
U.S. Soldier Who Hacked AT&T and Verizon Sought to Sell Stolen Data to Foreign Intelligence, Prosecutors Say


A U.S. soldier who pleaded guilty to hacking AT&T and Verizon attempted to sell stolen data to what he believed was a foreign military intelligence service, according to newly filed court records reviewed by Media. 

The documents also reveal that the soldier, Cameron John Wagenius, searched online for “U.S. military personnel defecting to Russia” and “can hacking be treason.” Wagenius, who operated under the online aliases “kiberphant0m” and “cyb3rph4nt0m,” unlawfully obtained and transferred confidential phone records, including those of high-ranking public officials. 

Prosecutors allege that he posted these records for sale in November 2024 and demanded $500,000 from AT&T in exchange for deleting the stolen information, all while on active duty at Fort Cavazos. His activities were part of a larger cyberattack against multiple Snowflake customers during the summer of 2024, impacting at least ten organizations, including Live Nation Entertainment Inc. and Advance Auto Parts Inc. 

Court documents state that hackers linked to the AT&T breach targeted records associated with prominent figures, including former First Lady Melania Trump, Ivanka Trump, Vice President Kamala Harris, and the wife of Senator Marco Rubio. However, it remains unclear what specific data Wagenius attempted to sell to the foreign intelligence service.  
Prosecutors have described the extortion attempt as “only a small part of Wagenius’ malicious activity.” According to a government memorandum filed Wednesday, Wagenius allegedly communicated with an email address he believed was linked to a foreign intelligence agency and, days later, searched for information about countries that do not extradite to the U.S. 

The memorandum states, “Wagenius conducted online searches about how to defect to countries that do not extradite to the United States and that he previously attempted to sell hacked information to at least one foreign intelligence service.” Authorities have also uncovered thousands of stolen identification documents, including passports and driver’s licenses, on Wagenius’ devices, along with access to large amounts of cryptocurrency. 

Additionally, he researched the Russian embassy in Washington, D.C., raising further concerns about his intentions. Wagenius’ co-conspirator, Connor Moucka, a Canadian citizen, is set to face an extradition hearing in Canada on charges of stealing AT&T and Snowflake customer data. Another alleged accomplice, John Binns, an American living in Turkey, was reportedly fearful of being tracked by U.S. intelligence agencies. 

The extensive hacking operation, which prosecutors say resulted in millions of dollars in ransom payments, has prompted warnings from the FBI about potential risks to national security. The agency has cautioned that the breach could compromise communications between FBI agents and confidential sources.

TRAI Enforces Stricter Regulations to Combat Telemarketing Spam Calls

 


There has been a significant shift in the Telecom Regulatory Authority of India (TRAI)'s efforts to curb spam calls and unsolicited commercial communications (UCC) as part of its effort to improve consumer protection, as TRAI has introduced stringent regulations. These amendments will take effect on February 12, 2025, and prohibit the use of 10-digit mobile numbers for telemarketing purposes, addressing the growing concern that mobile users have with fraudulent and intrusive messages.

To ensure greater transparency in telemarketing practices, the Telecom Regulatory Authority of India (TRAI) has enforced several measures that aim to preserve communication integrity while improving oversight of telemarketers. TRAI approved the changes to the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, after a comprehensive stakeholder consultation process, and the resulting amendments are significant. This revision is intended to protect consumers against unsolicited commercial communications (UCCs) and to enhance compliance requirements for telecom service providers. 

The Cellular Operators Association of India (COAI), however, has expressed its concern over the updated regulation, especially about the penalties it imposes on service providers. The second amendment to the TCCCPR allows consumers to lodge complaints up to seven days after receiving the call or message, giving them greater flexibility in reporting spam calls and messages. Furthermore, under the new regulations, individuals are now able to lodge complaints without first having to register their communication preferences. 

Additionally, telecom operators are required to respond to complaints within five business days, a substantial reduction from the previous deadline of 30 days. A new set of stricter enforcement measures imposed by the law mandates that senders who receive five complaints within ten days must be held accountable for the complaint. To further safeguard consumer interests, telecom service providers will now be required to provide users with the option of opting out of all promotional emails. 

TRAI has also mandated a standard messaging format, which requires message headers to contain specific codes indicating whether a message is promotional, service-related, transactional, or government-related. This structured labelling system aims to enhance transparency and help users distinguish between different types of communication. 

As a part of the regulatory framework implemented by the Telecom Regulatory Authority of India (TRAI) to improve transparency and curb unsolicited commercial communications (UCCs), 10-digit mobile numbers will no longer be allowed to be used for commercial purposes. A telemarketer is required to use a series of designated numbers for promotional and service calls, ensuring that the two are clearly distinguished.

It is expected that the existing ‘140’ series will remain available for promotional purposes while the newly launched ‘1600’ series will be used for transactional and service-related communications. TRAI has also removed the requirement for the consumer to pre-register their communication preferences in advance of lodging a complaint against spam messages and unwanted phone calls from unregistered senders as part of its anti-spam practices.

In addition to simplifying the complaint process, TRAI has expanded the reporting window from three days to seven days, giving consumers more flexibility to report violations with the essential details. 

There has been a significant reduction in the timeframe for telecom operators to respond to UCC complaints, which was previously 30 days, down to five days now. Further, the threshold for penalizing senders has been lowered as well, with only five complaints within ten days instead of the earlier benchmark of ten complaints within seven days, requiring penalties to be imposed. To improve accessibility and foster consumer engagement, the government is now requiring that mobile applications and official websites of telecom service providers prominently display complaint registration options as a means of promoting consumer engagement. 

Several regulatory initiatives have been taken to improve the accountability, transparency, and consumer-friendly nature of the telecommunications sector while also making sure the anti-spam directives are strictly followed. A stringent series of measures has been introduced by the Telecom Regulatory Authority of India (TRAI) to counter the rising threat of spam calls and to prevent malicious entities from misusing SMS headers and content templates to forward fraudulent or deceptive messages to subscribers. 

Several initiatives are being implemented by the TRAI that will ensure that consumer interests are protected and a safer and more transparent messaging environment is established. To ensure compliance with telemarketing regulations, TRAI has mandated strict penalties for entities making unauthorized promotional calls that violate telemarketing regulations. A violation of these terms can result in severe consequences such as the disconnection of all telecommunications resources for a period of up to two years, a blacklisting for up to two years, and a prohibition on acquiring any new telecommunications resources during the period of blacklisting. 

More than 800 entities and individuals have been blacklisted as a result of these measures, and over 1.8 million SIP DIDs, mobile numbers, and other telecommunications resources have been deactivated. As a consequence, fraudulent commercial communications have been largely eliminated. TRAI's directives call for access providers to maintain a list of the URLs, APKs, and OTT links permitted within SMS content, a requirement in effect since October 1, 2024, to further enhance consumer protection.

In an attempt to ensure consumer safety, a regulation moving forward will limit the use of links in text messages that have been verified and authorized by the user, thereby reducing the risk of consumers being exposed to harmful websites, fraudulent software, and other online risks. The '140xx' numbering series is further enhanced by migrating all telemarketing calls that originate from this series of numbers to the Distributed Ledger Platform (Blockchain) platform. In this way, the surveillance and control of telemarketing activities can be improved. 

Access providers have also deployed technical solutions to improve traceability, ensuring that every entity involved in message transmission, from the initial sender through to the final recipient, is accounted for within the chain of communication. Any message traffic that omits a clearly defined, verifiable chain of telemarketers or deviates from the pre-registered framework is automatically rejected as of December 1, 2024. These measures amount to significant advances in regulatory oversight of the telecom sector: consumer protection is reinforced, and accountability within the industry is enhanced. 

To ensure that consumers have an easier and more convenient way to report unsolicited commercial communications violations, telecom service providers are required to prominently display complaint registration options on their official websites and mobile applications, making the complaint system more user-friendly and accessible for them. As part of this initiative, consumers will have the opportunity to easily flag non-compliant telemarketing practices, allowing the complaint process to be streamlined. Furthermore, service providers must provide consumers with a mandatory ‘opt-out’ option within all promotional messages to give them greater control over how they want to communicate. 

The new Consumer Rights Rule establishes a mandatory 90-day waiting period before marketers can re-engage users who have previously opted out of receiving marketing communication from a brand before re-initiating a consent request for them. By implementing this regulatory measure, the telecom industry will be able to protect consumers, eliminate aggressive advertising tactics, and develop a more consumer-centric approach to commercial messaging within its infrastructure.

It was announced yesterday that the Telecom Regulatory Authority of India (TRAI) has introduced stringent compliance requirements for access providers to make sure unsolicited commercial communications (UCC) are curbed more effectively. This new set of guidelines requires telecom companies to comply with stricter reporting standards, with financial penalties imposed on those companies that fail to accurately report UCC violations. 

According to the punishment structure, the initial fine of 2 lakh rupees for a first offence is followed by a fine of 5 lakhs for the second offence and a fine of 10 lakhs for subsequent violations. There has been a move by access providers to further enhance the level of regulatory compliance by mandating that telemarketers place security deposits that will be forfeited if any violation of telemarketing regulations occurs. A telecom operator may also be required by law to enter into legally binding agreements with telemarketers and commercial enterprises, which will explicitly define and specify their compliance obligations, as well as enumerating the repercussions of non-compliance. 

This means that reducing spam levels will be a major benefit for businesses while ensuring that they can communicate through authorized, transparent, and compliant channels, leading to a significant reduction in spam levels. TRAI aims to increase the consumer safety and security of the telecommunications ecosystem by enforcing these stringent requirements while simultaneously balancing regulatory oversight with legitimate business needs to engage with customers by the means approved by TRAI.

Ransomware Tactics Evolve as Hackers Shift Focus to Data Theft

 

Ransomware groups are adapting their strategies to outsmart stronger cybersecurity defenses and increasing law enforcement pressure, according to the Huntress 2025 Cyber Threat Report. The findings reveal that attackers are moving beyond traditional encryption-based ransomware, instead focusing on data theft and extortion to bypass modern protections. 

In 2024, 75% of ransomware cases Huntress investigated involved remote access Trojans (RATs), allowing hackers to infiltrate systems discreetly. Additionally, 17.3% of incidents featured the misuse of legitimate remote management tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn. This shift reflects a growing reliance on “living off the land” techniques, where attackers use trusted administrative tools to avoid detection. 

A significant trend noted in the report is that sophisticated tactics once reserved for targeting large enterprises are now common across businesses of all sizes. Huntress observed that cybercriminals are increasingly disabling or tampering with security software to maintain access and avoid detection, effectively closing the gap between attacks on major corporations and smaller organizations.  

Huntress’ analysis of over 3 million endpoints also revealed that nearly 24% of ransomware incidents in 2024 involved infostealer malware, while malicious scripts designed to automate attacks and evade security tools appeared in 22% of cases. Greg Linares, principal threat intelligence analyst at Huntress, states that ransomware groups must constantly evolve to survive in the competitive cybercrime landscape.

“If malware isn’t staying ahead of detection techniques, it becomes obsolete fast,” Linares explained. Another key insight from the report was the speed of modern ransomware campaigns. On average, the time from initial access to the delivery of a ransom demand — known as time-to-ransom (TTR) — was just 17 hours. Some groups, including Play, Akira, and Dharma/Crysis, were even faster, with TTRs averaging around six hours.  

Interestingly, Huntress noted a clear shift in ransomware tactics: rather than encrypting data, many attackers now opt to exfiltrate sensitive information and threaten to leak it unless a ransom is paid. This change is seen as a direct response to stronger ransomware defenses and increased law enforcement efforts, which led to the takedown of major groups like Lockbit. 

However, this shift presents new challenges for companies. While endpoint detection and ransomware protections have improved, the report points out that data loss prevention (DLP) measures remain underdeveloped. Linares noted that DLP solutions are often overlooked, especially in organizations with remote work and bring-your-own-device (BYOD) policies. These environments, he said, often lack the comprehensive monitoring and control needed to prevent data exfiltration. 

To stay ahead of these evolving threats, Huntress recommends that businesses not only strengthen their ransomware defenses but also implement more robust DLP strategies to protect sensitive data. As ransomware gangs continue to adapt, companies must be proactive in addressing both encryption and data theft risks.

Urgent Patch Needed for SonicWall Firewall Exploit Enabling VPN Hijacking

 


Bishop Fox cybersecurity researchers have found that approximately 4,500 Internet-exposed SonicWall firewalls remain affected by a critical security flaw. The flaw, CVE-2024-53704, is a high-severity authentication bypass vulnerability within SonicOS SSLVPN. Threat actors could exploit it to gain unauthorized access to VPN sessions, compromising the privacy of sensitive data and the security of the network. 

SonicWall has issued a patch to address this issue, but unpatched systems remain at immediate risk. Due to this discovery, it is imperative that organizations relying on SonicWall firewalls immediately update those firewalls to mitigate the threat of cyberattacks leveraging this exploit and mitigate the amount of damage they will incur.

In its security bulletin dated January 7, 2025, SonicWall issued a warning about the high likelihood of an exploit resulting from a recently identified authentication bypass vulnerability within its SonicOS SSLVPN application that has been released to alert customers. There was a strong recommendation the company sent out to administrators to upgrade their SonicOS firewall firmware immediately so that they could mitigate the risk of unauthorized access and potentially dangerous cyberattacks. 

The SonicWall security company sent an email notification to all its customers about this critical vulnerability. In the email warning, SonicWall reiterated that the vulnerability poses an immediate threat to organizations that have SSL VPNs or SSH management enabled in their systems. This vendor stressed the importance of immediately updating firmware to protect networks and prevent malicious actors from exploiting them. 

In the latest research, SonicWall's SonicOS SSLVPN application was discovered to have an authentication bypass vulnerability, which has been rated at high risk with a CVSS score of 8.2. In this particular case, the problem affects several versions of SonicOS, specifically versions 7.1.x (all versions up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, which are widely utilized across both Generation 6 and Generation 7 SonicWall firewalls. 

Bishop Fox's cybersecurity team performed a thorough analysis of the vulnerability and demonstrated that unauthenticated, remote attackers can bypass authentication and hijack active VPN sessions. The exploit sends a specially crafted session cookie, containing a base64-encoded string of null bytes, to the SSL VPN endpoint (/cgi-bin/sslvpnclient). 

The misuse of this method can allow threat actors to gain access to authenticated VPN sessions without requiring valid credentials from the users, which poses a significant risk to organizations that use SonicWall firewall products as part of their security measures. The Cyber Security Research Lab has determined that as of February 7, 2025, approximately 4,500 SonicWall SSL VPN servers that connect to the internet remain unpatched and are vulnerable to exploitation by hackers. 

Initially, SonicWall published a security advisory on January 7, 2025, urging organizations to immediately update their firewall firmware to mitigate the risks associated with this high-severity vulnerability that allows authentication bypass. Several SonicOS firewall applications, which are affected by this flaw, have had firmware patches issued to address the problem. These include SonicOS 6.5.5.1-6n or later for Gen 6 firewalls, SonicOS 7.1.3-7015 or later for Gen 7 firewalls, and SonicOS 8.0.0-8037 or later for TZ80 firewalls, which have all been updated with these firmware patches. 

Organizations unable to apply these updates are strongly recommended to temporarily disable SSL VPN access or to restrict it to trusted IP addresses. Despite the simplicity of the exploit, the risk it poses to corporate networks is significant: it opens the door to widespread abuse by threat actors seeking access to corporate networks for espionage, data exfiltration, or ransomware attacks. 

As soon as an adversary is inside a compromised environment, they will be able to escalate privileges, perform lateral movements, and further infiltrate critical systems. To combat these threats, administrators must immediately implement several key security measures that can help prevent these threats from happening. 

To achieve this, all affected devices need to be updated with the latest firmware; SSL VPN and SSH management access should be restricted to trusted IP ranges; firewall logs should be monitored for anomalies such as repeated session terminations or unauthorized login attempts; and multi-factor authentication (MFA) should be enabled on all devices. 

MFA, while ineffective in combating this specific exploit, remains a critical security measure that can be used against other types of cyberattacks as well. Since the risks associated with active exploitation are high, organizations should prioritize the security of their SonicWall firewalls to prevent unauthorized access to their networks, possible data breaches, and long-term network compromises.
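The first of the mitigation steps above, confirming which devices are still below the fixed firmware, is easy to get wrong when versions such as 7.1.2-7019 and 7.1.3-7015 have to be compared build by build. The following is an added example, not code from the article, SonicWall or Bishop Fox: it parses SonicOS version strings of the form MAJOR.MINOR.PATCH[.SUB]-BUILD[suffix], compares each device against the fixed baselines stated in the article (6.5.5.1-6n for Gen 6, 7.1.3-7015 for Gen 7, 8.0.0-8037 for TZ80), and flags unpatched devices that still expose SSL VPN or SSH management. The platform labels, the device inventory and the finding texts are constructed assumptions; the version numbers come from the article.

```python
import re
from dataclasses import dataclass

# Fixed firmware baselines as reported in the article (SonicWall advisory values).
# The platform keys "gen6", "gen7" and "tz80" are labels assumed for this example.
FIXED_VERSIONS = {
    "gen6": "6.5.5.1-6n",
    "gen7": "7.1.3-7015",
    "tz80": "8.0.0-8037",
}

# MAJOR.MINOR.PATCH[.SUB]-BUILD[letters], e.g. "7.1.3-7015" or "6.5.5.1-6n"
VERSION_RE = re.compile(r"^(\d+(?:\.\d+){2,3})-(\d+)([a-z]*)$")


def parse_version(text):
    """Turn a SonicOS version string into a comparable tuple.

    Numeric fields are padded to four components so that 3- and 4-part
    versions compare consistently; the build number is compared numerically
    and any letter suffix (such as the "n" in 6n) is compared last.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts) + (int(m.group(2)), m.group(3))


def is_patched(platform, firmware):
    """True if the firmware is at or above the fixed baseline for its platform."""
    return parse_version(firmware) >= parse_version(FIXED_VERSIONS[platform])


@dataclass
class Device:
    name: str
    platform: str
    firmware: str
    sslvpn_enabled: bool   # SSL VPN service enabled on a WAN interface
    ssh_mgmt_wan: bool     # SSH management reachable from the WAN


def triage(devices):
    """Map device name -> list of findings; an empty list means no action needed."""
    report = {}
    for d in devices:
        findings = []
        try:
            patched = is_patched(d.platform, d.firmware)
        except (ValueError, KeyError) as exc:
            # Unparseable version or unknown platform: never silently treat as safe.
            findings.append(f"could not parse firmware/platform ({exc}); verify manually")
            report[d.name] = findings
            continue
        if not patched:
            findings.append(
                f"firmware {d.firmware} is below fixed {FIXED_VERSIONS[d.platform]}: upgrade"
            )
            if d.sslvpn_enabled:
                findings.append("SSL VPN enabled on unpatched firmware: disable or restrict to trusted IPs until upgraded")
            if d.ssh_mgmt_wan:
                findings.append("SSH management reachable from WAN: restrict to trusted IP ranges")
        report[d.name] = findings
    return report


# Constructed sample inventory (names, platforms and settings are made up for this example).
SAMPLE_INVENTORY = [
    Device("fw-hq-01", "gen7", "7.1.1-7058", sslvpn_enabled=True, ssh_mgmt_wan=True),
    Device("fw-branch-02", "gen7", "7.1.3-7015", sslvpn_enabled=True, ssh_mgmt_wan=False),
    Device("fw-lab-03", "tz80", "8.0.0-8035", sslvpn_enabled=False, ssh_mgmt_wan=False),
    Device("fw-legacy-04", "gen6", "6.5.5.0-2n", sslvpn_enabled=True, ssh_mgmt_wan=False),
    Device("fw-unknown-05", "gen7", "unknown", sslvpn_enabled=True, ssh_mgmt_wan=False),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "ACTION"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The comparison deliberately refuses to guess when a version string does not parse, so a device whose firmware could not be read shows up as needing manual verification rather than disappearing from the list of exposed firewalls.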

Ransomware Gangs Targeting CEOs with Stolen Data


Ransomware gangs are now employing a terrifying tactic—using stolen data to coerce and threaten CEOs. 

Understanding Ransomware Attacks

Ransomware is a type of malicious software that encrypts the victim's data, rendering it inaccessible until a ransom is paid. Over the years, ransomware tactics have evolved, becoming more sophisticated and damaging. Originally, ransomware attacks were more indiscriminate, targeting individuals and organizations alike. However, cybercriminals have become more strategic, now focusing on high-value targets.

The Rise of CEO Extortion

Ransomware gangs have discovered that targeting CEOs can yield higher returns. By threatening to release sensitive data, they put immense pressure on CEOs to comply with their demands. This method of extortion not only threatens the individual's reputation but also jeopardizes the entire organization's security and financial stability.

Why They Rarely Get Caught

Anonymity: Cybercriminals use encryption and the dark web to hide their identities, making it challenging for law enforcement agencies to trace them.

Jurisdictional Challenges: Ransomware attacks are often transnational, complicating legal processes. Different countries have varying laws and levels of cooperation with international authorities.

Sophisticated Techniques: These criminals are adept at covering their tracks, using advanced encryption, and frequently changing their digital footprints to evade detection.

Resource Limitations: Law enforcement agencies often lack the resources and specialized knowledge required to effectively tackle these sophisticated cybercrimes.

The consequences of a ransomware attack can be devastating. For CEOs, the personal and professional stakes are incredibly high. They face potential damage to their reputation, legal ramifications, and significant financial loss. For the organization, it can result in operational disruption, loss of sensitive data, and a breach of trust with customers and stakeholders.

Combating the Threat

  • Regularly update software, use advanced firewalls, and employ comprehensive security solutions to protect against ransomware attacks.
  • Conduct regular cybersecurity training for employees to recognize phishing attempts and other common tactics used by cybercriminals.
  • Ensure that all critical data is backed up regularly and stored securely. This can help recover data without paying the ransom.
  • Have a well-defined plan in place for responding to ransomware attacks, including steps to isolate affected systems and communicate with stakeholders.
  • Report ransomware incidents to law enforcement agencies to help track and apprehend cybercriminals.

Ransomware Attack on the Washington Times Leads to a Dark Web Data Auction

 


The Rhysida cartel promoted an online auction, with a countdown clock showing that it would begin in seven days, promising to sell the Washington Times' unique data. Separately, an unidentified criminal group has been observed deploying a new utility designed to terminate endpoint detection and response (EDR) tools, apparently as part of an attempt to attack an organization with the RansomHub ransomware. 

As a result of this news, many security professionals began to express concern because RansomHub is used in many prominent hacks, including those against Change Healthcare, Frontier Communications, and Christie's auction house. The hacker group who attacked Columbus last week dumped over three terabytes of stolen data, including files belonging to employees, on the dark web early Thursday morning after their efforts to auction off the data failed to attract or satisfy buyers.

A few hours after a lengthy auction ended on the dark web, the Rhysida ransomware group started leaking the data after it had disappeared from the encryption site, according to Ohio State assistant professor Carter Yagemann, CMIT Solutions' Daniel Maldet, and other cybersecurity experts who have observed the onion site. As much as the hackers claimed that they had 6.5 terabytes of data at their disposal, only a portion of that data has been uploaded online, including databases that are backed up for dozens of city employees, and SQL backup files for entire databases that contain personal information. 

Since the files are so large, it is difficult to make out what exactly has been contained in them due to the size of the files. It is what NBC4 found, however, that Rhysida's leak not only included a list of employees' names from a company database but also a list of contractors and former employees who left the company in 2021, making it clear that the leak did not just cover current employees.

In a bid to sell off the massive amount of data it allegedly stole in the ransomware attack on the city, the group claiming responsibility for the hack also claims that several bank accounts were hacked by the thieves. According to the hacking gang Rhysida, which originally broke into the City of Columbus servers to steal sensitive information, it has managed to steal 6.5 terabytes' worth of data. Multiple cybersecurity watchdogs, including Dark Web Intelligence and Ransom Look, reported that Rhysida is offering the data through a site that can only be accessed using the specialized Tor browser, which has become synonymous with the dark web. 

The fine details about this treasure trove of compromised data have emerged after Columbus Mayor Andrew Ginther announced some of the city's online services had been shut down due to a ransomware attack that occurred on July 18. It is fair to say that the mayor has given credit to the city's IT department for cutting off access before any data from the city was encrypted by the hackers. However, he added that they are investigating how much of the data was stolen. 

In addition to not naming Rhysida or any other suspected hacking group on Monday, Corbett said the attack had been carried out by an "established and sophisticated threat actor working from overseas." It is stated on the group's website that the price for the data is 5 bitcoins, which are currently worth $295,198.50 at the time of this writing. This group does not specify what the data supposedly consists of in the post, but a screenshot that is attached to the post appears to show many scans of official documents, including an identification card and a Texas driver's license. 

Cybersecurity analyst Dominic Alvier previously told the Daily Dot that, based on the screenshot, it did not appear that the hackers had accessed any critical information beyond personal information that could be linked to someone in the organization. The Daily Dot contacted Rhysida for information regarding the alleged breach but has not received a response to the inquiry. In addition, it remains unclear whether there have been any negotiations between the hacking group and the outlet itself. As of Wednesday afternoon, the Washington Times had not made any public statements regarding the alleged cyberattack that targeted its systems. 

Despite attempts to seek clarification, the publication did not respond to an email inquiry from the Daily Dot at the time of their report. The incident drew attention to the Rhysida ransomware group, which has been recognized by U.S. government advisories as a significant cyber threat. Rhysida operates under a subscription-based model known as Ransomware as a Service (RaaS), where it leases its ransomware tools to cybercriminals. This model has facilitated attacks across various sectors, including education, healthcare, manufacturing, information technology, and government, since Rhysida's emergence in May 2023. 

Earlier this month, Rhysida gained widespread attention after successfully hacking a law enforcement agency in a Florida county. The group threatened to expose sensitive data, including scanned driver’s licenses and fingerprints, highlighting the severity of the breach. Cybersecurity experts have noted that while the identities of those behind Rhysida remain unknown, the group's operational patterns are reminiscent of cybercriminals based in Russia, Belarus, and Kazakhstan. 

Rafe Pilling, Director of Threat Research at Secureworks, has emphasized that Rhysida exhibits behaviours common to criminal organizations in these regions. Since its inception, the Rhysida group has claimed responsibility for 114 cyberattacks, a fact evidenced by the list of victims published on its dark web blog. This list underscores the group's approach of targeting "targets of opportunity," as it has infiltrated multiple sectors, including education, healthcare, manufacturing, and local government entities. 

An updated profile by the U.S. Defense Department in November 2023 corroborates these findings. Rhysida's operations are further characterized by their use of double extortion tactics. In this approach, even after victims have paid the initial ransom to receive a decryption key, the group threatens to leak the stolen data unless a second payment is made. This strategy adds another layer of pressure on the victims, exacerbating the impact of the attacks. This year, Rhysida took responsibility for breaches at the British Library, the world’s largest repository of historical knowledge, and the Anne & Robert H. Lurie Children’s Hospital in Chicago. 

These incidents further demonstrate the group’s willingness to target prestigious and vulnerable institutions. The growing list of Rhysida’s victims serves as a stark reminder of the pervasive and escalating nature of ransomware threats in today’s digital landscape. The recent incident involving The Washington Times is yet another example of the significant damage cyberattacks can inflict, particularly when they target well-known organizations. 

The audacity of Rhysida’s operations underscores the critical need for organizations to prioritize robust cyber defence mechanisms. Protecting sensitive data has become increasingly important as cyber threats continue to evolve and grow more sophisticated. Security analysts consistently recommend the adoption of strong data protection policies to effectively combat ransomware. As The Washington Times and other organizations navigate these complex threats, they must remain acutely aware of the high stakes involved, not only in their operations but also in their readership and the broader media environment. 

In summary, the ongoing activities of the Rhysida group illustrate the serious challenges posed by ransomware in the current cybersecurity climate. Each incident involving Rhysida offers invaluable lessons for organizations striving to develop effective strategies to counter and prevent future attacks.

FIN7 Hacking Group Sells Custom Tool "AvNeutralizer" to Evade Endpoint Protection


The notorious FIN7 hacking group has been identified selling a custom tool called "AvNeutralizer," designed to bypass detection by disabling enterprise endpoint protection software on corporate networks.

Believed to be a Russian hacking group active since 2013, FIN7 initially focused on financial fraud, hacking organizations, and stealing debit and credit card information. 

Subsequently, the group ventured into the ransomware domain and became linked with the DarkSide and BlackMatter ransomware platforms. The same threat actors are also suspected of being associated with the BlackCat ransomware operation, which recently conducted an exit scam after pilfering a ransom payment from UnitedHealth.

FIN7 is notorious for the sophisticated phishing and social engineering attacks it uses to gain initial access to corporate networks. Its methods have included impersonating Best Buy to distribute malicious USB drives and developing custom malware and tools.

The group also created a fake security company called Bastion Secure to recruit pentesters and developers for ransomware attacks without the applicants realizing the true nature of their work.

FIN7 is tracked under various aliases, including Sangria Tempest, Carbon Spider, and the Carbanak Group.

According to a new report by SentinelOne, one of the custom tools developed by FIN7 is "AvNeutralizer" (also known as AuKill), which was first seen in attacks by the BlackBasta ransomware operation in 2022. At that time, BlackBasta was the only ransomware operation using the tool, leading researchers to believe there was a connection between the groups.

However, SentinelOne's historical data showed that the tool had been used in attacks by five other ransomware operations, indicating widespread distribution.

"Since early 2023, our telemetry data reveals numerous intrusions involving various versions of AvNeutralizer," explains SentinelOne researcher Antonio Cocomazzi. "About 10 of these are attributed to human-operated ransomware intrusions deploying well-known RaaS payloads, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit."

Further investigation revealed that threat actors using the aliases "goodsoft," "lefroggy," "killerAV," and "Stupor" had been selling an "AV Killer" on Russian-speaking hacking forums since 2022, with prices ranging from $4,000 to $15,000. A 2023 report from Sophos detailed how AvNeutralizer/AuKill exploited the legitimate SysInternals Process Explorer driver to terminate antivirus processes on a device.

The threat actors claimed that this tool could disable any antivirus/EDR software, including Windows Defender and products from Sophos, SentinelOne, Panda, Elastic, and Symantec.

SentinelOne recently found that FIN7 had updated AvNeutralizer to use the Windows ProcLaunchMon.sys driver to hang processes, rendering them non-functional. "AvNeutralizer employs a combination of drivers and operations to create a failure in certain implementations of protected processes, ultimately causing a denial of service condition," explains SentinelOne.

"It uses the TTD monitor driver ProcLaunchMon.sys, available on default system installations, in conjunction with updated versions of the process explorer driver version 17.02 (17d9200843fe0eb224644a61f0d1982fac54d844), which has been fortified for cross-process operations abuse and is not currently blocked by Microsoft's WDAC list."
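Because the repurposed driver is not on the WDAC blocklist, defenders have to match it themselves. The following is an added detection example (not SentinelOne's or any vendor's code) that walks Sysmon-style driver-load records constructed inline, flags the Process Explorer driver build quoted in the article by its SHA1, and flags a Process Explorer driver and ProcLaunchMon.sys being loaded together on one host; the field names mirror Sysmon Event ID 6 and the five-minute pairing window is an assumption.

```python
"""Detection logic for the AvNeutralizer driver-pairing pattern.

Added example, not code from SentinelOne. Consumes Sysmon-style driver
load records (Event ID 6: Computer, UtcTime, ImageLoaded, Hashes) that are
constructed below and raises two kinds of alert:
  (a) exact SHA1 match on the Process Explorer 17.02 driver build quoted
      in the article (hash-based, since WDAC does not block it);
  (b) a Process Explorer driver and ProcLaunchMon.sys loaded on the same
      host within PAIR_WINDOW, the combination the article describes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# SHA1 of the repurposed Process Explorer driver 17.02, as quoted in the article.
BLOCKED_DRIVER_SHA1 = {
    "17d9200843fe0eb224644a61f0d1982fac54d844": "Process Explorer driver 17.02 (AvNeutralizer)",
}
# Dual-use drivers named in the article: legitimate alone, suspicious together.
PROCEXP_NAMES = {"procexp152.sys", "procexp.sys"}
TTD_MONITOR = "proclaunchmon.sys"
PAIR_WINDOW = timedelta(minutes=5)  # assumption: max gap between the two loads


@dataclass
class DriverLoad:
    host: str
    time: datetime
    image: str
    hashes: Dict[str, str]


def parse_hashes(field: str) -> Dict[str, str]:
    """Turn Sysmon's 'SHA1=..,MD5=..' string into {ALGO: lowercase hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def parse_record(rec: Dict[str, str]) -> DriverLoad:
    return DriverLoad(
        host=rec["Computer"],
        time=datetime.fromisoformat(rec["UtcTime"]),
        image=rec["ImageLoaded"],
        hashes=parse_hashes(rec["Hashes"]),
    )


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert dict (severity, host, reason) per finding."""
    loads = sorted((parse_record(r) for r in records), key=lambda ld: ld.time)
    alerts: List[Dict[str, str]] = []
    # (a) hash match on the known AvNeutralizer driver build.
    for ld in loads:
        label = BLOCKED_DRIVER_SHA1.get(ld.hashes.get("SHA1", ""))
        if label:
            alerts.append({"severity": "high", "host": ld.host,
                           "reason": f"known AvNeutralizer driver loaded: {label} ({ld.image})"})
    # (b) Process Explorer driver + ProcLaunchMon.sys on one host inside PAIR_WINDOW.
    by_host: Dict[str, List[DriverLoad]] = {}
    for ld in loads:
        by_host.setdefault(ld.host, []).append(ld)
    for host, host_loads in by_host.items():
        procexp = [ld for ld in host_loads if basename(ld.image) in PROCEXP_NAMES]
        ttd = [ld for ld in host_loads if basename(ld.image) == TTD_MONITOR]
        for p in procexp:
            if any(abs(t.time - p.time) <= PAIR_WINDOW for t in ttd):
                alerts.append({"severity": "high", "host": host,
                               "reason": "Process Explorer driver and ProcLaunchMon.sys loaded together"})
                break
    return alerts


# Constructed sample telemetry (placeholder hashes except the quoted one):
# one admin workstation running Process Explorer legitimately, two suspicious servers.
SAMPLE_EVENTS = [
    {"Computer": "ws-admin01", "UtcTime": "2024-07-01T09:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP152.SYS",
     "Hashes": "SHA1=0000000000000000000000000000000000000001,MD5=placeholder"},
    {"Computer": "srv-file02", "UtcTime": "2024-07-01T10:15:00",
     "ImageLoaded": r"C:\Users\Public\PROCEXP152.SYS",
     "Hashes": "SHA1=17d9200843fe0eb224644a61f0d1982fac54d844,MD5=placeholder"},
    {"Computer": "srv-db03", "UtcTime": "2024-07-01T11:00:00",
     "ImageLoaded": r"C:\Windows\Temp\procexp.sys",
     "Hashes": "SHA1=0000000000000000000000000000000000000002,MD5=placeholder"},
    {"Computer": "srv-db03", "UtcTime": "2024-07-01T11:02:30",
     "ImageLoaded": r"C:\Windows\System32\drivers\ProcLaunchMon.sys",
     "Hashes": "SHA1=0000000000000000000000000000000000000003,MD5=placeholder"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], "-", alert["reason"])
```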

SentinelOne discovered additional custom tools and malware used by FIN7 that are not known to be sold to other threat actors, including Powertrash (a PowerShell backdoor), Diceloader (a lightweight C2-controlled backdoor), Core Impact (a penetration testing toolkit), and an SSH-based backdoor.

Researchers warn that FIN7's continuous evolution and innovation in tools and techniques, coupled with selling its software, make it a significant threat to enterprises worldwide. "FIN7's continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise," concludes SentinelOne researcher Antonio Cocomazzi. "The group's use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies."

SEBI Circular Forces Stock Gaming Apps to Shut Down and Reevaluate



As of May 24, a circular was issued by SEBI prohibiting stock exchanges and intermediaries in India from sharing time-sensitive share price information with fantasy trading platforms that gamify stock trading in real-time.

In the week after the Securities and Exchange Board of India (SEBI) announced that such services should cease operation for the time being, nearly half a dozen startups focused on stock gaming have either shut up shop, paused operations, or are considering a pivot. Companies that must now rely on delayed data are finding it increasingly difficult to retain young customers, as the appeal of live gaming and simulations for leisure or education fades.

As part of the latest wave of startups to feel the heat, Trinkerr, founded and backed by Accel and Kunal Shah, has paused the development of its gaming product to contemplate its next move. An app for fantasy stocks backed by Dream Sports - Investro - has been discontinued and withdrawal requests are being accepted for it. Market regulators have ordered stock exchanges, clearing companies, and depositories to review the fees they charge members such as stock brokers and depository participants to ensure that they remain competitive. 

A market infrastructure institution (MII) refers to a market institution such as an exchange, clearing corporation, or depository. Brokers bear the cost of these services and recoup them from investors as service charges. Trinkerr faces several specific issues: the app has never been a pure-play gaming app (it offers no rewards or incentives) and focuses instead on education, and its data is now delayed by five minutes. Under the mandate placed on exchanges and intermediaries, these changes have rendered the product ineffective. 

There is no doubt that delayed data, especially given the variability of expiration dates in F&O trading, can lead to confusion and be detrimental to the educational experience for users if it introduces inaccuracies into the market conditions they are studying. Investro and Trinkerr are not the only firms facing distress as the regulations change. SEBI's new norms, which apply to exchanges and market intermediaries such as brokerages, went into effect on June 24.

These norms prohibit exchanges and market intermediaries from sharing "live" data with third-party platforms offering virtual trading, fantasy games, or educational courses. In a circular on May 22, the Financial Services Authority said that "investor education and awareness activities (which do not involve monetary incentives for users) can be supported by delayed data feeds (with a 1-day lag)." SEBI's crackdown on virtual trading and stock gaming apps comes as retail investors grow more interested in futures and options (F&Os), and amid concerns about a parallel market that lies outside its jurisdiction.

There has been a heated discussion among investors regarding social trading apps, with some arguing that they should be viewed as skill-based games, according to Sanjam Arora, Partner at Trilegal. "SEBI is concerned that users of the above applications will not be provided with the same level of protections as investors typically receive in the market for securities daily. Several concerns have been raised about the possibility that gamifying the trading experience could encourage high-risk behaviours among users that may lead to more dangerous behaviour in the real world, as well," she stated.

NTA Faces Exam Security Crisis Amid Darknet Threats


The National Testing Agency (NTA) in India is in the midst of a serious crisis, with its staff worried about the safety of any exam due to claims that the NTA's website was hacked. 

Following the cancellation of the UGC-NET due to claimed cyberthreats, an NTA officer has come forward, suggesting further risks to examinations.

According to the local media outlet, a senior NTA official stated that the testing organization's IT and administrative staff are concerned that re-conducting the examinations will be impossible owing to "terrorist organisations" getting into the NTA's security systems via the dark web to expose the chinks this year. 

Earlier this week, the Bihar Police asked for data about six candidates, including their roll numbers. Two of the roll numbers do not exist, and the names of the remaining two candidates do not match. There are other discrepancies, including the timing of the seizures, which took place after the exam, when all of the question papers had already been made public, the official added.

He also stated that simply looking at exam models would not be sufficient, saying that the computer-based ITEP exam had to be cancelled since each file of the examination was 5 GB and had to be downloaded at the allocated centres, and that some applicants received false question papers. 

What's happened so far?

Earlier, the NTA published a statement, claiming that the NTA website and all of its other web portals are completely secure and that accusations of hacking were false and misleading. The clarification comes amid a debate over suspected irregularities in exams such as NEET-UG and UGC-NET.

The investigation into the irregularities in the medical entrance exam NEET-UG has also been handed over to CBI, followed by the assigning of the India Trade Promotion Organisation (ITPO) Chairman and Managing Director Pradeep Singh Kharola as the additional charge of the NTA.

A high-level seven-member team, led by former ISRO chairman Dr K Radhakrishnan, has been constituted to investigate the functioning and fair conduct of exams by the NTA, and will submit its report in two months, the Centre revealed on June 22.

Ticketmaster and Santander Breaches Expose Cloud Security Flaws


Recent data breaches at Ticketmaster and Santander Bank have exposed major security vulnerabilities in the use of third-party cloud storage services. These breaches highlight the urgent need for robust security measures as more organisations move their data to the cloud.

On May 20, Ticketmaster experienced a data breach involving a third-party cloud storage provider. The breach, disclosed in a regulatory filing by its parent company Live Nation Entertainment, compromised the data of approximately 550 million customers. This stolen data, including sensitive personal information, was reportedly put up for sale on a Dark Web forum by a group known as "ShinyHunters."

Just a week earlier, on May 14, Santander Bank revealed a similar breach. Unauthorised access to a cloud-hosted database exposed data belonging to customers and employees, primarily affecting those in Spain, Chile, and Uruguay. ShinyHunters also claimed responsibility for this breach, offering the stolen data—which includes 30 million customer records, 28 million credit card numbers, and other sensitive information—for sale at $2 million.

Both breaches have been linked to Snowflake, a renowned cloud storage provider serving numerous high-profile clients like MasterCard, Disney, and JetBlue. Although Snowflake acknowledged recent malicious activities targeting its customers, an investigation by Mandiant and CrowdStrike found no evidence of a vulnerability or breach within Snowflake’s own platform. The attackers apparently exploited single-factor authentication credentials obtained through infostealer malware, highlighting the importance of robust authentication measures.

David Bradbury, Chief Security Officer at Okta, stressed the importance of implementing multi-factor authentication (MFA) and network IP restrictions for securing SaaS applications. However, he pointed out that attackers are increasingly bypassing MFA by targeting post-authentication processes, such as stealing session tokens. This highlights the need for additional security mechanisms like session token binding.

Michael Lyborg, CISO at Swimlane, emphasised the shared responsibility model in cloud security. While cloud providers like Snowflake offer best practices and security guidelines, it is ultimately up to customers to follow these protocols to protect their data. Lyborg suggested that enforcing MFA and adopting a zero-trust security model by default could enhance data protection by a notable measure.


Challenges in Enforcing Security Standards

Patrick Tiquet, VP of Security and Architecture at Keeper Security, argued that while uniform security measures might enhance protection, they could also limit the flexibility and customization that customers seek from cloud services. He noted that some organizations might have their own robust security protocols tailored to their specific needs. However, the recent breaches at Ticketmaster and Santander highlight the dangers of relying solely on internal security measures without adhering to industry best practices.

The breaches at Ticketmaster and Santander serve as critical reminders of the risks associated with inadequate cloud security measures. As organisations increasingly transition to cloud-based operations, both cloud providers and their customers must prioritise robust security strategies. This includes implementing strong authentication protocols, adhering to best practices, and fostering a culture of security awareness. Ensuring comprehensive protection against cyber threats is essential to safeguarding sensitive data in the digital age.


The Dark Side of Free VPNs: Hidden Dangers and Privacy Risks


Virtual Private Networks, or VPNs, have become essential tools for internet users worldwide. By encrypting web traffic and masking IP addresses, VPNs promise an extra layer of privacy and security. However, not all VPNs live up to this promise. Alarmingly, many free VPNs may actually compromise user privacy, posing significant risks, especially to vulnerable groups like children.

The Lure and Risks of Free VPNs

Free VPNs are particularly attractive to students seeking to bypass school internet filters and access restricted content, such as pornographic sites or social media platforms. 

Yet, recent research, set to be shared with U.S. lawmakers, highlights a more sinister aspect. Some free VPNs have connections to China and may be funneling user data to the Chinese government. This alarming discovery is compounded by a recent case where a Chinese national allegedly used malware-infested free VPNs to create a botnet, compromising millions of computers and generating substantial fraudulent revenue. 

Privacy Concerns and Security Flaws 

A comprehensive study by the Commonwealth Scientific and Industrial Research Organisation (CSIRO) in Australia revealed that many free VPNs fall short of providing adequate security. Of the 283 Android VPN apps analyzed, a staggering 67% embedded at least one tracking library to monitor user activity. Even more concerning, 84% of these apps failed to properly encrypt user data, leaving it vulnerable to hackers and other malicious entities. 

Why Free VPNs Are Risky 

Malware Infections: The CSIRO study found that six out of the ten VPNs most likely to be infected with malware were free. These infections were primarily ad-related, as free VPNs often rely on advertising revenue. 

Embedded Tracking: Only 28% of free VPNs did not use third-party trackers. Many had multiple trackers, compromising user privacy for analytics and advertising purposes. 

Content Unblocking Failures: Free VPNs often struggle to bypass geo-restrictions, making them ineffective for accessing content like region-locked Netflix shows. 

Slower Connections: Free VPNs are notorious for slowing down internet speeds. Some may intentionally throttle speeds to push users towards their paid versions. 

Ad Delivery: To sustain their operations, free VPNs bombard users with pop-up ads, which not only irritate but also slow down browsing. 

Browser Hijacking: Some free VPNs hijack browsers and redirect users to unwanted websites, further eroding trust. 

Data Collection by Governments: Many free VPNs are operated by companies based in countries with weak privacy laws. This raises the possibility that these services may share user data with their respective governments. 

Expert Recommendations: Given these risks, experts advise opting for paid VPN services from reputable vendors like F-Secure or ProtonVPN. Paid VPNs typically offer robust encryption, better privacy policies, and fewer advertisements. They also invest more in their infrastructure, ensuring faster and more reliable connections.

UAE Takes Measures to Strengthen Cybersecurity in the META Region




The United Arab Emirates (UAE) is emerging as a beacon of innovation and technological advancement in the Middle East, and its commitment to cybersecurity is a vital element in shaping its hyper-connected future. As the UAE's digital footprint expands, so too does the potential for cyberattacks that could disrupt critical infrastructure and compromise sensitive data.

Recent statistics reveal a concerning increase in the UAE's vulnerability to cyber threats, including ransomware and DDoS attacks. In a joint report by the UAE government and CPX security, it was found that nearly 155,000 vulnerable points exist within the UAE, with Dubai being the most concentrated area. Insider attacks, where individuals within organizations misuse their access to steal data, are also a growing concern as the country embraces cloud computing and artificial intelligence.

The financial implications of data breaches in the Middle East have also surged, with the region ranking second only to the US in terms of breach costs. The average cost of a data breach in the Middle East exceeded $8 million in 2023, highlighting the urgent need for robust cybersecurity measures. However, a critical gap remains, as nearly a quarter of oil and gas companies and government entities in the region lack dedicated cybersecurity teams.


The UAE is actively addressing these challenges through a multi-pronged approach to enhance its cybersecurity shield. Here are the top cybersecurity trends shaping the UAE's digital landscape in 2024:

1. Advanced Threat Detection: The UAE recognizes the limitations of traditional security methods and is investing in advanced threat detection systems powered by artificial intelligence (AI), machine learning (ML), and behavioural analytics. This approach enables real-time identification and response to sophisticated cyber threats.

2. Public-Private Partnerships (PPPs) for Enhanced Security: The UAE is forging partnerships between the government and private sector to create a united front against cyber threats. Collaborations with organisations like the UN's ITU and leading cybersecurity firms demonstrate a commitment to sharing expertise and resources.

3. Cloud Security on the Rise: With the increasing reliance on cloud storage and processing, the UAE is experiencing a surge in cloud security solutions. This growth is driven by investments from cloud service providers, proactive government measures, and the need for enhanced protection against cyberattacks.

4. Cybersecurity Education and Training: The UAE is investing in cybersecurity education and training programs to equip professionals with the necessary skills to combat cyber threats. From specialised courses in universities to workshops for businesses, there is a concerted effort to build a strong cybersecurity workforce in the country.

5. Zero Trust Security Model Gaining Traction: The adoption of the zero-trust security model is growing in the UAE as businesses move away from traditional network perimeters. This model constantly verifies users and devices before granting access to resources, offering enhanced security in a more open, cloud-based environment.

6. Regulatory Compliance: The UAE has implemented stringent cybersecurity regulations to safeguard critical infrastructure and sensitive data. Adhering to these regulations is mandatory for organisations operating in the country, ensuring a baseline level of cybersecurity.

7. Quantum Cryptography: The UAE is investing in the research and development of quantum cryptography technologies to protect against future cyber threats posed by quantum computers. This cutting-edge approach leverages the principles of quantum mechanics to secure communications.

8. Focus on Critical Infrastructure Protection: Protecting critical infrastructure is a top priority in the META region, with specific measures being implemented to safeguard sectors such as energy, transportation, and healthcare systems. These measures are essential for maintaining national security and ensuring the continuity of essential services.

9. Growth of Cybersecurity Startups and Innovations: The META region is witnessing a surge in cybersecurity startups that are developing tailored solutions to address regional needs. Initiatives like Dubai's Innovation Hub and Saudi Arabia's cybersecurity accelerators are nurturing a conducive environment for these startups to thrive.

10. Cyber Threat Intelligence Sharing: Sharing cyber threat intelligence is increasingly important in the META region. Governments and organisations are establishing platforms for real-time sharing of threat information, enhancing collective cybersecurity defence.

As the UAE continues to advance in AI, PPPs, and cloud security, the question remains whether these advancements will stay ahead of the ever-evolving tactics of cybercriminals. The future of cybersecurity depends on the UAE's ability to adopt cutting-edge solutions and anticipate and adapt to the next wave of threats. 


400% Increase in MoD Data Breaches Sparks Fears of Cyber Threats from Russia and China


Data breaches within the Ministry of Defence (MoD) have surged nearly fivefold over the past five years, raising concerns about the UK's resilience against cyber threats from nations like Russia and China. MoD figures reveal 550 data incidents last year, up from 117 in 2017-18.

Ministers also disclosed that the Information Commissioner’s Office (ICO) is currently investigating three personal data incidents at the MoD. Both the Conservative and Labour parties have prioritized national security in their election campaigns amid global instability and threats from Russia, China, North Korea, and Iran.

Recent warnings suggest the upcoming UK general election could be targeted by cyber attacks and AI deep fakes from hostile states. Many breaches involve unauthorized disclosures by MoD staff, exacerbating concerns about security in a department recently hit by a suspected Chinese cyber attack.

Labour criticized the Conservative government for its “lax approach to cyber security,” promising that a Keir Starmer administration would prioritize the UK's security. However, Prime Minister Rishi Sunak countered by questioning Labour’s national security stance, highlighting Starmer’s past support for Jeremy Corbyn as a potential risk.

Earlier this month, it was revealed that the MoD’s payroll system, managed by contractor SSCL, suffered a major hack attributed to China. Deputy Prime Minister Oliver Dowden, in a letter to shadow Cabinet Office minister Pat McFadden, stated that the Government has enhanced security measures in its procurement processes following this breach.

In 2017-18, the MoD reported 117 data breaches, including unauthorized disclosures, lost equipment or documents, and insecure document disposal. By 2022-23, breaches had risen to 550, with unauthorized disclosures making up the majority. In 2023, the ICO fined the MoD £350,000 after 265 individuals' details were compromised in email breaches following the Taliban’s takeover of Afghanistan.

Defence Minister Andrew Murrison recently confirmed that the ICO has three ongoing investigations into personal data incidents at the MoD. Shadow Defence Secretary John Healey criticized the MoD’s worsening data security record, noting that breaches have tripled over five years, and vowed that a Labour government would enhance the UK’s cyber-security.

Defence Secretary Grant Shapps announced an urgent investigation into the recent MoD payroll cyber attack and a broader review of SSCL’s contracts with the MoD and other Whitehall departments. Dowden emphasized the importance of strengthening domestic cyber resilience to achieve national and international security goals. The Cabinet Office has implemented measures to ensure robust data security requirements in procurement contracts with third-party contractors across Whitehall.

Sharp Dragon Shifts Cyber Attacks to New Frontiers: Africa and the Caribbean


Check Point Research has been monitoring Sharp Dragon, a Chinese cyber threat group, since 2021. This group, previously known as Sharp Panda, has primarily targeted organisations in Southeast Asia with phishing campaigns. Recently, however, they have expanded their activities to include government organisations in Africa and the Caribbean, marking a significant change in their strategy.

Starting in late 2023, Sharp Dragon shifted its focus to government entities in Africa and the Caribbean. They used previously compromised email accounts from Southeast Asia to send phishing emails. These emails contained documents that appeared legitimate but were actually designed to deliver Cobalt Strike Beacon malware, replacing their earlier use of VictoryDLL and the Soul framework.

The first attack targeting Africa occurred in November 2023, involving a phishing email about industrial relations between Southeast Asia and Africa. By January 2024, further attacks within Africa suggested that some initial attempts had been successful. Similarly, in December 2023, Sharp Dragon targeted a Caribbean government with a document related to a Commonwealth meeting. This was followed by a broader phishing campaign in January 2024, using a fake survey about opioid threats in the Eastern Caribbean.

Sharp Dragon has been refining its tactics. Their new approach includes more thorough checks on target systems before deploying malware. They now use Cobalt Strike Beacon, which allows them to control infected systems without exposing their custom tools immediately. This change helps them avoid detection and gather more information on their targets.

They have also shifted from using DLL-based loaders to executable files disguised as documents. These files write and execute malicious software and create scheduled tasks for persistence on the infected system.

Another major change is Sharp Dragon's use of compromised servers for their command and control operations. Instead of using dedicated servers, they exploit legitimate servers, making their activities harder to detect. For example, in May 2023, they used a vulnerability in the GoAnywhere platform to take over legitimate servers.

Sharp Dragon's new focus on Africa and the Caribbean shows a broader effort by Chinese cyber groups to increase their influence in these regions. After years of targeting Southeast Asia, Sharp Dragon is using its established tactics to gain a foothold in new territories. Their refined methods and careful target selection highlight the need for enhanced cybersecurity measures in these regions, which have yet to be as heavily scrutinised by the global cybersecurity community.


Hidden Cyber Threat Exposed After Six Years



A newly identified cyber threat group, known as "Unfading Sea Haze," has been secretly infiltrating military and government networks in the South China Sea region since 2018, according to a recent report by Bitdefender researchers. The group's activities align with Chinese geopolitical interests, focusing on gathering intelligence and conducting espionage. Unfading Sea Haze shares many tactics, techniques, and procedures (TTPs) with other Chinese state-sponsored hacking groups, particularly APT41.

The group's attacks typically begin with spear-phishing emails containing malicious ZIP files disguised as legitimate documents. These ZIP files, often named to appear as Windows Defender installers, contain LNK files with obfuscated PowerShell commands. If an ESET security executable is detected on the target system, the attack is halted. Otherwise, the PowerShell script uses Microsoft's msbuild.exe to launch fileless malware directly into memory, without writing the payload to the victim's disk.

The code executed by MSBuild installs a backdoor called 'SerialPktdoor,' which gives the attackers remote control over the compromised system. Additionally, the hackers use scheduled tasks and manipulate local administrator accounts to maintain their presence on the network. By resetting and enabling the typically disabled local admin account, they create a hidden profile for continuous access.

Unfading Sea Haze employs a variety of custom tools and malware. Among these are 'xkeylog,' a keylogger for capturing keystrokes, info-stealers targeting browser data, and PowerShell scripts for extracting information. Since 2023, the group has adopted stealthier methods, such as abusing msbuild.exe to load C# payloads from remote SMB shares and deploying different variants of the Gh0stRAT malware.


Bitdefender has identified several Gh0stRAT variants used by the hackers:

1. SilentGh0st: A variant with extensive functionality through numerous commands and modules.

2. InsidiousGh0st: A Go-based evolution with enhanced capabilities, including TCP proxy, SOCKS5, and improved PowerShell integration.

3. TranslucentGh0st, EtherealGh0st, and FluffyGh0st: Newer variants designed for evasive operations with dynamic plugin loading and a lighter footprint.

Earlier attacks utilised tools like Ps2dllLoader for loading .NET or PowerShell code into memory and SharpJSHandler, a web shell for executing encoded JavaScript via HTTP requests. The group also created a tool to monitor newly connected USB and Windows Portable Devices every ten seconds, reporting device details and specific files to the attackers.

For data exfiltration, Unfading Sea Haze initially used a custom tool named 'DustyExfilTool,' which extracted data via TLS over TCP. In more recent attacks, the group has shifted to using the curl utility and the FTP protocol, with dynamically generated credentials that are rotated frequently to frustrate detection and analysis.
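The chain described above (msbuild.exe launched from PowerShell or pointed at a remote SMB share, the built-in local Administrator account reset and enabled, scheduled tasks for persistence) leaves footprints in standard Windows logging. The following is an added detection example, not Bitdefender's code, that correlates those footprints over Security and Sysmon-style records constructed inline; the event IDs are the standard Windows ones, while the field names, the ten-minute correlation window and the sample hosts are assumptions.

```python
"""Detection logic for the Unfading Sea Haze execution and persistence steps.

Added example (not Bitdefender's code). Walks constructed Windows Security
(4722 account enabled, 4724 password reset, 4698 scheduled task created)
and Sysmon Event ID 1 (process creation) records and flags:
  (1) the built-in local Administrator (RID 500) enabled and reset together;
  (2) msbuild.exe spawned by PowerShell or handed a UNC project path;
  (3) scheduled-task creation by a non-system principal (medium severity).
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

ADMIN_RESET_WINDOW = timedelta(minutes=10)  # assumption: reset/enable proximity
SYSTEM_PRINCIPALS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_builtin_admin(sid: str) -> bool:
    """The built-in Administrator is RID 500 of a machine or domain SID."""
    return sid.upper().startswith("S-1-5-21-") and sid.endswith("-500")


def msbuild_suspicious(ev: Dict[str, str]) -> str:
    """Return a reason if this Sysmon EID 1 record looks like msbuild.exe abuse."""
    image = ev.get("Image", "").lower()
    if not image.endswith("msbuild.exe"):
        return ""
    parent = ev.get("ParentImage", "").lower()
    if parent.endswith("powershell.exe") or parent.endswith("pwsh.exe"):
        return "msbuild.exe spawned by PowerShell"
    if "\\\\" in ev.get("CommandLine", ""):  # a UNC path, i.e. project file on an SMB share
        return "msbuild.exe given a UNC project path (remote SMB share)"
    return ""


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    admin_ops: Dict[str, List[Tuple[datetime, str]]] = {}  # host -> [(time, event id)]
    for ev in events:
        when = datetime.fromisoformat(ev["UtcTime"])
        eid, host = ev["EventID"], ev["Computer"]
        if eid in ("4722", "4724") and is_builtin_admin(ev.get("TargetSid", "")):
            admin_ops.setdefault(host, []).append((when, eid))
        elif eid == "4698" and ev.get("SubjectUserName", "").upper() not in SYSTEM_PRINCIPALS:
            alerts.append({"severity": "medium", "host": host,
                           "reason": f"scheduled task '{ev.get('TaskName')}' created by {ev.get('SubjectUserName')}"})
        elif eid == "1":
            why = msbuild_suspicious(ev)
            if why:
                alerts.append({"severity": "high", "host": host, "reason": why})
    # Correlate: the normally disabled Administrator enabled AND reset within the window.
    for host, ops in admin_ops.items():
        enables = [t for t, e in ops if e == "4722"]
        resets = [t for t, e in ops if e == "4724"]
        if any(abs(a - b) <= ADMIN_RESET_WINDOW for a in enables for b in resets):
            alerts.append({"severity": "high", "host": host,
                           "reason": "built-in Administrator enabled and password reset together"})
    return alerts


# Constructed sample events, not real telemetry: one compromised workstation and one build server.
SAMPLE_EVENTS = [
    {"Computer": "ws-07", "UtcTime": "2024-05-10T02:11:00", "EventID": "1",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\update.xml"},
    {"Computer": "ws-07", "UtcTime": "2024-05-10T02:12:10", "EventID": "4724",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-500", "TargetUserName": "Administrator"},
    {"Computer": "ws-07", "UtcTime": "2024-05-10T02:12:12", "EventID": "4722",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-500", "TargetUserName": "Administrator"},
    {"Computer": "ws-07", "UtcTime": "2024-05-10T02:13:00", "EventID": "4698",
     "SubjectUserName": "jdoe", "TaskName": r"\Microsoft\Windows\Defender\Update"},
    {"Computer": "build-01", "UtcTime": "2024-05-10T09:00:00", "EventID": "1",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app.sln"},
    {"Computer": "build-01", "UtcTime": "2024-05-10T09:05:00", "EventID": "4698",
     "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Reboot"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], "-", alert["reason"])
```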

The sophisticated techniques employed by Unfading Sea Haze highlight the need for robust cybersecurity defences. Organisations should implement a comprehensive security strategy that includes regular patch management, multi-factor authentication (MFA), network segmentation, traffic monitoring, and advanced detection and response tools.

By adopting these measures, organisations can better defend against the persistent and evolving threats posed by groups like Unfading Sea Haze. The group's ability to remain undetected for six years underscores the critical importance of vigilance and continuous improvement in cybersecurity practices.



Is Your iPhone at Risk? Understanding iPhone Spyware Issue


An iOS user first brought Apple's iPhone spyware problem to light, and these spyware attacks have since extended to 92 countries, making them one of the most alarming threats in the technology world.

This post explores how these spyware attacks are growing and shares some simple strategies for protecting your privacy.

Alarming rise 

Almost three weeks ago, Apple sent a notification to all iOS users in 90+ countries warning about iPhone spyware attacks. The alert quickly went viral, leaving users wary and concerned about their privacy.

Apple explicitly warned of "the increasing use of spyware against iPhone users across the world", but has not provided any further updates on the attacks, and the situation remains unclear.

Pegasus issue

Why has Apple's iPhone spyware problem become so serious? These attacks should not be mistaken for typical spying or malware: they exploit weaknesses in the apps installed on the device, and their main goal is to gain access to your WhatsApp and iMessage. They usually install silently on your iPhone.

No action on your part is required, and the attacker ends up with complete control of your device. The Israeli Pegasus spyware was designed along the same lines and has been used extensively in such attacks.

It gives the attacker control over your microphone, camera, location, texts, media, and other features. For a long time, Pegasus was frequently deployed against journalists and political figures.

How to detect spyware 

Detecting iPhone spyware attacks can be difficult, but it is not impossible. These tools are built to stay cleverly disguised on your device, but here are some key signs: 

  • Constant battery drain
  • Slow or odd performance
  • Suspicious installations
  • Increased data use

Steps to ensure your privacy 
  • Make sure your device is running the most recent iOS version. It applies all of the available security fixes and serves as your first line of defence. 
  • Strong passwords and multi-factor authentication add an extra layer of security to your applications and accounts.
  • Avoid dubious messages or links, and do not download attachments or documents shared by strangers.

Inside Job Exposed: T-Mobile US, Verizon Staff Solicited for SIM Swap Scam



Criminals are texting T-Mobile and Verizon employees, offering cash to entice them into performing SIM swaps. Screenshots that the targeted employees have shared with us show the senders offering $300 to anyone willing to assist them in their criminal endeavours. 

The report indicates that this was part of a campaign targeting current and former mobile carrier workers who may have access to the systems needed to swap SIM cards. Reddit users claiming to be Verizon employees also received the message, indicating that the scam is not limited to T-Mobile US alone. 

SIM swapping is essentially a social engineering scam in which the perpetrator convinces the carrier to transfer a victim's phone number to a SIM card the perpetrator controls. 

With control of the victim's phone number, the scammer receives the victim's multi-factor authentication text messages and can use them to break into other accounts. Where the scammer also holds the victim's private information, the attack is extremely lucrative. 

SIM swapping, also known as simjacking, is a method cybercriminals use to breach accounts protected by multi-factor authentication (MFA). Once the carrier ports the victim's number from the legitimate SIM card to one controlled by the threat actor, messages intended for the victim are delivered to the attacker, who can then take control of any account that sends the victim a verification message. 

Cyber gangs are often able to trick carrier support staff into performing swaps by presenting fake information, but hiring an insider to do it is far more efficient. It is unclear how the hackers obtained the mobile numbers of the workers who received the texts, although both T-Mobile and Verizon have previously suffered breaches of employee information, T-Mobile in 2020 and Verizon last year. 

In the Verizon incident, in 2010, an employee accessed without authorization a file containing details of about half of Verizon's 117,00-strong workforce. The company stated at the time that there was no evidence the information had been misused or shared outside the organization.

The number of former T-Mobile employees who reported on Reddit that they received the SIM swap message suggests the hackers were working with outdated information rather than recently stolen T-Mobile data. T-Mobile reinforced this in a statement confirming that there had been no breach of its systems. 

In a SIM swap attack, criminals trick the victim's wireless carrier into rerouting the victim's service to a device the fraudster controls. A successful attack can result in unauthorized access to personal information, identity theft, financial loss, and emotional distress for the victim. In February 2022 the FBI warned that criminals were hijacking victims' phone numbers through SIM swap attacks to steal millions of dollars. 

The IC3 reported 1,075 SIM-swapping complaints from Americans during 2023, with adjusted losses of $48,798,103. The previous year brought 2,026 SIM-swapping complaints with losses of $72,652,571, whereas between January 2018 and December 2020 only 320 complaints were filed, with losses of around $12 million. Following this wave of consumer complaints, the Federal Communications Commission (FCC) announced new regulations to protect Americans from SIM-swapping attacks.

The new regulations require carriers to have a secure authentication procedure in place before transferring a customer's phone number to a different device or service provider, and to notify customers whenever their account is changed or a SIM port-out request is received.