Showing posts with label threat.

TikTok Ban: China Criticizes a Proposed Bill in the US Congress

China has criticized a proposed bill in the US Congress that could potentially lead to the banning of TikTok in the United States, labeling it as unfair. This action marks the latest development in a longstanding dispute over safety concerns regarding the popular app, which is owned by a Chinese company. Authorities, politicians, and security personnel in numerous Western nations have already been prohibited from installing TikTok on official devices.

Addressing three major cyber concerns surrounding TikTok, the first revolves around its data collection practices. Critics frequently accuse TikTok of gathering excessive amounts of user data, a claim supported by a cyber-security report published by Internet 2.0, an Australian firm, in July 2022. This report, based on an analysis of TikTok's source code, highlighted what it described as "excessive data harvesting," including details such as location, device specifications, and installed apps. However, contrasting studies suggest that TikTok's data collection practices are not significantly different from other social media platforms, with similar types of data being collected for user behavior tracking.

The second concern focuses on the potential for TikTok to be exploited by the Chinese government for espionage purposes. TikTok asserts its independence and denies providing user data to the Chinese government, emphasizing that such actions would not be entertained if requested. However, critics remain wary due to the app's ownership by ByteDance, a Beijing-based tech company. Allegations raised by former US President Donald Trump in a 2020 executive order suggested that TikTok's data collection could enable China to engage in espionage activities, although concrete evidence supporting these claims remains elusive.

The third concern revolves around the possibility of TikTok being utilized as a tool for "brainwashing" users. TikTok defends its community guidelines, stating that they prohibit misinformation and harmful content. However, concerns have been raised regarding the platform's recommendation algorithm and its potential susceptibility to influence operations. Comparisons with Douyin, TikTok's sister app available only in China, highlight disparities in content censorship. While Douyin reportedly promotes wholesome and educational content, TikTok's approach appears less stringent in terms of political censorship.

Overall, these concerns primarily exist as theoretical risks rather than concrete evidence of wrongdoing. Critics argue that TikTok could potentially serve as a covert instrument during times of conflict, akin to a "Trojan horse." However, decisions to ban TikTok, as seen in India in 2020, or restrict Chinese tech companies like Huawei from participating in 5G infrastructure development, are often based on these theoretical risks rather than tangible evidence. Conversely, China does not face similar concerns regarding US-based apps, as access to such platforms has been blocked for Chinese citizens for several years.

W3LL Store: Unmasking a Covert Phishing Operation Targeting 8,000+ Microsoft 365 Accounts


A hitherto undisclosed "phishing empire" has been identified in a series of cyber attacks targeting Microsoft 365 business email accounts spanning six years. 

According to a report from cybersecurity firm Group-IB, the threat actor established an underground market called W3LL Store, catering to a closed community of around 500 threat actors. This market offered a custom phishing kit called W3LL Panel, specifically designed to bypass Multi-Factor Authentication (MFA), alongside 16 other specialized tools for Business Email Compromise (BEC) attacks.

Between October 2022 and July 2023, the phishing infrastructure is estimated to have aimed at over 56,000 corporate Microsoft 365 accounts,  compromising at least 8,000 of them. The majority of the attacks were concentrated in countries including the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. The operators of this operation reportedly reaped approximately $500,000 in illegal gains.

Various sectors fell victim to this phishing campaign, notably manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB pinpointed almost 850 distinct phishing websites associated with the W3LL Panel during the same timeframe.

The Singapore-based cybersecurity company has characterized W3LL as a comprehensive phishing tool that offers an array of services, encompassing customized phishing tools, mailing lists, and access to compromised servers. This underscores the growing prevalence of phishing-as-a-service (PhaaS) platforms.

The threat actor responsible for this kit has been active since 2017, initially focusing on creating tailored software for bulk email spam (referred to as PunnySender and W3LL Sender) before shifting their attention towards developing phishing tools for infiltrating corporate email accounts.

A key element of W3LL's arsenal is an adversary-in-the-middle (AiTM) phishing kit, capable of evading multi-factor authentication (MFA) protections. It is available for purchase at $500 for a three-month subscription, followed by a monthly fee of $150. The panel not only harvests credentials but also includes anti-bot features to bypass automated web content scanners, prolonging the lifespan of their phishing and malware campaigns.

The W3LL Store extends a 70/30 split on commissions earned through its reseller program to PhaaS affiliates, along with a 10% "referral bonus" for bringing in other trusted parties. To prevent unauthorized distribution or resale, each copy of the panel requires a license-based activation.

BEC attacks employing the W3LL phishing kit involve a preparatory phase to verify email addresses using an auxiliary utility known as LOMPAT, followed by the delivery of phishing messages. Victims who interact with the deceptive link or attachment are directed through an anti-bot script to filter out unauthorized visitors, subsequently landing on the phishing page via a redirect chain employing AiTM tactics to extract credentials and session cookies.

With this access, the threat actor proceeds to log into the target's Microsoft 365 account without triggering MFA, utilizing a custom tool called CONTOOL for automated account discovery. This enables the extraction of emails, phone numbers, and other sensitive information.

Noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and utilizing platforms like Telegram and email for exfiltrating the credentials to criminal actors.

This disclosure comes shortly after Microsoft's warning regarding the proliferation of AiTM techniques through PhaaS platforms, such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which facilitate unauthorized access to privileged systems at scale without the need for re-authentication.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.

"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."


Cyberattack Strikes Australian Energy Software Company Energy One


Energy One, an Australian company specializing in software solutions and services for the energy industry, has fallen victim to a cyber assault.

In an announcement made on Monday, the company revealed that the breach was identified on August 18 and had repercussions for certain internal systems both in Australia and the United Kingdom.

“As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems,” Energy One said.

Energy One is actively engaged in an inquiry to ascertain the extent of the impact on customer-related systems and personal data. The organization is also committed to tracing the initial point of intrusion employed by the attacker.

Though detailed specifics about the attack are presently undisclosed, the company's official statement strongly suggests the possibility of a deliberate ransomware attack.

To facilitate the investigation, cybersecurity specialists have been enlisted, and competent authorities in both Australia and the UK have been informed about the incident.

According to a recent report by Searchlight Cyber, a British threat intelligence firm, malevolent actors have been peddling opportunities for initial access into energy sector enterprises globally, with prices ranging from $20 to $2,500.

Perpetrators of cybercrime can exploit various avenues, including Remote Desktop Protocol (RDP) access, compromised login credentials, and vulnerabilities in devices like Fortinet products.

Pentagon's Secret Service: Monitoring Social Media for Criticism of Generals


According to reports from The Intercept, the Army's surveillance unit has been scanning social media platforms for posts that criticize or demean generals and other military leaders. The unit is said to be specifically targeting tweets and comments that contain derogatory language or threats. While the intention behind this surveillance is to protect military personnel, it also highlights the increasing scrutiny of online speech by government agencies.

The justification for such monitoring lies in the potential risks posed by online threats and the need to ensure the safety of military personnel. Social media platforms have become hotbeds for hate speech, harassment, and even radicalization. It is only natural for authorities to be vigilant in their efforts to identify and mitigate any potential dangers.

However, concerns arise when the surveillance extends to monitoring and policing online criticism or dissent. Freedom of speech is a fundamental pillar of any democratic society, and citizens should be able to express their opinions, even if they are critical of those in power. This practice by the Pentagon's secret service raises questions about the erosion of civil liberties and the chilling effect it may have on public discourse.

Critics argue that such surveillance can stifle dissent and discourage individuals from voicing legitimate concerns. It also raises concerns about the potential misuse of personal data and the infringement of privacy rights. There is a fine line between monitoring for security purposes and encroaching upon individuals' rights to free speech and privacy.

As technology advances, it is essential to strike a balance between security measures and the preservation of civil liberties. Clear guidelines and oversight mechanisms should be in place to prevent overreach and abuse of power. Transparency is key, and the public should be informed about the extent of these surveillance practices, as well as the criteria used to identify and target social media posts.

Moreover, it is important to invest in comprehensive strategies to address the root causes of online extremism and harassment. Focusing solely on monitoring and surveillance without addressing the underlying issues is a short-term solution at best.

The revelation that the Pentagon's secret service is actively trawling social media for mean tweets about generals brings into focus the delicate balance between national security and individual freedoms. While ensuring the safety of military personnel is paramount, it is crucial to safeguard citizens' rights to free speech and privacy. Striking the right balance between security measures and civil liberties is vital for maintaining a healthy and democratic society. The public's trust in these surveillance practices can only be earned through transparency, accountability, and a commitment to protecting individual rights in the digital age.

ChatGPT: A Threat to Privacy?


Despite being a powerful and innovative AI chatbot that has quickly drawn several people's attention, ChatGPT has some serious pitfalls that seem to be hidden behind its impressive features. 

For any question you ask it, it will be able to provide you with an answer that sounds like it was written by a human, as it has been trained on massive amounts of data from across the net to gain the knowledge and writing skills necessary to provide answers that sound like they were created by humans. 

There is no denying that time is money, and chatbots such as ChatGPT and Bing Chat have become invaluable tools for people. Computers write codes, analyze long emails, and even find patterns in large amounts of data with thousands of fields. 

This chatbot has astonished its users with some of its exciting features and is one of the most brilliant inventions of OpenAI. ChatGPT can be used by creating an account on the OpenAI website. In addition to being a safe and reliable tool, it is also extremely easy to use. 

However, many users have questions about the chatbot's access to their data. OpenAI saves ChatGPT conversations, along with the prompts that open them, for future analysis. According to the company's published FAQ page, its employees can selectively review chats to ensure their safety. 

You should not assume that anything you say to ChatGPT will remain confidential or private after sharing. OpenAI discovered a critical bug that has prompted a terrible security issue. 

OpenAI CEO Sam Altman stated that, in a small percentage of cases, some users could view the titles of other users' conversations. Altman says the bug (now fixed) resided in a library obtained from an open-source repository. The company will release a detailed report later, as it feels "terribly about this." 

The outage tracker Downdetector highlights that the platform suffered a brief outage before the company disabled chat history. As per Downdetector's outage map, some users could not access the AI-powered chatbot at midnight on March 23. 

ChatGPT was designed to synthesize natural-sounding human language by means of a large language model. Using ChatGPT works like a conversation with a person: it responds to what you type and can correct itself when it gets something wrong, much as a person would. 

After a short period, ChatGPT will automatically delete your session logs that are saved by ChatGPT. 

When you create an account with ChatGPT, the service collects your personal information. It contains personal information such as your name, email address, telephone number, and payment information. 

Whenever an individual user registers with ChatGPT, the data associated with that user's account is saved. By encrypting this data, the company ensures it stays safe and only retains it if it is needed to meet business or legal requirements. 

The ChatGPT privacy policy notes, though, that encryption methods are not always completely secure. Users should be aware of this when sharing their personal information on a website like this. 

It is suggested in OpenAI's FAQ that users should not "share any sensitive information in your conversations" because OpenAI cannot delete specific prompts from the history of your conversations. Additionally, ChatGPT is not connected to the Internet, and the results may sometimes be incorrect because it cannot access the Internet directly. 

It has been a remarkable journey since ChatGPT was launched last year and has seen rapid growth since then. Additionally, the AI-powered chatbot is one of the fastest-growing platforms out there.

Reports claim that ChatGPT had 13.2 million users in January, according to a report on the service. ChatGPT's website says these gains are due to impressive performance, a simple interface, and free access. Those who wish for improved performance can subscribe for a monthly fee. 

Upon clearing the ChatGPT data and eliminating the ChatGPT conversations, OpenAI will delete all of your ChatGPT data. It will permanently remove it from their servers. 

This process is likely to take between one and two weeks, but please remember that it can take longer. It is also possible to send a request to delete your account to deletion@openai.com if you would rather not log in or visit the help section of the website.

IPFS Network Technology is Being Used in More Phishing Attacks


According to fresh Kaspersky research, fraudulent use of the InterPlanetary File System appears to have surged recently. Since 2022, fraudsters have leveraged IPFS for email phishing attacks. IPFS is a peer-to-peer network protocol that allows for the creation of a decentralized and distributed web. Unlike standard web protocols, which rely on centralized servers, IPFS allows users to share and access files without the need for a centralized authority. IPFS identifies files based on their content, not their location. 

Each file is assigned a unique cryptographic hash called CID; the content identifier can be used to get the file from any network node that has a copy. This makes it simple to distribute and access content even when the original source is unavailable.

IPFS is also a content-addressed system, which means that any modifications to a file generate a new hash. This keeps files immutable and tamper-proof.

IPFS material can be accessed via a specialized application programming interface or through gateways, which are reachable from any web browser. The URL used to reach a gateway contains the CID and the gateway name, although the exact form differs from one gateway to the next. For instance, it may be:
  • https://gateway/ipfs/CID
  • https://CID.ipfs.gateway

In a typical phishing attack, the target is lured to visit a false phishing page, which steals their passwords and possibly their credit card information; that fraudulent page can equally be hosted on IPFS and accessed through a gateway.

The implementation of such a mechanism allows attackers to minimize the expense of hosting the phishing page while also making it more difficult to remove false information from the internet because it may be present on multiple machines at the same time.
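The two gateway URL forms above are what a mail filter actually sees, and because the CID names the content rather than where it is stored, the same page can be reached through any gateway. The following Python is an added example (not Kaspersky's code or part of the original post) that extracts IPFS gateway links from a message in both forms, checks whether the token is shaped like a CIDv0 (base58, `Qm...`) or a base32 CIDv1 (`b...`), and collects the CIDs so a blocklist can key on the content identifier instead of the gateway hostname. The sample message, the `.example` gateway hostnames and the CIDs are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Path-style gateway URL:      https://<gateway>/ipfs/<CID>[/path]
PATH_STYLE = re.compile(r"https?://([A-Za-z0-9.-]+)/ipfs/([A-Za-z0-9]+)")
# Subdomain-style gateway URL: https://<CID>.ipfs.<gateway>[/path]
SUBDOMAIN_STYLE = re.compile(r"https?://([A-Za-z0-9]+)\.ipfs\.([A-Za-z0-9.-]+)")

# CIDv0: "Qm" followed by 44 base58 characters (alphabet has no 0, O, I or l).
CIDV0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
# CIDv1 in base32, the case-insensitive form subdomain gateways need: "b" + base32.
CIDV1_B32 = re.compile(r"^b[a-z2-7]{50,}$")


@dataclass
class IpfsLink:
    url: str                    # the URL as matched in the message
    gateway: str                # gateway hostname (a shared public service, not the indicator)
    cid: str                    # content identifier: the stable thing to track and block
    style: str                  # "path" or "subdomain"
    cid_version: Optional[int]  # 0, 1, or None if the token is not CID-shaped


def classify_cid(token: str) -> Optional[int]:
    """Return 0 or 1 for a CID-shaped token, None otherwise."""
    if CIDV0.match(token):
        return 0
    if CIDV1_B32.match(token.lower()):
        return 1
    return None


def extract_ipfs_links(text: str) -> List[IpfsLink]:
    """Find IPFS gateway URLs in free text, returned in order of appearance."""
    found = []
    for m in PATH_STYLE.finditer(text):
        gateway, cid = m.group(1), m.group(2)
        found.append((m.start(), IpfsLink(m.group(0), gateway, cid, "path", classify_cid(cid))))
    for m in SUBDOMAIN_STYLE.finditer(text):
        cid, gateway = m.group(1), m.group(2)
        found.append((m.start(), IpfsLink(m.group(0), gateway, cid, "subdomain", classify_cid(cid))))
    return [link for _, link in sorted(found, key=lambda item: item[0])]


def cids_in_message(text: str) -> Set[str]:
    """CIDs worth blocklisting: the same content is reachable through any gateway."""
    return {link.cid for link in extract_ipfs_links(text) if link.cid_version is not None}


# Constructed sample message (hypothetical): hostnames and CIDs are illustrative only.
SAMPLE_EMAIL = """\
Subject: Action required: your mailbox is almost full

Please verify your account here:
https://gateway.example/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/login.html
Alternate link:
https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.other-gateway.example/
Unsubscribe: https://mail.example.com/unsubscribe
"""

if __name__ == "__main__":
    for link in extract_ipfs_links(SAMPLE_EMAIL):
        print(f"{link.style:9} gateway={link.gateway} cid_v{link.cid_version}={link.cid}")
    print("block by CID:", sorted(cids_in_message(SAMPLE_EMAIL)))
```

Blocking or alerting on the CID rather than the gateway host is the design choice here: gateways are legitimate shared infrastructure that also serve benign content, while the CID stays the same wherever the phishing page is mirrored, which is exactly the property that makes takedown slow.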

If a user clicks on a phishing link and provides their credentials, it is critical that the user reset their password as soon as possible and investigate whether there has been any fraudulent activity on that account. According to Kaspersky, most IPFS phishing attacks are similar to traditional phishing; however, in certain circumstances, IPFS is utilized for intricate targeted attacks.

Removing phishing pages hosted on IPFS is more difficult. Typical phishing pages can be removed by requesting that the web content provider or owner delete them. Depending on the host, that operation can take a long time, especially if the page is hosted with bulletproof providers, which are illegal hosting providers who assure their customers they do not respond to law enforcement requests and do not remove information.

IPFS content takedown operations differ in that the content must be removed from all nodes. IPFS gateway providers try to counteract fraudulent pages by deleting links to those files on a regular basis, although this may not always happen as quickly as blocking a phishing website. On March 27, 2023, Kaspersky researcher Roman Dedenok wrote that the company has "observed URL addresses of IPFS files that first appeared in October 2022 and remain operational at the time of this writing."

There were 2,000-15,000 IPFS phishing emails per day as of late 2022. In 2023, IPFS phishing began to grow in Kaspersky's volume data, with up to 24,000 emails per day in January and February; however, the levels soon returned to the same values as in December 2022. According to monthly statistics, February was a busy month with about 400,000 phishing emails, while November and December were roughly 228,000 and 283,000, respectively.

How to Avoid the IPFS Phishing Threat

Anti-spam systems, such as Microsoft Exchange Online Protection or Barracuda Email Security Gateway, will assist in detecting IPFS phishing and blocking links to it, just as they would in any other phishing situation.

Users should be taught about phishing emails or any other type of phishing link that may be sent to them via various channels such as instant messaging and social networks. To prevent unauthorized access, use multifactor authentication. Even if attackers gained login credentials through phishing, this will make it more difficult for them to get access.

Cyber-attacks on Port of Los Angeles Doubled Since Pandemic


According to recent research, one of the world's biggest ports has witnessed an unusual spike in cyber-attacks since the outbreak began. The Port of Los Angeles' executive director, Gene Seroka, told the BBC World Service over the weekend that the facility receives roughly 40 million attacks every month. 

"Our intelligence shows the threats are coming from Russia and parts of Europe. We have to stay steps ahead of those who want to hurt international commerce. We must take every precaution against potential cyber-incidents, particularly those that could threaten or disrupt the flow of cargo,” he further added. 

Ransomware, malware, spear phishing, and credential harvesting attacks appear to be among the threats aimed against the facility, which is the busiest in the Western Hemisphere. In many cases the goal seems to be harming the US economy; however, profit through extortion and data theft is also a factor. 

Such dangers, if not adequately managed, can potentially exacerbate COVID-era supply chain snarls. Seroka said that port blockages will not be cleared completely until next year, even though the number of container ships waiting more than two days to offload has reportedly reduced from 109 in January to 20 today. 

"The past two years have proven the vital role that ports hold to our nation's critical infrastructure, supply chains and economy. It's paramount we keep the systems as secure as possible," Seroka expressed. 

The challenge is so acute that the port established one of the world's first Cyber Resilience Centers in collaboration with the FBI. It provides a single site for port stakeholders such as shipping corporations to receive, evaluate, and exchange threat intelligence. 

Ports have become such a popular target for cyber-criminals, particularly those aiming to undermine operations and extort businesses, due to their strategic significance to global trade.

Google Blocked Dozens of Domains Used by Hack-for-hire Groups


Google's Threat Analysis Group released a blog post on Thursday detailing the actions of hack-for-hire groups in Russia, India, and the United Arab Emirates. More than 30 domains used by these threat groups have been added to the internet giant's Safe Browsing system, preventing users from accessing them. 

Hack-for-hire groups are sometimes confused with businesses that provide surveillance tools. As per Google, surveillance vendors often give the tools required for spying but leave it up to the end-user to run them, whereas hack-for-hire groups perform the attacks themselves. Several hack-for-hire groups have been found in recent years. Google's investigation focuses on three groups thought to be based in India, Russia, and the United Arab Emirates. 

Google has been tracking the threat actor linked to India since 2012, with some of its members formerly working for offensive security firms. They now appear to be employed by Rebsec, a new firm that publicly sells corporate espionage services. The group has been observed phishing credentials for AWS, Gmail, and government services accounts from healthcare, government, and telecom firms in the Middle East. 

The Russia-linked threat actor, known to others as Void Balaur, has targeted journalists, politicians, NGOs and other organisations, and people who appeared to be ordinary residents of Russia and neighbouring nations. Phishing was also used in these attacks. 

“After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password,” explained Shane Huntley, director of Google’s Threat Analysis Group. 

This group also had a public website where it advertised social media and email account hacking services. The UAE group primarily targets government, political, and educational groups in North Africa and the Middle East. This threat actor also employs phishing emails, but unlike many other organisations, it employs a custom phishing kit rather than open source phishing frameworks. 

“After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP,” Huntley said. 

Google believes Mohammed Benabdellah, who was sued by Microsoft in 2014 for developing the H-Worm (njRAT) malware, is associated with the group.