Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Threat Intelligence. Show all posts
Threat Intelligence
Crypto Crime Crypto Funds Cyber Crime India ISKP Threat Intelligence

Terror Ourfits Are Using Crypto Funds For Donations in India: TRM Labs

 

Transaction Monitoring (TRM) Labs, a blockchain intelligence firm based in San Francisco and recognised by the World Economic Forum, recently published a report revealing the links between the Islamic State Khorasan Province (ISKP) and ISIS-affiliated fund-collecting networks in India. ISKP, an Afghan terrorist outfit, is reportedly using the cryptocurrency Monero (XMR) to gather funds.

Following the departure of US soldiers from Afghanistan, the ISKP terrorist group garnered significant attention. The "TRM Labs 2025 Crypto Crime Report," published on February 10th, focusses on unlawful cryptocurrency transactions in 2024. According to the reports, illicit transactions have fallen by 24% compared to 2023. 

The "TRM Labs 2025 Crypto Crime Report," published on February 10th, focusses on illicit cryptocurrency transactions in 2024. According to the reports, illicit transactions have fallen by 24% compared to 2023. However, it also emphasises the evolving techniques employed by terrorist organisations. 

TRM Labs' report uncovered on-chain ties between ISKP-affiliated addresses and covert fundraising campaigns in India. The on-chain link is a component of the Chainlink network that runs directly on a blockchain, featuring smart contracts that handle data requests and connect to off-chain oracles. The TRM report states that the ISKP has begun receiving donations in Monero (XMR). 

News reports state that Voice of Khorasan, a periodical created by ISKP's media branch, al-Azaim, announced the commencement of the organization's first donation drive in support of Monero. Since then, Monero's fundraising activities have consistently included requests for donations. 

According to the report, ISKP and other terrorist organisations are favouring Monero more and more because of its blockchain anonymity capabilities. Monero is now worth ₹19,017.77. This powerful privacy tool aids in transaction concealment. However, the report emphasises that terrorist groups will choose more stable cryptocurrencies over Monero money for the foreseeable future due to its volatility and possible crackdowns. 

Furthermore, reliance on cryptocurrency mixers and unidentified wallets has risen. The primary venues for exchanging guidance on best practices and locating providers with the highest security requirements are now online forums. Fake proofs are being used by people to get over Know Your Customer (KYC) rules enforced by exchanges, which makes it challenging for law enforcement to follow the illicit transactions. 

In contrast to Bitcoin and other well-known digital assets, Monero gained attention for its sophisticated privacy features that make transactions trickier to identify. Because of this, they are a tempting option for people who engage in illicit financial activity.
Read more »
Threat Intelligence
APT37 Cyberattack Cybersecurity Data Breach Hacking North Korea phishing RokRat Threat Intelligence

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

 

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

-A decoy HWPX document
-A batch script (shark.bat)

Additional payloads like caption.dat and elephant.dat
The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat RAT.

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.
Read more »
Threat Intelligence
Online Security Quantum Computers Security Breach Technology Threat Intelligence

Quantum Computers Threaten to Breach Online Security in Minutes

 

A perfect quantum computer could decrypt RSA-2048, our current strongest encryption, in 10 seconds. Quantum computing employs the principle of quantum physics to process information using quantum bits (qubits) rather than standard computer bits. Qubits can represent both states at the same time, unlike traditional computers, which employ bits that are either 0 or 1. This capacity makes quantum computers extremely effective in solving complicated problems, particularly in cryptography, artificial intelligence, and materials research. 

While this computational leap opens up incredible opportunities across businesses, it also raises serious security concerns. When quantum computers achieve their full capacity, they will be able to break through standard encryption methods used to safeguard our most sensitive data. While the timescale for commercial availability of fully working quantum computers is still uncertain, projections vary widely.

The Boston Consulting Group predicts a significant quantum advantage between 2030 and 2040, although Gartner believes that developments in quantum computing could begin to undermine present encryption approaches as early as 2029, with complete vulnerability by 2034. Regardless of the precise timetable, the conclusion is unanimous: the era of quantum computing is quickly approaching. 

Building quantum resilience 

To address this impending threat, organisations must: 

  • Adopt new cryptographic algorithms that are resistant against impending quantum attacks, such as post-quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) recently published its first set of PQC algorithm standards (FIPS 203, FIPS 204, and FIPS 205) to assist organisations in safeguarding their data from quantum attacks. 
  • Upgrades will be required across the infrastructure. Develop crypto agility to adapt to new cryptographic methods without requiring massive system overhauls as threats continue to evolve. 

This requires four essential steps: 

Discover and assess: Map out where your organisation utilises cryptography and evaluate the quantum threats to its assets. Identify the crown jewels and potential business consequences. 

Strategise: Determine the current cryptography inventory, asset lives against quantum threat timelines, quantum risk levels for essential business assets, and create an extensive PQC migration path. 

Modernise: Implement quantum-resilient algorithms while remaining consistent with overall company strategy.

Enhance: Maintain crypto agility by providing regular updates, asset assessments, modular procedures, continual education, and compliance monitoring. 

The urgency to act 

In the past, cryptographic migrations often took more than ten years to finish. Quantum-resistant encryption early adopters have noticed wide-ranging effects, such as interoperability issues, infrastructure rewrites, and other upgrading challenges, which have resulted in multi-year modernisation program delays. 

The lengthy implementation period makes getting started immediately crucial, even though the shift to PQC may be a practical challenge given its extensive and dispersed distribution throughout the digital infrastructure. Prioritising crypto agility will help organisations safeguard critical details before quantum threats materialise.
Read more »
Threat Intelligence
LLM OpenAI Tech Firms Technology Threat Intelligence

Big Tech's Interest in LLM Could Be Overkill

 

AI models are like babies: continuous growth spurts make them more fussy and needy. As the AI race heats up, frontrunners such as OpenAI, Google, and Microsoft are throwing billions at massive foundational AI models comprising hundreds of billions of parameters. However, they may be losing the plot. 

Size matters 

Big tech firms are constantly striving to make AI models bigger. OpenAI recently introduced GPT-4o, a huge multimodal model that "can reason across audio, vision, and text in real time." Meanwhile, Meta and Google both developed new and enhanced LLMs, while Microsoft built its own, known as MAI-1.

And these companies aren't cutting corners. Microsoft's capital investment increased to $14 billion in the most recent quarter, and the company expects that figure to rise further. Meta cautioned that its spending could exceed $40 billion. Google's concepts may be even more costly.

Demis Hassabis, CEO of Google DeepMind, has stated that the company plans to invest more than $100 billion in AI development over time. Many people are chasing the elusive dream of artificial generative intelligence (AGI), which allows an AI model to self-teach and perform jobs it wasn't prepared for. 

However, Nick Frosst, co-founder of AI firm Cohere, believes that such an achievement may not be attainable with a single high-powered chatbot.

“We don’t think AGI is achievable through (large language models) alone, and as importantly, we think it’s a distraction. The industry has lost sight of the end-user experience with the current trajectory of model development with some suggesting the next generation of models will cost billions to train,” Frosst stated. 

Aside from the cost, huge AI models pose security issues and require a significant amount of energy. Furthermore, after a given amount of growth, studies have shown that AI models might reach a point of diminishing returns.

However, Bob Rogers, PhD, co-founder of BeeKeeperAI and CEO of Oii.ai, told The Daily Upside that creating large, all-encompassing AI models is sometimes easier than creating smaller ones. Focussing on capability rather than efficiency is "the path of least resistance," he claims. 

Some tech businesses are already investigating the advantages of going small: Google and Microsoft both announced their own small language models earlier this year; however, they do not seem to be at the top of earnings call transcripts.
Read more »
Window Users
Cyber Attacks Mac NotLockBit Ransomware attack Threat Intelligence Window Users

New Alert: Windows and Mac Are the Target of a Self-Deleting Ransomware

 

The ransomware epidemic may have been stopped by recent law enforcement operations that disrupted attack infrastructure, led to the arrest of cybercriminals, and broke up some threat groups, but this would be wrong as well. A recent study on the cross-platform, self-deleting NotLockBit ransomware assault has confirmed that the threat is not only still present but is also evolving. Here's what Windows and macOS users should know. 

Pranita Pradeep Kulkarni, a senior engineer of threat research at Qualys, has revealed in a recently published technical deep dive into the NotLockBit ransomware assault family that the threat is not only cross-platform but also sophisticated in using a self-deleting mechanism to mask attacks.

The NotLockBit malware is named after the fact that it "actively mimics the behaviour and tactics of the well-known LockBit ransomware," according to Kulkarni. It targets macOS and Windows systems and illustrates "a high degree of sophistication while maintaining compatibility with both operating systems, highlighting its cross-platform capabilities." The latest investigation revealed that the current evolution of the NotLockBit ransomware has many advanced capabilities: targeted file encryption, data exfiltration and self-deletion mechanisms. 

NotLockBit encrypts files after stealing data and moving it to storage under the attacker's control so that it can be exploited for extortion, just like the majority of ransomware currently. Depending on how sensitive it is, such data can be sold to the highest criminal bidder or held hostage in exchange for publication on a leaked website. 

However, NotLockBit can delete itself to conceal any proof of the cyberattack, unlike other ransomware. According to Kulkarni, "the malware uses unlink activity to remove itself after it has finished operating; this is a self-removal mechanism designed to delete any evidence of its existence from the victim's system." 

Files with extensions like.csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, .vmsd, and .vbox are the main targets of NotLockBit, according to samples examined by Qualys, "because they frequently represent valuable or sensitive data typically found in personal or professional environments.” 

The investigation into NotLockBit ransomware exposed an increasingly sophisticated threat, the report concluded, and one that the researcher said, continues to evolve in order to maximize its impact. “It employs a combination of targeted encryption strategies, deceptive methods like mimicking well-known ransomware families,” Kulkarni concluded, “self-deletion mechanisms to minimize forensic traces.”
Read more »
WiFi Breach
Cyber Attacks Russian Hackers Threat Intelligence US Firm WiFi Breach

'Nearest Neighbour Attack': Russian Hackers Breach US Firm Wi-Fi

 

Russian state-sponsored hacking group APT28 (Fancy Bear/Forest Blizzard/Sofacy) has employed a novel "nearest neighbor attack" to breach enterprise WiFi networks from thousands of miles away. The attack, first detected on February 4, 2022, targeted a U.S. company in Washington, D.C., involved in Ukraine-related projects. Cybersecurity firm Volexity identified the intrusion, highlighting APT28’s innovative approach to bypass multi-factor authentication (MFA).

Details of the Attack

APT28 initiated the attack by breaching a nearby organization’s WiFi network, exploiting dual-home devices such as laptops or routers with both wired and wireless connections. These devices allowed the hackers to connect to the target’s WiFi network. By daisy-chaining access to multiple organizations, the hackers were able to connect to the victim's wireless network and move laterally across the system.

The hackers were able to bypass multi-factor authentication on the company’s WiFi network, despite being physically located thousands of miles away. Once within range, they compromised access to three wireless access points near the target’s conference room windows and used remote desktop protocol (RDP) from an unprivileged user to roam across the network.

Exfiltration and Data Theft

The attackers dumped Windows registry hives (SAM, Security, and System) using a script called servtask.bat, compressing them into a ZIP file for exfiltration. This process allowed APT28 to gather sensitive data without causing significant disruptions to the target network. The focus of the attack was on individuals and projects related to Ukraine, in line with Russia’s geopolitical interests.

Volexity's investigation revealed that APT28 was particularly interested in data from individuals with expertise in Ukraine-related projects. This highlights the targeted nature of the attack, aimed at collecting intelligence from a specific field of work.

Implications and Security Measures

The attack underscores the need for robust WiFi security and network segmentation. APT28’s ability to exploit physical proximity and dual-home devices highlights the growing sophistication of cyberattacks. Organizations should consider the following measures:

  • Enhance WiFi network encryption and authentication protocols.
  • Implement strict network segmentation to limit lateral movement.
  • Regularly audit devices with dual wired and wireless connections.
  • Monitor for unusual network activity and lateral movements.

APT28’s "nearest neighbor attack" serves as a reminder of the advanced techniques used by state-sponsored hackers. Vigilance, along with layered cybersecurity defenses, is crucial in defending against such sophisticated attacks.

Read more »
Threat Intelligence
Cyber Security FBI Security flaw Tech Firms Threat Intelligence

Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice filed last week is an unusual admission by the federal government regarding the threat posed by phoney emergency data requests, a legal process designed to assist police and federal authorities in obtaining information from firms in order to respond to immediate threats to people's safety or properties.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States often require some form of legal basis to seek and acquire access to private data stored on company laptops. Typically, police must provide sufficient proof of a potential crime before a U.S. court will grant a search warrant authorising them to collect that information from a private corporation. 

Police can issue subpoenas, which do not require a court appearance, requesting that businesses access restricted amounts of information about a user, such as their username, account logins, email addresses, phone numbers, and, in some cases, approximate location. 

There are also emergency requests, which allow police enforcement to gather a person's information from a firm in the event of an immediate threat and there is insufficient time to secure a court order. Federal authorities claim that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass for law enforcement by sending emails to businesses asking for user data using hacked police accounts. False threats, such as allegations of human trafficking and, in one instance, the warning that a person would "suffer greatly or die" until the company in issue returned the requested information, were mentioned in some of the requests.

The FBI claimed that because the hackers had gained access to law enforcement accounts, they were able to create subpoenas that appeared authentic and forced companies to divulge user data, including phone numbers, emails, and usernames. However, the FBI noted that not all fraudulent attempts to submit emergency data demands were successful.
Read more »
Trustwave SpiderLabs
Cyber Threats Cybersecurity JPHP language malware Pronsis Loader Ransomware Spyware stealth malware Threat Intelligence Trustwave SpiderLabs

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads

 

Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP, a variation of the popular PHP programming language, is rarely seen in the world of malware development, especially for desktop applications. While PHP is commonly used for web applications, its adaptation into desktop malware through Pronsis Loader offers cybercriminals an advantage by making it harder to detect.

Pronsis Loader’s use of JPHP helps it bypass conventional detection systems, which often rely on identifying common programming languages in malware. This less common language adds an extra layer of “stealth,” allowing the malware to slip past many security tools. In addition, Pronsis Loader uses advanced obfuscation and encryption to hide during initial infection, silently installing itself by imitating legitimate processes. This stealth tactic hinders both automated and manual detection efforts.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

 Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.







Read more »
Subscribe to: Posts (Atom)