AI-Powered Dark Patterns: What's Up Next?

 

The rapid growth of generative AI (artificial intelligence) highlights how urgent it is to address privacy and ethical issues related to the use of these technologies across a range of sectors. Over the past year, data protection conferences have repeatedly emphasised AI's expanding role in the privacy and data protection domains as well as the pressing necessity for Data Protection Officers (DPOs) to handle the issues it presents for their businesses. 

These issues include the creation of deepfakes and synthetic content that could sway public opinion or threaten specific individuals as well as the public at large, the leakage of sensitive personal information in model outputs, the inherent bias in generative algorithms, and the overestimation of AI capabilities that results in inaccurate output (also known as AI hallucinations), which often refer to real individuals. 

So, what are the AI-driven dark patterns? These are deceptive UI strategies that use AI to influence application users into making decisions that favour the company rather than the user. These designs employ user psychology and behaviour in more sophisticated ways than typical dark patterns. 

Imagine getting a video call from your bank manager (created by a deepfake) informing you of some suspicious activity on your account. The AI customises the call for your individual bank branch, your bank manager's vocal patterns, and even their look, making it quite convincing. This deepfake call could tempt you to disclose sensitive data or click on suspicious links. 

Another alarming example of AI-driven dark patterns may be hostile actors creating highly targeted social media profiles that exploit your child's flaws. The AI can analyse your child's online conduct and create fake friendships or relationships that could trick the child into disclosing personal information or even their location to these people. Thus, the question arises: what can we do now to minimise these ills? How do we prevent future scenarios in which cyber criminals and even ill-intentioned organisations contact us and our loved ones via technologies on which we have come to rely for daily activities? 

Unfortunately, the solution is not simple. Mitigating AI-driven dark patterns necessitates a multifaceted approach that includes consumers, developers, and regulatory organisations. The globally recognised privacy principles of data quality, data collection limitation, purpose specification, use limitation, security, transparency, accountability, and individual participation are universally applicable to all systems that handle personal data, including training algorithms and generative AI. We must now test these principles to discover if they can actually protect us from this new, and often thrilling, technology.

Prevention tips 

First and foremost, we must educate people on AI-driven dark patterns and fraudulent techniques. This can be accomplished through public awareness campaigns, educational tools at all levels of the education system, and the incorporation of warnings into user interfaces, particularly on social media platforms popular with young people. Cigarette firms must disclose the risks of their products, and so should the AI-powered services to which our children are exposed.

We should also look for ways to encourage users, particularly young and vulnerable users, to be critical consumers of information they come across online, especially when dealing with AI systems. In the twenty-first century, our educational systems should train members of society to question (far more) the source and intent of AI-generated content. 

Give the younger generation, and even the older ones, the tools they need to control their data and customise their interactions with AI systems. This might include options that allow users or parents of young users to opt out of AI-powered suggestions or data collection. Governments and regulatory agencies play an important role in establishing clear rules and regulations for AI development and use. The European Union plans to propose its first such law this summer. The long-awaited EU AI Act puts many of these data protection and ethical concerns into action. This is a positive start.

North Korean Hackers Employ macOS Malware to Target Crypto Firms

 

BlueNoroff, a North Korean threat actor, has been attacking crypto firms with a new multistage malware for macOS systems. 

According to the researchers, the campaign is known as Hidden Risk, and it lures victims with emails that include fake data on the current activities in the cryptocurrency market.

The malware employed in these attacks depends on a novel persistence method on macOS that does not generate any alerts on the most recent versions of the operating system, allowing it to bypass detection. 

BlueNoroff is known for cryptocurrency theft and has previously targeted macOS with a malware payload called 'ObjCShellz' that opens remote shells on affected Macs.

Infection chain 

The attacks begin with a phishing email containing crypto-related news and subjects, disguised as if forwarded by a bitcoin influencer to boost credibility. The mail includes a link to a PDF containing the information, but it actually points to the attackers' "delphidigital[.]org" domain. 

According to SentinelLabs experts, the "URL currently serves a benign form of the Bitcoin ETF document with titles that change over time," but it also serves the first step of a malicious application bundle known as 'Hidden Risk Behind New Surge of Bitcoin Price.app'. 

The researchers state that for the Hidden Risk campaign, the threat actor employed an original academic paper from the University of Texas. The first stage is a dropper software signed and notarised with a valid Apple Developer ID, "Avantis Regtech Private Limited (2S8XHJ7948)," which Apple has since revoked. 

When launched, the dropper fetches a decoy PDF from a Google Drive link and opens it in the default PDF viewer to distract the victim. In the background, however, the next-stage payload is downloaded from "matuaner[.]com".

Interestingly, the hackers have effectively circumvented Apple's App Transport Security standards by altering the app's 'Info.plist' file to permit insecure HTTP connections to the attacker-controlled site.
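The post does not say which Info.plist key the dropper changed, so the following added example (not code from SentinelLabs or from this blog) audits an Info.plist for the ATS exception keys Apple documents for allowing cleartext HTTP. The sample plists and the `example.invalid` domain are constructed for illustration.

```python
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

# Documented ATS keys that relax the HTTPS-only default, with a triage severity.
GLOBAL_KEYS = {
    "NSAllowsArbitraryLoads": "high",
    "NSAllowsArbitraryLoadsInWebContent": "medium",
    "NSAllowsArbitraryLoadsForMedia": "medium",
}
DOMAIN_KEY = "NSExceptionAllowsInsecureHTTPLoads"


def audit_ats(plist_bytes):
    """Return (severity, detail) findings for one Info.plist (XML or binary)."""
    try:
        info = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [("error", f"unparseable plist: {type(exc).__name__}")]
    ats = info.get("NSAppTransportSecurity") if isinstance(info, dict) else None
    if not isinstance(ats, dict):
        return []  # no ATS dictionary: the HTTPS-only default applies
    findings = []
    for key, severity in GLOBAL_KEYS.items():
        if ats.get(key) is True:
            findings.append((severity, f"{key} = true"))
    domains = ats.get("NSExceptionDomains")
    if isinstance(domains, dict):
        for domain, opts in sorted(domains.items()):
            if isinstance(opts, dict) and opts.get(DOMAIN_KEY) is True:
                scope = " and subdomains" if opts.get("NSIncludesSubdomains") is True else ""
                findings.append(("medium", f"{DOMAIN_KEY} for {domain}{scope}"))
    return findings


def scan_bundle(app_path):
    """Audit every Info.plist inside an .app bundle (helpers and frameworks too)."""
    results = {}
    for plist in sorted(Path(app_path).rglob("Info.plist")):
        findings = audit_ats(plist.read_bytes())
        if findings:
            results[str(plist)] = findings
    return results


# Constructed samples (not taken from any real application).
SAMPLE_DEFAULT = plistlib.dumps({"CFBundleIdentifier": "com.example.constructed"})
SAMPLE_ARBITRARY = plistlib.dumps({
    "CFBundleIdentifier": "com.example.constructed",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})
SAMPLE_DOMAIN = plistlib.dumps({
    "CFBundleIdentifier": "com.example.constructed",
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "downloads.example.invalid": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSIncludesSubdomains": True,
            }
        }
    },
})

if __name__ == "__main__":
    # Usage: python audit_ats.py /Applications/Some.app
    for path, findings in scan_bundle(sys.argv[1]).items():
        for severity, detail in findings:
            print(f"{severity:6} {path}: {detail}")
```

A hit is a triage signal, not a verdict: legitimate apps also ship ATS exceptions, so review which host the exception covers and whether the app has any reason to contact it.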

The "Hidden Risk" campaign, according to SentinelLabs, has been in operation for the past 12 months or more. It employs a more straightforward phishing strategy that excludes the customary "grooming" on social media that other DPRK hackers partake in. 

In order to get beyond macOS Gatekeeper, the researchers also point out that BlueNoroff has demonstrated a consistent capacity to find new Apple developer accounts and have their payloads notarised.

Check Point Uncovers Pakistan-Linked APT36’s New Malware Targeting Indian Systems

 

Pakistan's APT36 threat outfit has been deploying a new and upgraded version of its core ElizaRAT custom implant in what looks to be an increasing number of successful assaults on Indian government agencies, military entities, and diplomatic missions over the last year. 

Cybersecurity researchers at Check Point Research (CPR) identified that the latest ElizaRAT variant includes new evasion strategies, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it more difficult for defenders to spot the malware.

APT36 has also used a new stealer payload known as ApoloStealer to collect specified file types from compromised systems, retain their metadata, and transport the data to the attacker's C2 server, increasing the risk.

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," stated Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

The threat group's use of legitimate software, living off the land binaries (LoLBins), and lawful C2 communication services such as Telegram, Slack, and Google Drive complicates the situation. According to Shykevich, the adoption of these services has made it much more difficult to monitor malware transmissions in network traffic. 

APT36, which security vendors also track as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard, is a Pakistani threat group that has predominantly targeted Indian government and military entities in intelligence gathering operations since about 2013. Like many other tightly focused threat groups, APT36's attacks have occasionally targeted organisations in other regions, such as Europe, Australia, and the United States.

The threat actor's arsenal now includes tools for infiltrating Android, Windows, and increasingly Linux devices. BlackBerry revealed earlier this year that in an APT36 campaign, ELF binaries (Executable and Linkable Format) accounted for 65% of the group's attacks against Maya OS, a Unix-like operating system created by India's defence ministry as a Windows substitute. Additionally, SentinelOne reported last year that APT36 was spreading the CapraRAT malware on Android devices owned by Indian military and diplomatic personnel by using romantic lures.

ElizaRAT is malware that the threat actor included in their attack kit last September. The malware has been propagated using phishing emails that include links to malicious Control Panel files (CPL) hosted on Google Storage. When a user opens the CPL file, code is executed that starts the malware infection on their device, potentially granting the attacker remote access or control of the system. 

Over the last year, Check Point analysts detected APT36 operators using at least three different versions of ElizaRAT in three consecutive campaigns, all of which targeted Indian businesses. The first was an ElizaRAT variation that utilised Slack channels for C2 infrastructure. APT36 began employing that variation late last year, and approximately a month later began deploying ApoloStealer with it. 

Starting early this year, the threat group began using a dropper component to discreetly drop and unpack a compressed file carrying a new and enhanced version of ElizaRAT. The new variation, like its predecessor, initially checked to see if the machine's time zone was configured to Indian Standard Time before executing and engaging in malicious behaviour.

"Introducing new payloads such as ApoloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR noted in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

Advanced Persistent Teenagers: A Rising Security Threat

 

If you ask some of the field's top cybersecurity executives what their biggest concerns are, you might not expect bored teenagers to come up. However, in recent years, this totally new generation of money-motivated hackers has carried out some of the biggest hacks in history and shows no signs of slowing. 

Meet the "advanced persistent teenagers," as the security community calls them. These are skilled, financially motivated attackers, such as Lapsus$ and Scattered Spider, who have proven capable of breaching hotel companies, casinos, and tech behemoths.

The hackers can deceive unsuspecting employees into giving over their company passwords or network access by using strategies such as believable email lures and convincing phone calls posing as a company's support desk. 

These attacks are extremely effective, have resulted in massive data breaches impacting millions of individuals, and have led to large ransoms being paid to make the hackers vanish. By displaying hacking capabilities previously limited to only a few nation states, the threat from idle teenagers has forced numerous companies to confront the reality that they don't know if the personnel on their networks are who they say they are, and not a sneaky hacker. According to two respected security veterans, has the threat posed by idle teens been understated?

“Maybe not for much longer,” noted Darren Gruber, technical advisor in the Office of Security and Trust at database giant MongoDB, during an onstage panel at TechCrunch Disrupt. “They don’t feel as threatened, they may not be in U.S. jurisdictions, and they tend to be very technical and learn these things in different venues.”

Plus, a key advantage is that these threat groups also have a lot of time on their hands. “It’s a different motivation than the traditional adversaries that enterprises see.” Gruber has dealt with a few of these threats directly. There was no evidence of access to client systems or databases; however, an intrusion at MongoDB at the end of 2023 resulted in the theft of certain metadata, such as customer contact information.

According to Gruber, the attack mirrored Scattered Spider's strategies, and the vulnerability was reportedly minimal. "The attackers posed as employees and used a phishing lure to get into MongoDB's internal network," he claimed.

Stealthy Malware Has Infected Thousands of Linux Systems Since 2021

 

Aqua Security researchers have raised concerns about a newly identified malware family that targets Linux-based machines in order to gain persistent access and control resources for crypto mining. The malware, known as perfctl, is said to exploit over 20,000 different types of misconfigurations and known vulnerabilities and has been active for over three years.

Aqua Security uncovered that perfctl uses a rootkit to hide itself on compromised systems, runs as a service in the background, is only active when the machine is idle, communicates via a Unix socket and Tor, installs a backdoor on the infected server, and attempts to escalate privileges. The malware's handlers have been detected deploying more reconnaissance tools, proxy-jacking software, and a cryptocurrency miner. 

The attack chain begins with the exploitation of a vulnerability or misconfiguration, followed by the deployment and execution of the payload from a remote HTTP server. Next, it copies itself to the temporary directory, terminates the old process, deletes the initial binary, and runs from the new location. 
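The relocation step described above leaves two observable traits on a live host: a process whose executable sits in a temporary directory, and a process whose on-disk binary has been deleted. The following added example (not Aqua Security's tooling) grades processes on those two traits; the sample process rows are constructed, and because the post says perfctl hides itself with a rootkit, the check is best run from trusted tooling rather than relied on alone.

```python
import os

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"  # suffix the kernel appends to /proc/<pid>/exe targets
RANK = {"high": 0, "medium": 1, "low": 2}


def classify(exe_target):
    """Return (in_temp_dir, binary_deleted) for one /proc/<pid>/exe target."""
    deleted = exe_target.endswith(DELETED)
    path = exe_target[: -len(DELETED)] if deleted else exe_target
    return path.startswith(TEMP_DIRS), deleted


def hunt(entries):
    """entries: iterable of (pid, comm, exe_target). Returns flagged rows.

    high   = runs from a temp dir AND its binary was deleted (the chain above)
    medium = runs from a temp dir
    low    = binary deleted only (also seen after ordinary package upgrades)
    """
    flagged = []
    for pid, comm, exe in entries:
        in_temp, deleted = classify(exe)
        if in_temp and deleted:
            severity = "high"
        elif in_temp:
            severity = "medium"
        elif deleted:
            severity = "low"
        else:
            continue
        flagged.append((pid, comm, severity))
    return sorted(flagged, key=lambda row: (RANK[row[2]], row[0]))


def read_proc(root="/proc"):
    """Yield (pid, comm, exe_target) for each readable process on a Linux host."""
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(root, name, "exe"))
            with open(os.path.join(root, name, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # kernel thread, exited process, or no permission
        yield int(name), comm, exe


# Constructed process table for illustration (not from a real incident).
SAMPLE = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (812, "sshd", "/usr/sbin/sshd"),
    (4410, "worker", "/tmp/.cache-x/worker"),
    (4477, "helper", "/tmp/helper (deleted)"),
    (5120, "nginx", "/usr/sbin/nginx (deleted)"),
]

if __name__ == "__main__":
    rows = read_proc() if os.path.isdir("/proc/1") else SAMPLE
    for pid, comm, severity in hunt(rows):
        print(f"{severity:6} pid={pid} comm={comm}")
```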

The payload contains an exploit for CVE-2021-4043, a medium-severity null pointer dereference vulnerability in the open source multimedia framework Gpac, which it uses to get root access. The flaw was recently added to CISA's Known Exploited Vulnerabilities database.

In addition to the cryptominer, the malware was observed copying itself to numerous additional locations on the computers, dropping a rootkit and popular Linux applications modified to function as userland rootkits. It uses a Unix socket to handle local communications and the Tor anonymity network for external command-and-control (C&C). 

"All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defence mechanisms and hinder reverse engineering attempts," the company said. 

Furthermore, the malware monitors specific files and, if a user logs in, it suspends activities to conceal its presence. It also ensures that user-specific configurations are executed in Bash contexts, allowing the server to run normally. 

For persistence, perfctl alters a script such that it is executed before the server's legitimate workload. It also attempts to terminate the processes of any additional malware it detects on the infected machine.

The deployed rootkit hooks into various functions and modifies their functionality, including changes that allow "unauthorised actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behaviour of authentication mechanisms," according to Aqua Security. 

The cybersecurity firm found three download servers linked to the attacks, as well as other websites that were likely hacked by the threat actors, resulting in the finding of artefacts used in the exploitation of vulnerable or misconfigured Linux servers. 

“We identified a very long list of almost 20K directory traversal fuzzing list, seeking for mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration,” the company added.

Healthcare Cybersecurity: Taking a Proactive Route

 

Cyberattacks in healthcare are growing more common and can disrupt an organization's operations. Healthcare organisations handle a lot of sensitive data, including financial information, patient health records, and identifying data, making them prime targets for cybercriminals. 

This vulnerability is exacerbated by the sector's sophisticated systems and the widespread dissemination of electronic health records across networks. Healthcare's economic model, with large volumes and poor margins, makes it particularly susceptible to attacks. 

Furthermore, the stakes are especially high in healthcare, where a breach or hack can have serious ramifications ranging from compromising patient privacy to life-threatening disruptions in medical services. Cybercriminals can shut down a whole healthcare system for weeks or even months, delaying critical patient treatment. They're also employing new tools like generative AI to develop sophisticated and difficult-to-detect cyberattacks. 

In 2023, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received a record 725 reports of large healthcare security breaches. Healthcare security breaches are twice as common as they were seven years ago, with two major breaches recorded each day on average in 2023. Cybercrime expenses (estimated by some to reach $8 trillion by 2025) are anticipated to rise, highlighting the growing financial risks. 

According to Accenture research, leaders across industries recognise the importance of cybersecurity, yet only a tiny minority believe they are adequately equipped to deal with cyberattacks. Healthcare organisations are acutely aware of the changing cyberthreat landscape and are concerned about their ability to prevent or mitigate harm from a cyberattack. 

Changing nature of cyber attacks 

Patient identity theft has long been a common target of hackers in healthcare. However, recent trends indicate a shift towards more complex techniques in which attackers attempt to paralyse operations in order to extract ransoms. Protecting patient data remains critical, and organisations must continue to improve data security and network segmentation to mitigate the risk. However, ensuring the continuity of operations is as critical. 

Online criminals are increasingly targeting healthcare organisations with hacks that encrypt critical operating data and systems, rendering them inaccessible to medical professionals. Interestingly, not all breaches result in instant attacks. Once cybercriminals have gained access to a healthcare system, they can choose when to launch an assault. 

Researchers believe traditional cybersecurity techniques, which mainly focus on perimeter defence, are no longer sufficient given the sophistication of attacks. The healthcare industry requires a more robust strategy. In addition to continuing to work to prevent breaches and secure data, researchers advise healthcare businesses to shift focus to continuity initiatives so that when an assault inevitably occurs, they can restore operations promptly to minimize downtime and disruption.

UK and US Warn of Rising Iranian Spear Phishing Threat

 

The UK’s National Cyber Security Centre (NCSC) collaborated with government agencies across the Atlantic to issue a new alert regarding Iranian cyber-threats last week. 

The security advisory, issued in collaboration with the FBI, US Cyber Command - Cyber National Mission Force (CNMF), and the Department of the Treasury (Treasury), claimed that Iran's Islamic Revolutionary Guard Corps (IRGC) was behind the spear phishing attack.

The campaign is aimed at individuals "with a nexus to Iranian and Middle Eastern affairs," but it is also focused on US political campaigns, with the ultimate goal of expanding its information operations, the advisory stated. Current or former top government officials, think tank personnel, journalists, activists, and lobbyists seem to be potential targets.

Threat actors change their strategies according to the specific target, which could involve impersonating family members, professional contacts, prominent journalists, and/or email providers. The lure may be an interview, an invitation to a conference or embassy event, a speaking engagement, or another political or foreign policy dialogue. 

“The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials,” the report reads. 

“Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors. Victims sometimes gain access to the document but may receive a login error.” 

Prevention tips

The advisory urged readers to be suspicious of unsolicited contact, attempts to send links or files via social media and other online services, email messages flagging alerts for online accounts, emails purporting to be from legitimate services, and shortened links. It also recommended that enterprises:

  • Implement a user training program for phishing awareness.
  • Recommend users only use work emails for official business, always keep software updated, switch on multi-factor authentication, and never click on links or open attachments in unsolicited emails.
  • Recommend that users use advanced protection services and hardware security keys.
  • Switch on anti-phishing and spoofing security features. 
  • Block automatic email forwarding to external addresses.
  • Monitor email servers for changes to configuration and custom rules.

DCRat Malware Propagates via HTML Smuggling

 

Russian-speaking users have been targeted in a new campaign aimed at distributing a commodity trojan known as DCRat (aka DarkCrystal RAT) using HTML smuggling.

This is the first time the malware has been propagated via this technique, which differs from past delivery channels such as hijacked or bogus websites, phishing emails with PDF attachments, or macro-laced Microsoft Excel documents.

"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde stated in an analysis published last week. "The payload can be embedded within the HTML itself or retrieved from a remote resource."

The HTML file, in turn, can be distributed through fraudulent websites or malspam operations. When the file is launched from the victim's web browser, the hidden payload is decrypted and downloaded to the system. The assault subsequently relies on some form of social engineering to persuade the victim to open the malicious payload. 

Netskope claims to have identified HTML pages in Russian that, when opened in a web browser, automatically download a password-protected ZIP bundle to disk in an attempt to avoid discovery. The ZIP payload contains a nested RarSFX package, which eventually leads to the DCRat malware deployment.

DCRat, which was first launched in 2018, can be used as a full-fledged backdoor and can be used with various plugins to expand its capabilities. It can run shell commands, record keystrokes, and exfiltrate data and credentials, among other things. Organisations should check HTTP and HTTPS traffic to verify that systems do not communicate with malicious domains. 

The development comes as Russian businesses have been targeted by a threat cluster known as Stone Wolf, which tried to infect them with Meduza Stealer by sending phishing emails posing as legitimate providers of industrial automation systems.

"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE noted. "By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments."

It also comes after the rise of malicious campaigns that most likely used generative artificial intelligence (GenAI) to write VBScript and JavaScript code used to propagate AsyncRAT via HTML smuggling.

"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security stated. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."

North Korean Hackers Target Energy and Aerospace Industries in Novel Espionage Campaign

 

As per recent findings from Mandiant, companies operating in the energy and aerospace sectors are being targeted by a cyber-espionage campaign that has connections with North Korea.

The outfit behind the campaign, dubbed UNC2970, is most likely linked to North Korea and shares similarities with another Pyongyang-backed threat actor, TEMP.Hermit. Researchers at the Google-owned cybersecurity firm discovered UNC2970's latest campaign in June 2024 and published their findings on Tuesday. 

The group was initially identified in 2021, and it has since targeted victims in the United States, United Kingdom, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. 

According to the research, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for well-known companies. They eventually share a malicious archive that claims to contain a job description in PDF format.

The PDF file can only be read with a trojanized version of SumatraPDF, a legitimate open-source document viewer; the trojanized version installs a backdoor called Mistpen via the Burnbook launcher. Researchers revealed that the attackers modified the open-source code of an older version of SumatraPDF for this campaign, but that the SumatraPDF service itself was not compromised. UNC2970 uses real job description text to target victims, including those employed in critical infrastructure sectors in the United States.

The Mistpen backdoor is a fork of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been upgraded over time with new features, including a network connectivity check, which complicates sample analysis, researchers noted. Although Mandiant does not name the specific victims of this attack, researchers believe the hackers are targeting senior or manager-level employees.

"This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees," researchers stated. "The hackers also tailor their malicious messages to better align with the victim's profile."

Ransomware Actors Refused to Provide Decryptor Even After Receiving Ransom Payment

 

For C-suite executives and security leaders, learning that their organisation has been infiltrated by network attackers, critical systems have been locked down, and data has been compromised, followed by a ransom demand, could be the worst day of their professional life.

But, as some executives whose organisation had been hit by the Hazard ransomware recently discovered, things can get far worse. The decryptor that was provided in exchange for paying the ransom to unlock the encrypted files did not function.

Security researchers did not talk to the victim organization in this case – its executives declined to be interviewed about their experience – hence the specifics remain unknown. 

Still, researchers believe that deciding that paying the criminals was the best way out of the scenario - for concerns regarding customer and employee data privacy, to bring business operations back online, to minimise reputational damage, or simply because there were no backups (oops) - was a painful decision in and of itself. But what if you pay the extortionists and still are unable to recover the files? That's excruciating. 

"Ransomware as a whole is extremely stressful for the victim," stated Mark Lance, ransomware negotiator with GuidePoint Security. "Now in this circumstance, specifically, where they've made the payment and the decryption tools don't work," the stress levels ratcheted up several notches. 

"In this, and in a lot of situations like this one, they're relying heavily on those decryption capabilities working on certain systems so that they can recover operations," Lance added. "So the stress substantially increases because they're like, 'Hey, we made this large ransom payment amount with established terms that said if we paid we're going to get access.'” 

Following its initial failure to decrypt the files, the compromised organisation acquired a new decryptor version from the hackers; however, this also did not work. Following a call from a third party participating in the ransomware discussions, GuidePoint attempted to contact the perpetrators' "technical support" desk but was informed that a new version of the decryptor was required on behalf of the victim.

Whatever the reason, the organisation was unable to access the encrypted files, and the Hazard ransomware gang vanished. Eventually, GuidePoint was able to patch the decryptor binary and then brute-force 16,777,216 potential values until some critical missing bytes in the cryptographic process were discovered, resulting in a functional tool for decrypting the files. It's a good reminder, though, that paying a ransom does not ensure data recovery.

'TIDrone' Cybercriminals Target Taiwan's Drone Makers

 

A previously unknown threat actor with possible ties to Chinese-speaking groups has primarily targeted drone makers in Taiwan as part of a cyber attack operation that started in 2024. Trend Micro is tracking the adversary under the codename TIDRONE, claiming that the activity is espionage-driven due to the emphasis on military-related company chains. 

The specific initial access vector used to penetrate targets is currently unknown, although Trend Micro's study revealed the spread of unique malware such as CXCLNT and CLNTEND using remote desktop tools such as UltraVNC. An interesting feature identified across multiple victims is the use of the same enterprise resource planning (ERP) software, increasing the likelihood of a supply chain attack. 

After that, the attack chains move through three distinct phases that are intended to make it easier to escalate privileges through the use of credential dumping, security evasion by turning off antivirus software that is installed on the hosts, and User Account Control (UAC) bypass. 

Both backdoors are activated by sideloading a rogue DLL using the Microsoft Word application, allowing attackers to collect a wide range of confidential data. CXCLNT includes basic upload and download file capabilities, as well as facilities for removing traces, acquiring victim data such as file listings and device names, and downloading next-stage portable executable (PE) and DLL files for execution. 

CLNTEND, detected in April 2024, is a remote access tool (RAT) that supports a broader range of network communication protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su stated.

CyberVolk Ransomware: A Rising Threat to Global Cybersecurity

 

The Indian hacker outfit CyberVolk, a relatively new player in the cybercrime arena, has made headlines with its sophisticated ransomware. CyberVolk Ransomware, discovered in July 2024, has quickly gained attention for its advanced features and rapid progress. 

The group's most concerning weapon, ‘CyberVolk Ransomware,’ was recently analysed by ThreatMon and is gaining attention from cybersecurity experts due to its sophisticated capabilities and expanding nature. 

CyberVolk debuted in the shadows of the dark web, where it soon established a reputation through a series of successful attacks. The gang, which specialises in a wide range of cybercrimes such as DDoS assaults, data breaches, and website defacements, is known for its aggressive nature, with official accounts on platforms such as Telegram and X. 

Initially, CyberVolk Ransomware encrypted victims' files using the AES method. However, a VirusTotal leak exposed the ransomware's internal workings, leading the attackers to create a far more sophisticated version. This enhanced variant included better cryptographic algorithms like ChaCha20-Poly1305, AES, and even quantum-resistant technology. The changes make it nearly impossible to decrypt without paying the ransom, even for individuals who have quantum computing resources. 

ThreatMon's technical review of CyberVolk Ransomware uncovers numerous unique and concerning features. For example, when executed, the ransomware disables access to vital system utilities such as Task Manager, preventing users from terminating the encryption process. The ransomware encrypts all data within minutes before presenting the victim with a $1,000 ransom demand. Victims are also given a strict deadline: failure to pay within five hours would result in the permanent loss of their data. 

Previous reports said that CyberVolk Ransomware only brought in $2,632, but in the last few months, their earnings have increased dramatically. According to ThreatMon, the group has made over $20,000 through ransomware assaults, indicating an alarming rise in the financial impact of its operations. 

The ransomware outfit poses a serious threat to both individuals and enterprises. It is an imminent threat because of its capacity to proliferate like a worm and its advanced evasion and encryption methods. However, the presence of vulnerabilities in its structure offers hope for effective countermeasures. 

To mitigate the threat of ransomware attacks, cybersecurity specialists suggest regular software updates, robust backup strategies, and cybersecurity hygiene education for employees.

MIT Database Lists Hundreds of AI Dangers Impacting Human Lives

 

Artificial intelligence is present everywhere. If it isn't powering your online search results, it's just a click away with your AI-enabled mouse. If it's not helping you enhance your LinkedIn profile, it's benefiting you at work. As AIs become more intelligent, outspoken voices warn of the technology's potential risks. 

These range from literally replacing you at your job to even more terrifying end-of-the-world circumstances. The Massachusetts Institute of Technology is aware of these competing currents and has compiled a list of the ways it believes AI might pose challenges. 

AI threats

In an article supporting the research, MIT summarised the several ways AI could endanger society. Humans outperform artificial intelligence. Kind of. While 51% of the threats were attributed directly to AIs, 34% originated with humans using AI technology--there are some evil individuals out there, remember. 

However, approximately two thirds of the risks were identified after an AI had been trained and deployed, compared to 10% before that point. This provides significant support to AI regulatory initiatives, as it coincides with the announcement that OpenAI and Anthropic would submit their new, smartest AIs to the US AI Safety Institute for testing before releasing them to the public. 

So, what are the AI risks? A quick search of the database reveals some alarming category types. One scenario involves AI harm emerging as a "side effect of a primary goal like profit or influence," in which AI makers "wilfully allow it to cause widespread social damage like pollution, resource depletion, mental illness, misinformation, or injustice." Similarly, additional side effects occur when "one or more criminal entities" construct an AI to "intentionally inflict harm, such as for terrorism or combating law enforcement." 

Other threats that MIT has identified feel more in line with current news reports, especially with regard to election misinformation, even though these seem more suited for science fiction dystopias: AIs could be harmful when "extensive data collection" in the models "brings toxic content and stereotypical bias into the training data." 

One of the other concerns is that AI systems have the potential to become "very invasive of people's privacy, controlling, for instance, the length of someone's last romantic relationship." This is a type of soft power control where society is steered by small adjustments; it is similar to some of the concerns raised by US authorities on the possible impact of TikTok's algorithm.

Three Cyber Extortion Schemes Attackers Can Employ Against You

 

Cybercriminals appear to have an infinite repertoire of strategies at their disposal when it comes to forcefully extracting financial information from victims. They prefer specific methods over others, and extortion is one of them. 

Keep in mind that blackmailers will not just use one trick, but will use various types of extortion to force their victims to do their bidding, whether it is paying them a significant sum of money or performing tasks on their behalf.

Hack and extort

The term is rather self-explanatory, but to be sure, the extortionist will access your device or online accounts, search your files for any sensitive or valuable data, and steal it. Although it may resemble ransomware in some ways, the breaking and entering of your system is done manually, and the cybercriminal has to dedicate time and resources to doing so.

That is, unless your password was compromised in a large-scale data breach, in which case the effort required is negligible. The successfully targeted individual is then sent an email in which the criminal attempts to force the intended victim into paying by threatening to expose this data and listing examples for added effect. To safeguard yourself, try encrypting your data and adequately protecting all of your accounts with a strong passphrase, as well as enabling two-factor authentication whenever possible. 

Sextortion

Sextortion is precisely what it sounds like: extortion carried out with the threat of exposing sexual material about the target. Sextortionists might approach the practice in a variety of ways. It may begin as an apparent romantic dalliance through a dating platform, which continues until the criminal gains the victim's trust and persuades them to switch from the dating platform to a regular messaging service. 

This is done in order to prevent setting off the security measures that dating apps employ to identify possible con artists. After the victim leaves the dating site, the criminal will attempt to persuade them to share some explicit or risqué images or videos, which will then be used as leverage in a blackmail campaign. As an alternative, hackers can opt to break into a victim's computer and take control of their webcam in order to secretly monitor and even record explicit images or videos of them; American model and former Miss Teen USA Cassidy Wolf was a victim of such sextortion. 

Sending risqué images to anyone is not advisable. Even if you trust someone, you can't rule out the possibility that their devices or accounts have been compromised, sensitive images have been exposed, or that your current level of trust in them has changed or is otherwise wrong. To mitigate your risks of getting hacked, keep your gadgets patched and updated, and utilise a respected security solution.

DDoS extortion 

Cybercriminals frequently use distributed denial of service (DDoS) attacks on enterprises in an attempt to completely disable their target's capacity to offer services. They frequently post their services on DDoS-for-hire marketplaces in an effort to increase their illicit revenue. Threat actors use a large number of machines arranged into a botnet to bombard a target with requests during these attacks. 

The goal is to overwhelm the target's systems to the point where they fail, taking them offline. Attacker scans can cause this to continue for days at a time, costing some businesses hundreds of thousands of dollars in lost sales. For instance, a cybercrime collective posing as well-known hacking groups recently threatened to use DDoS assaults against multiple organisations unless they paid ransoms ranging from US$57,000 to US$227,000. 

Setting up a firewall to deny access to all unauthorised IP addresses and enrolling with a DDoS mitigation provider are just a few steps you can take to defend yourself from DDoS extortion attempts.

BlackByte Ransomware Outfit is Targeting More Orgs Than Previously Known

 

Researchers from Cisco have discovered that the BlackByte ransomware group is only disclosing a small portion of its successful attacks on its leak site this year. Talos, the company's cybersecurity department, believes the gang is creating extortion posts for only 20% to 30% of its successful attacks. 

The study of the ransomware outfit's leak site shows it posted 41 victims in 2023 but only three so far in 2024. BlackByte has been extremely active this year, but it's unclear why the group hasn't posted any further leaks. 

BlackByte has carried out high-profile assaults on local governments in Newburgh, New York, and Augusta, Georgia, as well as organisations such as the San Francisco 49ers and Yamaha. 

Researchers from Cisco Talos claimed that their involvement in a number of recent incident response investigations showed how quickly the organisation is evolving and how often it leads the way in exploiting vulnerabilities such as CVE-2024-37085, an ESXi software problem that Microsoft brought to light last month.

“Talos IR observed the threat actor leveraging this vulnerability, which initially received limited attention from the security community, within days of its publication,” the researchers stated. “This highlights the speed with which ransomware groups like BlackByte can adapt their [tactics, techniques and procedures] to incorporate newly disclosed vulnerabilities, and the level of time and effort put into identifying potential avenues for advancing an attack.” 

The analysts believe the ransomware-as-a-service (RaaS) gang is an offshoot of the now-defunct Conti operation, which appeared in late 2021. According to Cisco Talos, BlackByte has a history of searching for and exploiting public-facing vulnerabilities. However, the RaaS model's flexibility "allows threat actors to quickly counter new defensive strategies developed by cybersecurity experts by iterating and updating its tooling." 

Callie Guenther, a Critical Start cyberthreat researcher, stated that the exploitation of CVE-2024-37085 was notable since it targeted VMware ESXi hypervisors, which allow servers to operate many virtual machines and efficiently distribute computing resources. The focus on ESXi hypervisors by ransomware outfits such as BlackByte is especially troubling because the technology is often vital for firms' IT infrastructure and critical business applications.

“The adoption of the CVE-2024-37085 vulnerability by BlackByte signals an understanding of the value in targeting these systems, as they offer a high return on investment for the attackers in terms of potential ransom payouts,” she added.

Cyber Security: A Rising Threat to Australia’s Renewable Energy Campaign

 

Australia is striving to become a more energy-efficient nation. The Australian Renewable Energy Agency recently announced a $100 million effort to research and develop solar energy technologies. Further investments in energy storage, pumped hydro, and low-carbon systems may be equally substantial. 

However, the nation must also address an underlying issue: the integration of solid IT and software foundations into the OT systems that power the grids. Without these, Australia may struggle to fully meet its renewable energy goals.

Combination of IT and OT

OT refers to software and hardware that identifies or creates changes in the enterprise by directly monitoring and controlling physical devices, processes, and events. IT refers to the use of systems, particularly computers and telecommunications, to store, retrieve, and transmit information. 

Traditionally, these two types of technology have been kept segregated and controlled separately. However, the combination of OT and IT is critical for the modernisation of energy networks. According to IBM, the integration must be effective in four areas: 

Smart meters: These detect energy usage in real time at the consumer's end, delivering comprehensive consumption patterns to both the consumer and the energy provider. 

Sensors and automation devices: These are used across the grid to monitor voltage, current, and load capacity, among other metrics. They can automatically alter parameters to avoid overloads and long-term, large-scale outages.

Communication networks: As the backbone of any smart grid, communication networks enable data transmission between diverse components such as sensors, automated devices, and control centres. Transmission systems can be wired or wireless, and can use a variety of protocols and communication technologies, including Wi-Fi, Z-Wave, Zigbee, and 4G/5G. 

Software and analytics: Smart grids generate vast volumes of data. Utility companies use complex software and analytics technologies to handle, analyse, and interpret this data. This software, and the data it gives, can assist providers in predicting demand patterns, identifying potential concerns, and optimising the distribution network. 

Cyber threats 

Australia is at serious risk of facing cyber threats via OT technology, which will have an impact on the country's renewable energy aspirations. With 82% of organisations suffering cyber attacks via OT systems, there is an increasing risk being brought into Australia's electricity grid as it digitalises.

The country is also becoming more reliant on a highly decentralised energy approach, which increases the attack surface significantly. Rooftop solar, for example, consists of solar panels installed on individual homes and businesses that are then connected to the grid via IoT devices, software, and digital technologies. This has contributed to 40% of Australia's energy being supplied by renewable sources. 

Need to increase investment 

For Australia to sustainably harness renewable energy, it must lay solid IT foundations. The Australian Energy Sector Cyber Security Framework is a positive regulatory step that builds on successful frameworks like the U.S. Department of Energy's Electricity Subsector Cybersecurity Capability Maturity Model and aligns it with Australian-specific control references like the ACSC Essential 8. 

However, the IT channel, which includes IT professionals and service providers, as well as IT experts, must bring the skills and expertise required to manage and protect integrated energy systems. This includes knowing the particular issues of OT environments as well as how to effectively implement IT solutions. This strategy can help Australia achieve a renewable energy transition that is both successful and secure against an increasing number of cyber threats.

Are We Ready For The Next Major Global IT Outage? Here's All You Need to Know

 

Last Friday, a glitch at a tech firm led to a global disruption impacting cross-sector activities. Hospitals, health clinics, and banks were impacted; airlines grounded their planes; broadcasting firms were unable to broadcast (Sky News went off the air); emergency numbers such as 911 in the United States were unavailable; and MDA experienced several troubles in Israel. 

This incident had a significant impact in the United States, Australia, and Europe. Critical infrastructure and many corporate operations were brought to a halt. In Israel, citizens instantly linked the incident to warfare, namely the UAV that arrived from Yemen and exploded in Tel Aviv, presuming that Iran was attacking in the cyber dimension. 

What exactly happened? 

CrowdStrike, an American firm based in Texas that provides a cybersecurity protection system deployed in several companies across the world, announced on Friday morning that there was a glitch with the most recent version of their system given to customers. The issue caused Microsoft's operating system, Windows, not to load, resulting in a blue screen. As a result, any organisational systems that were installed and based on that operating system failed to load. In other words, the organisation had been paralysed. 

But the trouble didn't end there. During the company's repair actions, hackers "jumped on the bandwagon," impersonating staff members and giving instructions that essentially involved installing malicious code into the company and erasing its databases. This was the second part of the incident. 

Importance of risk management 

Risk management is an organisational discipline. Within risk management processes, the organisation finds out and maps the threat and vulnerability portfolio in its activities, while also developing effective responses and controls to threats and risks. Threats can be "internal," such as an employee's human error, embezzlement, or a technical failure in a computer or server. Threats can also arise "externally" to the organisation, such as consumer or supplier fraud, a cyberattack, geopolitical threats in general, particularly war, or a pandemic, fire, or earthquake. 

It appears that the world has become far more global and technological than humans like to imagine or believe. And, certainly, a keyboard error made by one individual in one organisation can have global consequences, affecting all of our daily lives. This is the fact, and we should recognise it as soon as possible and start preparing for future incidents through systematic risk management methods.

Dark Web Intel Underutilized by CISOs, Diminishing Healthcare Industry

 

The healthcare industry faces challenges in keeping up with the rapidly evolving healthcare cybersecurity landscape. This is due in part to CISOs failing to make use of dark web intelligence, which leaves the industry with a weaker cyber posture than other sectors. Only 57% of healthcare CISOs have included dark web intelligence in their plans, according to a Searchlight Cyber Report. 

Researchers highlighted that the dark web acts as a hub for cybercriminal activity, with marketplaces for buying and selling malware, exploits, and stolen data. It also provides a forum for threat actors to share skills and discuss strategies. Furthermore, criminals use the dark web to host ransomware leak sites, threatening to reveal stolen data unless a ransom is paid. 

Collecting threat intelligence, pre-attack intelligence, and data from the dark web can help many organisations enhance their cybersecurity posture. This method, known as the "pre-attack phase," allows businesses to detect and mitigate cybersecurity risks before they enter their network. 

A poll titled "Proactive Defence: How Enterprises Are Using Dark Web Intelligence," performed between November 18, 2022, and January 16, 2023, gathered responses from 1,008 CISOs representing large enterprises with revenue in excess of $200 million and more than 2,000 employees. 

While the financial sector leads in the adoption of dark web intelligence, with 85 percent of organisations acquiring it, the healthcare industry lags behind. According to survey results, healthcare CISOs are 20 percentage points behind other industries in gathering data from the dark web, which is harming their cybersecurity posture. Most CISOs in the United States are confident in their ability to comprehend their adversaries' profiles. 

Specifically, 85 percent of US CISOs expressed confidence, while 80 percent of US firms reported acquiring threat intelligence. While researchers see this high level of dark web data awareness and uptake as promising, significant sector differences persist. The healthcare sector has demonstrated a lack of confidence in knowing the profiles of potential adversaries.

Researchers identified that, compared to the industry average of 77 percent, just 60 percent of healthcare CISOs feel confident in understanding their adversaries’ characteristics. A lack of awareness of data intelligence can limit their ability to detect and neutralise legitimate threats before they enter the network. 

In contrast, industries such as manufacturing, financial services, and professional services report higher security postures. Because of increased use of threat intelligence and dark web monitoring, these industries are more confident in recognising and responding to possible threats. 

Every week, millions of dollars in ransoms and protected health information (PHI) are stolen from secure systems and made available on the dark web. This regrettable pattern reveals the tragic fate of many exfiltrated patient data records, emphasising the critical need for the healthcare industry to address its security vulnerabilities and knowledge gaps.

The Vital Role of Ethical Hacking in Cyber Security

 

The possibility of cyber attacks is a major issue, with the global average cost of a data breach expected to reach $4.45 million in 2023, a 15% increase over the previous three years, according to an IBM analysis. This stark figure highlights the growing financial and reputational threats companies face, emphasising the importance of ethical hacking in an increasingly interconnected world. 

Ethical hackers are the first line of defence, utilising their knowledge to replicate cyber attacks under controlled conditions. These individuals play an important role in averting potentially disastrous data breaches, financial loss, and reputational harm caused by cyber attacks by proactively fixing security vulnerabilities before they are exploited. 

This article explores the importance of ethical hacking, the tactics used by ethical hackers, and how to pursue a career in this vital sector of cyber security. 

What is ethical hacking? 

Ethical hacking, commonly referred to as penetration testing or white-hat hacking, is a technique for testing computer systems, networks, or online applications for security flaws. Unlike criminal hackers, who attempt to make money from vulnerabilities, ethical hackers utilise their expertise to uncover and patch them before they are exploited. 

They utilise their expertise with authorization, hoping to improve security posture before a real hacker exploits vulnerabilities. This preemptive strike against possible breaches is an important part of modern cyber security tactics and a technique of protecting against the most dangerous cyber security threats. Ethical hacking adheres to a fixed code of ethics and legal restrictions. 

Ethical hackers must have clear permission to explore systems and ensure that their actions do not stray into illegal territory. Respect for privacy, data integrity, and the lawful exploitation of uncovered vulnerabilities is critical. 

Methodologies of Ethical Hacking 

Ethical hackers employ a variety of methodologies to assess the security of information systems. These include: 

Risk assessment: Scanning systems and networks to identify known vulnerabilities. 

Penetration testing: Simulating cyber attacks to evaluate the effectiveness of security measures. 

Social engineering: Testing the human element of security through phishing simulations and other tactics. 

Security auditing: Examining the adherence of systems and policies to security standards and best practices. 

Process of ethical hacking

Step 1: Reconnaissance – The ethical hacker collects as much information about the target system or network as possible, utilising sources such as WHOIS databases, search engines, and social media to obtain publicly available information. 
 
Step 2: Scanning – They look for live hosts, open ports, services running on those hosts, and vulnerabilities connected with them. Nmap may be used to scan ports, while Nessus or OpenVAS can be used to check for vulnerabilities that can be exploited. 

Step 3: Gaining Access – They use the identified vulnerabilities to gain unauthorised access to the system or network. Metasploit is commonly used to exploit vulnerabilities. Other tools include SQL injection tools for database attacks, as well as password cracking programmes such as John the Ripper or Hydra. 

Step 4: Maintaining Access – Ensure continued access to the target for further exploration and analysis without being detected. Tools like backdoors and trojans are used to maintain access, operating stealthily to avoid detection by security systems.

Step 5: Covering Tracks – Delete evidence of the hacking process to avoid detection by system administrators or security software. This involves log tampering and the use of tools to clear or modify entries in system logs. Tools such as CCleaner can also be used to erase footprints.