Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label URL. Show all posts
Yahoo
Astaroth Phishing Authentication Cyber Attacks CyberCrime Cybersecurity CyberThreat Dark Web Gmail PHaas Telegram URL Yahoo

2FA Under Attack as Astaroth Phishing Kit Spreads

 


Astaroth is the latest phishing tool discovered by cybercriminals. It has advanced capabilities that allow it to circumvent security measures such as two-factor authentication (2FA) when used against it. In January 2025, Astaroth made its public debut across multiple platforms, including Gmail, Yahoo, and Office 365, with sophisticated technologies such as session hijacking and real-time credentials interceptions, which compromise user accounts across multiple platforms. 

SlashNext researchers claim Astaroth makes use of a reverse proxy called an evilginx-style proxy to place itself between legitimate login pages and users. As a result, the tool is capable of intercepting and capturing sensitive credentials, such as usernames, passwords, 2FA tokens, and session cookies, without triggering security alerts, thereby making the tool effective. 

It has been demonstrated that attackers who have obtained these session cookies will be able to hijack authenticated sessions, bypass additional security protocols, and gain unauthorized access to user accounts once they have acquired these cookies. Astaroth demonstrates the evolution of cyber threats and the sophistication of phishing techniques that compromise online security. This development highlights how cybercriminals have been evolving their methods of phishing over the years.

Clearly, Astaroth highlights how cybercriminals' tactics have evolved over the last decade, as phishing has evolved into a lucrative business. The sophistication of sophisticated attacks has now reached a point where it is now marketed like commercial software products, with regular updates, customer support, and testing guarantees attached to them. 

The attacker can intercept real-time credentials and use reverse proxy techniques in order to hijack authenticated sessions in order to bypass even the most robust phishing defences, such as Multi Factor Authentication (MFA), which are designed to protect against phishing attacks. Due to the widespread availability of phishing kits such as Astaroth, which significantly reduces the barrier to entry, less experienced cybercriminals are now capable of conducting highly effective attacks given that the barriers to entry have been significantly lowered. 

The key to mitigating these threats is to adopt a comprehensive, multilayered security strategy that is both comprehensive and multifaceted. It must have a password manager, endpoint security controls, real-time threat monitoring, and ongoing employee training to ensure that employees are aware of cybersecurity threats in real time. 

As an additional consideration, implementing Privillege Access Management (PAM) is equally vital, since it prevents unauthorized access to critical systems, even if login credentials are compromised, through the use of PAM. Business owners remain vulnerable to increasingly sophisticated phishing techniques that can circumvent the traditional defenses of their organisations without appropriate proactive security measures. 

The Astaroth phishing kit has been developed to enable a more effective method of bypassing multi-factor authentication (MFA). By using an evilginx reverse proxy, it intercepts authentication processes in real time as they are happening. By using Astaroth, attackers will be able to steal authenticated sessions and hack them seamlessly with no technical knowledge. Astaroth is different from traditional phishing tools, which capture only static credentials; instead, it dynamically retrieves authorization tokens, 2FA tokens, and session cookies. This tool is a man-in-the-middle attack that renders conventional anti-phishing defenses and multi-factor authentication protections ineffective by acting as an intermediary. 

Discovered by SlashNext Threat Researchers on cybercrime marketplaces, Astaroth is marketed as a tool that can be used easily. It is a 2-in-1 solution that sells for $2000 and includes six months of continuous updates, which includes the newest bypass techniques, as well as pre-purchase testing to demonstrate its effectiveness in real-world attacks if the buyer wants to establish credibility within cybercriminal networks. There is no doubt that the sophistication of phishing kits such as Astaroth, as well as the implementation of behaviour-based authentication, endpoint security controls, and continuous threat monitoring, are critical to organizations in order to defend themselves from these ever-evolving cyber threats that are continually evolving. 

As a means of expanding the company's customer base, Astaroth's developers have publicly revealed the methodologies they use to bypass security measures, such as reCAPTCHA or BotGuard, as a way of demonstrating the kit's effectiveness at circumventing automatic security measures. Cybercriminals in cybercrime forums and underground marketplaces are actively promoting Astaroth among their communities and are primarily distributing it through Telegram, leading to its widespread adoption among cybercriminals world-wide. 

There are several advantages to using these platforms, the most important of which is their accessibility, along with the anonymity they provide. This makes monitoring, tracking, and disrupting the sale and distribution of phishing kits very challenging for law enforcement agencies. There is a particular application known as Telegram which is commonly used by cybercriminals to communicate and to distribute their illicit activities due to its end-to-end encryption, private groups, and minimal oversight. This makes it very difficult for law enforcement to trace illicit activities on Telegram. 

It may not only facilitate the proliferation of Astaroth on the dark web, but also on underground marketplaces - both of which allow threat actors to engage in peer-to-peer transactions without disclosing their identities to each other. The fact that these platforms are decentralized, along with the fact that cryptocurrency payments are used in conjunction with them, adds more layers of protection for cybercriminals, making it even more difficult for authorities to take enforcement action against them. Astaroth continue to be embraced by cybercriminal communities and is lowering the barrier to entry for less-experienced attackers, which in turn is promoting phishing-as-a-service (PhaaS) models which are becoming more prevalent as a consequence. 

Due to the complexities posed by sophisticated phishing kits like Astaroth, security professionals emphasize the need for proactive security measures, which include real-time threat intelligence, endpoint detection, and multi-layered authentication strategies, as well as real-time threat intelligence. Aside from offering custom hosting solutions, Astaroth also offers bulletproof hosting, which will make Astaroth more resilient against legal authorities’ efforts to take down its websites. 

Cybercriminals are able to conduct attacks with minimal disruption in jurisdictions with weak regulatory oversight when using the phishing kit since it operates in jurisdictions that lack regulatory oversight. As a Field CTO of SlashNext, J Stephen Kowski believes that the emergence of Astaroth with regards to authentication is one of the most important implication that could be borne out by the fact that even the most robust authentication systems can be compromised if the attackers obtain the two-factor authentication (2FA) codes and session information during the authentication process in real time. 

Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, has emphasized the sophistication and severity of the Astaroth phishing kit. According to Richards, this phishing kit demonstrates an advanced level of complexity, making it increasingly difficult for users to identify and avoid such attacks. "Traditional security awareness training often instructs users to recognize phishing attempts by looking for red flags such as suspicious URLs, grammatical errors, or lack of SSL certification. 

However, Astaroth’s highly sophisticated approach significantly reduces these indicators, making detection far more challenging," Richards stated. Furthermore, the infrastructure supporting these attacks is often hosted by providers that do not cooperate with law enforcement agencies, complicating efforts to dismantle these operations. In response to this growing threat, the United States and several European nations have imposed sanctions on countries that provide bulletproof hosting services, which are frequently exploited by cybercriminals to evade legal action. 

Richards advises users to exercise extreme caution when receiving emails that appear to originate from legitimate organizations and contain urgent requests for immediate action. Rather than clicking on embedded links, users should manually navigate to the official website to verify the authenticity of any alerts or account-related issues. This proactive approach is essential in mitigating the risks posed by advanced phishing campaigns like Astaroth. 

Organizations must implement advanced security measures beyond traditional login protections in order to protect themselves from these threats. According to Thomas Richards, a Principal Consultant and Network and Red Team Practice Director for Black Duck, a Burlington-based company that provides applications security solutions, Astaroth's phishing kit is sophisticated and quite severe. As Richards points out, this phishing kit shows a remarkable degree of complexity, which makes it increasingly difficult for users to identify and avoid attacks such as these as they run across them. 

It has always been taught to users during traditional security awareness training to look for red flags, such as suspicious URLs, grammatical errors, or a lack of SSL certification, so they can identify phishing attempts. Although these indicators are largely reduced by Astaroth's highly sophisticated approach, Richards noted that the detection of them is much more challenging as a result. The infrastructure that supports these malicious attacks is typically hosted by providers who do not cooperate with law enforcement agencies, which complicates the process of dismantling these attacks.

Several European countries and the United States have increased sanctions in response to its growing threat, increasing the chance that these countries (including the United States) will use defenseless host hosting services, which are regularly exploited by cybercriminals to avoid legal action and avoid repercussions for their crimes. 

The American scientist Richards urges users to exercise extreme caution if they receive an email that appears to be coming from a legitimate organization and contains urgent requests for action that need to be taken immediately. As a precaution, users should not click on embedded links in emails, but instead should visit the official site to verify the authenticity of any alerts they receive or account-related issues. Taking a proactive approach effectively mitigates the threats posed by advanced phishing campaigns such as Astaroth.
Read more »
URL
CloudFlare Cyber Attacks CyberCrime CyberThreat Phishing URL R2 URL

Phishing URL Blocking Failure Leads to Cloudflare Service Disruptions

 


Yesterday, Cloudflare attempted to block an unintentional phishing URL within its R2 object storage platform, causing an outage that affected multiple services for nearly an hour. The outage was caused by an attempt to prevent spammers from accessing the URL. Its scalable and cost-efficient object storage service is comparable to Amazon's S3 and offers seamless integration into Cloudflare's ecosystem. 

As an S3-compatible storage service, the platform enables users to store their data across multiple locations, ensures data availability and reliability, and offers cost-free data retrievals, ensuring users can access their data without worries. A Cloudflare employee responded to an abuse report regarding a phishing URL hosted on its R2 platform, which caused the outage which occurred during the blackout. 

Inadvertently, the employee disabled the entire R2 Gateway service instead of restricting access to the specific endpoint, resulting in a significant service disruption. To prevent phishing URLs on the R2 platform, it accidentally resulted in a widespread outage of several Cloudflare services for almost an hour due to an attempt to block a phishing URL on the platform. 

Object storage solution Cloudflare R2 is no-egress-fee and has the same functionality as Amazon S3 and enables free data retrieval as well as S3 compatibility, replication, and seamless integration with other Cloudflare services to ensure efficiency and scalability in the storage of objects. In the incident which occurred late last week, Cloudflare employees responded to a complaint regarding a phishing URL hosted on the R2 platform.

However, the mitigation attempt resulted in an unintended disruption of service availability, which negatively impacted the operations of the platform. In the primary incident window of Cloudflare R2, all users were experiencing 100% failure rates when accessing their buckets and objects within the platform. Specifically, services that relied on R2 were experiencing higher error rates and operational failures as a result of their particular usage of the platform, as explained in the table below. 

Cloudflare R2 Object Storage and several related services were affected by an incident which took place from 08:10 to 09:09 UTC and lasted for 59 minutes. As a result of the impacted service failures, Stream experienced an entirely complete failure in video uploads and streaming, whereas Images experienced a 100% failure rate in uploads and downloads of images. During the week, Cache Reserve was completely down, raising origin requests to an all-time high. 

It has been observed that Vectorize experienced 75% failure rates for queries and failed to accomplish inserts, upserts, and deletes. It also experienced a 100% failure rate for insert, upsert, and delete operations. Log Delivery suffered delays and data loss, with up to 13.6% of all logs for R2-related jobs and up to 4.5% for non-R2 delivery jobs. Furthermore, the Key Transparency Auditor's signature publishing and reading operations were completely inoperable. Several other services were indirectly affected, experiencing partial disruptions, but they were not directly impacted. 

The error rates at Durable Objects increased by 0.9% following a service restoration due to reconnections, whereas Cache Purge experienced 1.8% more HTTP 5xx errors, as well as a tenfold increase in latency, as well as Workers & Pages experiencing a deployment failure rate of 0.002%, which was specifically affecting R2 projects only. As a consequence of the outage, all operations involving the R2 platform failed between 08:14 UTC and 09:13 UTC, meaning that 100% of operations involving R2 encountered errors. 

Services reliant on the R2 platform also saw an increase in the failure rate for operations that depend on it. During the period between 09:13 and 09:36 UTC, when R2 systems had recovered, and client connections had been restored, a backlog of requests caused a temporary increase in the operational load on the metadata layer of R2 based on Durable Objects. In North America, it was observed that there was only a 0.09% increase in error rates observed during this period, indicating that the impact was less severe. 

According to CloudFlare, the incident was primarily caused by human error and the absence of critical safeguards, such as validation checks for high-impact actions. The company has taken immediate corrective measures in response to the issue. These include removing the capability of disabling systems from the abuse review interface and limiting access to the Admin API so that internal accounts can no longer shut down services. 

Cloudflare's provisioning processes will be improved to reduce the risk of recurrence in the future, and stricter access controls will be enforced further to mitigate the risk of repeat incidents in the future. Additionally, two-party approval systems will be implemented for high-risk actions to further mitigate risk. The measures are intended to ensure the integrity of the system and prevent unintended interruptions of service as a result of these actions.
Read more »
Web Community
Cyber Attacks CyberCrime Cybersecurity efvt Malware attacks Microsoft Office Netskope Phishing Attacks QR code Quishing Quishing Campaign URL Web Community

Quishing Scams Exploit Microsoft Sway Platform

 


It has been discovered that a new phishing campaign is being run using Microsoft Sway, which has been found by researchers. A series of attacks have been called the "Quishing" campaign to describe what is happening. The practice of "squishing" is a form of phishing that uses QR codes to lead people to malicious websites. An example of Quishing is embedding malicious URLs into a QR code to commit phishing. 

A few groups of victims in Asia and North America are primarily focusing on the campaign. In late December, researchers noticed that an unexpected spike in traffic to unique Microsoft Sway phishing pages arose as a result of a campaign called "quishing," which targeted Microsoft Office credentials.  As defined by Netskope Threat Labs, quishing is essentially phishing to trick users into opening malicious pages by presenting them with QR codes, which are commonly used in many forms of phishing. 

According to a spokesperson for the campaign, the campaign mainly targets victims in Asia and North America, across multiple industries such as the technology, manufacturing, and finance sectors. A researcher from the University of California, Davis, reported that "attackers instruct their victims to scan QR codes with their mobile devices, in the hope that these portable devices do not possess the strict security measures found on corporate-issued devices," according to an article written by the researchers. 

This QR phishing campaign utilizes two techniques that have been discussed in previous articles: transparent phishing in conjunction with Cloudflare Turnstile" Those who operate phishing websites use Cloudflare Turnstile to ensure that their malicious websites are protected from static analysis tools so that they can hide their malicious payloads, prevent web filtering providers from blocking their domains, and maintain a clean reputation among the web community. 

This is known as an attack-in-the-middle phishing technique, which is more sophisticated than traditional phishing techniques. The attackers not only attempt to gain access to the victims' credentials but also attempt to log them into the legitimate service using those credentials, bypassing multi-factor authentication, so they can steal sensitive tokens or cookies which can be used to gain further unauthorized access to the system. 

This is a massive QR code phishing campaign, which abused Microsoft Sway, a cloud-based tool for creating presentations online, to create landing pages that scammed Microsoft 365 users into handing over their credentials in exchange for money. According to Netskope Threat Labs, these attacks were spotted in July 2024 after detecting an increase of 2,000-fold in attacks exploiting Microsoft Sway to host phishing pages that allegedly steal access credentials for Microsoft 365 accounts. 

Interestingly, this surge of activity dates back to the first half of the year when minimal activity was reported. So, it comes as no surprise that this campaign has been so widespread. Essentially, they were interested in targeting users in Asia and North America, concentrating primarily on the technology, manufacturing, and finance sectors, which were the most likely to present themselves to them. A free application, called Sway, is available in Microsoft 365 for anyone with a Microsoft account who has a Microsoft account. 

Attackers, however, utilize this open access as an opportunity to fool users by misrepresenting them as legitimate cloud applications, thus defrauding them of the money they are paid to use them. Furthermore, Sway is accessed once an individual logs into their Microsoft 365 account, adding a layer of legitimacy to the attack, since it is accessible once the victim has already logged into the account, thus increasing the chances of them opening malicious links. 

Netskope Threat Labs identified a new QR code phishing campaign in July 2024, marking a significant development in cyber threats. This campaign primarily targets victims in Asia and North America, affecting various sectors, including manufacturing, technology, and finance. Cybercriminals employ diverse sharing methods, such as email, links, and social media platforms like Twitter, to direct users to phishing pages hosted on the sway. cloud.Microsoft domain. 

Once on these pages, victims are prompted to scan QR codes that subsequently lead them to malicious websites. Microsoft Sway, a platform known for its versatility, has been exploited in the past for phishing activities. Notably, five years ago, the PerSwaysion phishing campaign leveraged Microsoft Sway to target Office 365 login credentials. This campaign, driven by a phishing kit offered through a malware-as-a-service (MaaS) operation, was uncovered by Group-IB security researchers.

The attacks deceived at least 156 high-ranking individuals within small and medium-sized financial services companies, law firms, and real estate groups. The compromised accounts included those of executives, presidents, and managing directors across the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore. This escalation in phishing tactics highlights the ongoing battle between cybercriminals and cybersecurity professionals, where each defensive measure is met with a corresponding offensive innovation. 

The need for a comprehensive approach to cybersecurity has never been more apparent, as malicious actors continue to exploit seemingly innocuous technologies for nefarious purposes. With the rising popularity of Unicode QR code phishing techniques, security experts emphasize the importance of enhancing detection capabilities to analyze not just images but also text-based codes and other unconventional formats used to deceive users and infiltrate systems. This sophisticated phishing method underscores the continuous vigilance required to safeguard digital environments against increasingly cunning cyber threats.
Read more »
URL
APT Cyber Attacks fake Iranian Malicious Camapign Proofpoint Threat actor URL

Iranian Threat Actor TA453 Targets Jewish Figure with Fake Podcast Invite in Malicious Campaign

 

A recent cyber campaign by the Iranian threat actor TA453 has drawn significant attention following their targeting of a prominent Jewish religious figure with a fake podcast interview invitation. The campaign, which began in July 2024, involved a series of deceptive emails promoting a supposed podcast titled “Exploring Jewish Life in the Muslim World.” The attackers masqueraded as representatives of the Institute for the Study of War (ISW), a legitimate American non-profit think tank focused on military and foreign affairs research. 

On July 22, 2024, TA453 initiated contact with the target by sending an email from an address claiming to represent ISW’s Research Director. The email invited the recipient to participate in the podcast, a lure that successfully engaged the target. After initial correspondence, TA453 sent a DocSend URL containing a password-protected text file with a legitimate ISW podcast link. Researchers from Proofpoint believe this initial interaction was intended to build trust with the target, making them more likely to click on malicious links in future communications. 

Following the initial lure, TA453 escalated their attack by sending a Google Drive URL that led to a ZIP archive. This archive contained a malicious LNK file, which, when opened, deployed the BlackSmith toolset, including the AnvilEcho PowerShell trojan. AnvilEcho is a sophisticated malware capable of intelligence gathering and data exfiltration. It employs encryption and network communication techniques to evade detection, integrating multiple capabilities within a single PowerShell script. The trojan’s command-and-control (C2) infrastructure is hosted on a domain linked to previous TA453 operations. 

AnvilEcho continuously fetches and executes commands from the remote server via its “Do-It” function, which handles various tasks, including network connectivity, file manipulation, screenshot capture, and audio recording. The “Redo-It” function, located at the end of the malware’s code, orchestrates these commands while also collecting system reconnaissance data such as antivirus status, operating system details, and user information. According to researchers, the activities of TA453 are likely aimed at supporting intelligence collection for the Iranian government, specifically the Islamic Revolutionary Guard Corps’ Intelligence Organization. 

The tactics employed in this campaign bear a strong resemblance to those used by the Charming Kitten advanced persistent threat (APT) group, another Iranian cyber espionage unit. This operation is a classic example of multi-persona impersonation, where threat actors leverage legitimate links to build trust with victims before launching more harmful attacks.
Read more »
Websites
Black hat malware Online Security URL Websites

Cybercriminals Exploit Web Hosting Platforms to Spread Malware


 

Cybersecurity researchers at Zscaler ThreatLabz have uncovered a concerning trend in which cybercriminals are exploiting popular web hosting and blogging platforms to disseminate malware and steal sensitive data. This sophisticated tactic, known as SEO poisoning within the realm of Black Hat SEO techniques, has been employed to manipulate search engine results, pushing fraudulent websites to the forefront of users' search queries, thereby increasing the risk of unwittingly accessing malicious content.


How They Operate

The cybercriminals orchestrating these operations have devised intricate strategies to evade detection and entice unsuspecting users into downloading malware. They fabricate fraudulent websites spanning a wide array of topics, ranging from pirated software to culinary recipes, often hosted on well-established platforms such as Weebly. By adopting the guise of legitimate sites, complete with endorsements like "Powered by Weebly," they exploit users' trust in reputable services to perpetrate their malicious activities.


The process commences with cybercriminals setting up sham sites on web hosting services, adeptly avoiding detection by both hosting providers and users. When individuals search for relevant content and click on links from search results, they unknowingly find themselves on these malevolent sites. To circumvent scrutiny from security researchers, the perpetrators implement evasion techniques, including scrutinising referral URLs. Should a user access the site directly, indicating a potential analysis, the site tactfully sidesteps redirection to preserve its cloak of invisibility.


The Payload Delivery System

Malicious payloads are secretly delivered through multi-layered zipped files concealed within seemingly innocuous content. For instance, an individual seeking cracked software may inadvertently download malware instead of the anticipated content. Upon execution, the malware puts together a sequence of activities, encompassing process hollowing and DLL sideloading, aimed at downloading additional malware and establishing communication with command-and-control servers.


Tricks to Avoid Detection

To further complicate their activities, threat actors employ techniques, including string concatenation, mathematical manipulation, and the utilisation of password-protected ZIP archives. These tactics serve to confound security measures, rendering the malicious code arduous to decipher and bolstering the malware's ability to slightly pass over detection.


Data Theft and Deceptive Tactics

Once ensconced within a system, the malware embarks on an mission to harvest extensive troves of data, encompassing system information, browser data, credentials, and browsing history. Additionally, it sets its sights on emails pertaining to cryptocurrency exchanges, adeptly modifying email content and intercepting one-time authentication codes to facilitate unauthorised access.


How To Protect Yourself?

Keeping in mind such campaigns, users are advised to exercise utmost caution when procuring software from unfamiliar sources and to prioritise visiting reputable websites. Staying abreast of emerging cybersecurity threats and securing defences with robust protocols can substantially mitigate the risk of succumbing to potential infections.



Read more »
URL Shortener
CERT Critical Flaw cyber security agency DHS DNS attacks Domain Malicious actor Phising Attacks unauthorised access URL URL Shortener

PUMA Network: Unmasking a Cybercrime Empire

A massive cybercrime URL shortening service known as "Prolific Puma" has been uncovered by security researchers at Infoblox. The service has been used to deliver phishing attacks, scams, and malware for at least four years, and has registered thousands of domains in the U.S. top-level domain (usTLD) to facilitate its activities.

Prolific Puma works by shortening malicious URLs into shorter, more memorable links that are easier to click on. These shortened links are then distributed via email, social media, and other channels to unsuspecting victims. When a victim clicks on a shortened link, they are redirected to the malicious website.

Security researchers were able to track Prolific Puma's activity by analyzing DNS data. DNS is a system that translates domain names into IP addresses, which are the numerical addresses of websites and other devices on the internet. By analyzing DNS data, researchers were able to identify the thousands of domains that Prolific Puma was using to deliver its malicious links.

Prolific Puma's use of the usTLD is particularly noteworthy. The usTLD is one of the most trusted TLDs in the world, and many people do not suspect that a link with a usTLD domain could be malicious. This makes Prolific Puma's shortened links particularly effective at deceiving victims.

The discovery of Prolific Puma is a reminder of the importance of being vigilant when clicking on links, even if they come from seemingly trusted sources. It is also a reminder that cybercriminals are constantly developing new and sophisticated ways to attack their victims.

Here are some tips for staying safe from Prolific Puma and other malicious URL shortening services:

  • Be wary of clicking on links in emails, social media posts, and other messages from unknown senders.
  • If you are unsure whether a link is safe, hover over it with your mouse to see the full URL. If the URL looks suspicious, do not click on it.
  • Use a security solution that can detect and block malicious links.
  • Keep your web browser and operating system up to date with the latest security patches.

The security researchers who discovered Prolific Puma have contacted the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) about the service. Both agencies are working to take down Prolific Puma's infrastructure and prevent it from being used to launch further attacks.

Prolific Puma is not the first malicious URL-shortening service to be discovered. In recent years, there have been a number of other high-profile cases of cybercriminals using URL shortening services to deliver malware and phishing attacks.

The discovery of Prolific Puma is a reminder that URL shortening services can be abused for malicious purposes. Users should be cautious when clicking on shortened links, and should take steps to protect themselves from malware and phishing attacks.

Read more »
virus
Advanced Encryption Standard Android Phone CERT-In Cyber Attacks CyberCrime Cybersecurity Daam Government Hacked SMS URL virus

Android Phone Hacked by 'Daam' Virus, Government Warns

 


It has been announced by the central government that 'Daam' malware is infecting Android devices, and the government has issued an advisory regarding the same. CERT-IN, the national cyber security agency of the Indian government, released an advisory informing the public about the possibility of hackers hacking your calls, contacts, history, and camera due to this virus.

The virus' ability to bypass anti-virus programs and deploy ransomware on targeted devices makes it very dangerous, according to the Indian Computer Emergency Response Team or CERT-In, which provided the information. 

As quoted by the PTI news agency, the Android botnet is distributed primarily through third-party websites or apps downloaded from untrusted or unknown sources, according to the Federal Bureau of Investigation. 

The malware is coded to operate on the victim's device using an encryption algorithm known as AES (advanced encryption standard). The advisory reports that the other files are then removed from local storage, leaving only the files that have the extension of ".enc" and a readme file, "readme_now.txt", that contain the ransom note. 

To prevent attacks by such viruses and malware, the central agency has suggested several do's and don'ts. 

The CERT-IN recommends that you avoid browsing "untrusted websites" or clicking "untrusted links" when they do not seem trustworthy. It is advisable to exercise caution when clicking on links contained within unsolicited emails and SMS messages, the organization stated. Specifically, the report recommends updating your anti-virus and anti-spyware software regularly and keeping it up to date.

Once the malware has been installed, it tries to bypass the device's security system. In the case it succeeds in stealing sensitive data, as well as permissions to read history and bookmarks, kill background processing, and read call logs, it will attempt to steal sensitive information of the user. 

"Daam" is also capable of hacking phone calls, contacts, images, and videos on the camera, changing passwords on the device, taking screenshots, stealing text messages, downloading and uploading files, etc. 

In the Sender Information field of a genuine SMS message received from a bank, the Sender ID (abbreviation of the bank) is typically mentioned instead of the phone number, according to the report. 

A cautionary note was provided to users warning them to be aware of shortcut URLs (Uniform Resource Locators) such as the websites 'bitly' and 'tinyurl', which are both URLs pointing to web addresses such as "http://bit.ly/" "nbit.ly" and "tinyurl.com" "/". 

To see the full domain of the website the user is visiting, it is recommended that they hover over the shortened URL displayed. As suggested in the consultation, they may also be able to use a URL checker that allows them to enter both a shortened URL and the complete URL when completing the check. 

This is being viewed as a serious warning by the government to Android phone users throughout the world to remain vigilant and to take all necessary precautions to protect their mobile devices.

The Central Government strives to educate citizens about "Daam" malware, as well as its potential impacts, so citizens can take proactive measures to protect their Android devices and stay safe from cyber threats in the ever-evolving environment we live in today.
Read more »
URL
APT Backdoor Botnet Chinese Hackers Data Breach Sensitive Information Software URL

Chinese APT Group Hijacks Software Updates for Malware Delivery

An advanced persistent threat (APT) group from China, known as Evasive Panda, has been discovered to be hijacking legitimate software update channels of Chinese-developed applications to deliver custom malware to individuals in China and Nigeria for cyber-espionage purposes. Researchers from Eset discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses. The modular malware allows Evasive Panda to spy on victims and enhance its capabilities on the go.

The APT group's activity was fairly easy to attribute to Evasive Panda as researchers have never observed any other threat actors using the MgBot backdoor. The attacks have been ongoing for two years, and the primary goal is to steal credentials and data for espionage purposes. This is another example of state-sponsored actors' increasing sophistication and persistence in cyberspace.

Using legitimate software update channels is a clever technique employed by the group to avoid detection by traditional security measures. Once the malware is delivered through the update, it can operate in the background undetected, and the APT group can exfiltrate sensitive information from the victim's device.

This discovery highlights the importance of maintaining a secure software supply chain and the need for constant vigilance in monitoring the activity of state-sponsored threat actors. Organizations and individuals should always keep their software up to date, maintain robust security measures, and be wary of any suspicious activity or unexpected system changes.

The Eset researchers noted that the MgBot malware has been specifically customized for each victim, suggesting a high degree of sophistication and customization by the APT group. This type of advanced malware is difficult to detect and defend against, making it imperative for individuals and organizations to be proactive in their cybersecurity measures.
Read more »
Subscribe to: Posts (Atom)