you use ChatGPT safely? We've compiled a short list of tips: 

Don't share any private information that you don't want the world to know about. This includes trade secrets, proprietary code from the company for which you work, credit card data, and addresses. Some organisations, like Samsung, have prohibited their staff from using the chatbot for this reason. 

Avoid using third-party apps and instead download the official ChatGPT app from the App Store or Play Store. Alternatively, you can access the chatbot through a web browser. 

If you do not want OpenAI to utilise your talks for training, you may turn off data collection by toggling a toggle in Settings > Data controls > Improve the model for everyone. 

Set a strong password for your OpenAI account so that others cannot see your ChatGPT chat history. Periodically delete your conversation history. In this manner, even if someone tries to break into your account, they will be unable to view any of your previous chats.

Assuming you follow these guidelines, you should not be concerned about utilising ChatGPT to assist with everyday, tedious tasks. After all, the chatbot enjoys the backing of major industry companies such as Microsoft, and its core language model supports competing chatbots such as Microsoft Copilot.
Read more »
Threat Landscape
Business Security Cyber Security Multi-Layer Security Threat Intelligence Threat Landscape

Defense-in-Depth: A Layered Approach for Modern Cybersecurity

 

The cybersecurity landscape has shifted dramatically in recent years. Malware, phishing attempts, and data breaches have grown in frequency and scope, prompting organisations to invest more time and money into enhancing their cybersecurity strategies. Organisations should be aware of the shifting threat landscape, asking themselves what issues they face today and what specific steps they can take to mitigate the risks of cybercrime

This was the topic of discussion between cybersecurity expert Jon Bernstein and John Shier, field CTO commercial at Sophos, as they analysed how the security landscape is moving with increasingly sophisticated crime and what this implies for the future of business security. 

Shier highlighted multiple critical takeaways, including the evolution of cybercrime professionalisation and specialisation. Firewalls and multilayering defences, such as multi-factor authentication (MFA), have become critical additions to current organisational security layers in order to react to changing hacker techniques.

“We are getting better at detection, and are able to catch these people in the act sooner, but they know that. They know we’re better at detection, we have better tools and services, to aid in this quest of detecting them sooner and so they move faster, naturally,” noted Shier. “The faster we attack, the more we start to prevent these attacks, then the faster we can break their cadence and get in the way.” 

Shier also reviewed Sophos' recent research, 'Stopping Active Adversaries,' which identifies the most prevalent and emerging ways hackers infiltrate organisations. The study, which is based on an evaluation of 232 large cyber incidents managed by Sophos X-Ops incident responders, provides helpful suggestions for security strategy. 

Among its primary results are that compromised credentials and exploited vulnerabilities remain the most common entry points, and attacks are becoming faster. Ransomware dwell duration was reduced to five days in 2023, down from larger levels in previous years, and 91% of ransomware assaults occurred outside of business hours, highlighting the necessity for organisations to invest in round-the-clock protection.

Three steps to enhance security 

Shier highlights the need of three elements for organisations in combating these threats: security, monitoring, and response. "Securing means increasing friction wherever possible, using strong levels of multifactor authentication. "That is critical, and it should be applied wherever possible," Shier added. 

Shier warns that cybercriminals will only adapt when absolutely necessary. He suggests raising the bar so high that some cybercriminals' tactics "won't be worth it anymore," but reminds businesses that they no longer need to navigate their cybersecurity journey alone, and can rely on beneficial partnerships to maintain airtight security for their organisation and employees.

“Getting security right can be difficult and time-consuming, it’s resource-consuming and expensive,” Shier added. “When you find yourself in a situation where you think, I’m having trouble doing this on my own, go ask for help. There are plenty of organisations out there, whether it’s people you can partner with for your IT infrastructure or vendors that can help you, ask for help, we’re here to help, and we’ve got the experience to keep you safe.” 

During this extensive discussion, Shier offere more insightful details and recommendations to help organisations create a thorough cybersecurity plan. The dynamic landscape of cybercrime and security underscores the significance of implementing multi-layered defences and the necessity for constant protection. Businesses can keep their digital assets safe and remain ahead of cyber threats by taking proactive measures to secure, monitor, and respond.
Read more »
Threat Intelligence
APT Group Cyber Attacks Data Leak Telecom Firm Threat Intelligence

ToddyCat APT Is Siphoning Data on 'Industrial Scale'

 

ToddyCat, an advanced persistent threat (APT) gang that targets the government and defence industries, has been seen collecting stolen data "on an industrial scale" from victim organisations in Asia-Pacific. 

Kaspersky researchers first disclosed details regarding the elusive gang's actions in 2022, despite the fact that it has been functioning since December 2020. ToddyCat is believed to be a Chinese-speaking gang, though its origins and ties are unknown.

Initially, the threat group targeted only certain organisations in Taiwan and Vietnam. When the ProxyLogon vulnerabilities in Microsoft Exchange Server were discovered in early 2021, it broadened the scope of its operations, now targeting multiple European and Asian organisations. 

ToddyCat upgraded its tools and strategies in 2023, and launched a long-running attack against government entities and telecom providers in multiple Asian countries. 

In Kaspersky's most recent review of the group, published last week, researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova explained the techniques the gang had lately been seen employing to exfiltrate massive volumes of data. 

“During the observation period, we noted that this group stole data on an industrial scale,” researchers explained. “To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack.”

One of the group's attacks was its predilection for creating many tunnels with various tools to gain access to the infrastructure of the organisations it targeted. This allowed the gang to continue using the compromised systems even after one of the tunnels was identified and eliminated, according to the experts.

ToddyCat used reverse SSH tunnels to get access to remote network services. The gang also employed SoftEther VPN, an open-source tool that allows for the establishment of VPN connections using a variety of popular protocols.

“In virtually every case we observed, the attackers renamed vpnserver_x64.exe to hide its purpose in the infected system,” the researchers added. “To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources, and downloaded files from remote resources using the curl utility.” 

To protect against the gang, the researchers advised defenders to add the resources and IP addresses of cloud providers that allow traffic tunnelling to their firewall deny lists. The researchers also recommended limiting the tools administrators can use to remotely access hosts.
Read more »
Subscribe to: Posts (Atom)