Search This Blog

Latest News

Chinese Hackers Deploy Shadowpad Backdoor to Target Industrial Control Systems in Asia

  ShadowPad, a sophisticated and modular backdoor is back in action. Russian cybersecurity firm Kaspersky has unearthed a series of assaults...

All the recent news you need to know

LockBit 3.0: Launch of Ransomware Bug Bounty Program

 

The "LockBit 3.0" ransomware update from the LockBit ransomware organization features the first spyware bug bounty program, new extortion methods, and Zcash cryptocurrency payment choices. After two months of beta testing, the notorious gang's ransomware-as-a-service (RaaS) operation, which has been operational since 2019, recently underwent an alteration. It appears that hackers have already employed LockBit 3.0.

Bug bounty plan for LockBit 3.0 

With the launch of LockBit 3.0, the organization launched the first bug bounty program provided by a ransomware gang, which asks security researchers to disclose bugs in exchange for incentives that can go as high as $1 million. In addition to providing bounties for vulnerabilities, LockBit also pays rewards for "great ideas" to enhance the ransomware activity and for doxing the operator of the affiliate program, identified as LockBitSupp, which had previously posted a bounty plan in April on the XSS hacking site.

"We open our bug bounty program to any security researchers, ethical and unethical hackers worldwide. The compensation ranges from $1,000 to $1,000,000," reads the page for the LockBit 3.0 bug reward. The notion of initiating the criminal operation would be against the law in many nations, however, makes this bug reward scheme a little different from those frequently utilized by respectable businesses.

LeMagIT claims that version 3.0 of LockBit includes several other improvements, such as new methods for data recovery and monetization, as well as the option for victims to choose to have their data destroyed, and the ability for victims to make payments using the Zcash cryptocurrency in addition to Bitcoin and Monero. 

LockBit is producing outcomes. In May, LockBit 2.0 succeeded Conti as the leading provider of ransomware as a service. The gang's previous ransomware, LockBit 2.0, was to be blamed for 40% of the attacks that NCC Group observed in the preceding month. Moreover, according to Matt Hull, worldwide lead for strategic threat intelligence at NCC, The most prolific threat actor of 2022 is Lockbit 2.0,  In times like these, it's imperative that businesses become familiar with their strategies, methods, and processes.

It is unclear how this new extortion technique will operate or even whether it is activated because the LockBit 3.0 data leak site currently does not have any victims. With its public-facing manager actively interacting with other malicious actors and the cybersecurity community, LockBit is one of the most prolific ransomware campaigns.

This Banking Trojan is Targeting Users of Spanish Financial Services

 

A previously unreported Android banking trojan targeting users of the Spanish financial services business BBVA has been spotted in the wild. 

The malware, named 'Revive' by Italian cybersecurity firm Cleafy and believed to be in its early stages of development, was first discovered on June 15, 2022, and propagated via phishing operations. 

"The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up. 

Downloadable from malicious phishing websites ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com"), the malware impersonates the bank's two-factor authentication (2FA) app as a bait to mislead users into installing the software and is reported to be inspired by open-source spyware dubbed Teardroid, with the authors altering the original source code to integrate new features.

In contrast to other banking malware that are known to target a wide range of financial apps, Revive is targeted for a single target, in this case, the BBVA bank. However, it is similar to its competitors in that it uses Android's accessibility services API to achieve its operational goals. 

Revive is primarily designed to gather the bank's login credentials via lookalike websites and allow account takeover attacks. It also has a keylogger module to record keystrokes and the ability to intercept SMS messages sent by the bank, particularly one-time passwords and two-factor authentication codes. 

"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls. After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] of the TAs," the researchers further stated.

The findings emphasise the importance of exercising caution while installing software from unknown third-party sources.

Phony Copyright Emails Employed to Install LockBit Ransomware

 

LockBit ransomware operators are employing a unique strategy to lure victims into infecting their devices with malware by portraying it as copyright claims. 

The ransomware hackers target victims by sending an email regarding a copyright violation for allegedly using media files without the creator’s license. It also urges the victim to remove the content from their websites immediately or face legal action. 

The emails, identified by analysts at AhnLab in Korea, do not determine which files were inappropriately employed in the body of the text; rather, they instruct the receiver to download and open the attached file in order to view the infringing content. 

The attachment is a ZIP file that has been encrypted with a password and contains a compressed file. The archive contains a compressed file, an executable file posing as a PDF document. The executable is an NSIS installer, loading the LockBit 2.0 ransomware which, in turn, encrypts all of the files on the endpoint. 

As BleepingComputer reports, copyright claims are not exactly a novelty when it comes to distributing malware. Earlier this year, there had been “numerous” emails of this sort, distributing the likes of BazarLoader, or the Bumblebee malware loader. 

Bumblebee is employed for deploying second-stage payloads, including ransomware, so opening one of those files on your computer may lead to rapid and disastrous assaults. Copyright claims are a matter that publishers of content should take into serious consideration, but if the claim isn't straightforward but instead requests you to open attached files to view the violation details, it's improbable for it to be a genuine takedown notice. 

LockBit 2.0 is by far the most widespread ransomware variant, security analysts from the NCC group have said. Allegedly, LockBit 2.0 accounted for 40% of all ransomware attacks that occurred in May this year. The notorious ransomware operation recorded a whopping 95 victims in May alone, whereas Conti, BlackBasta, Hive, and BlackCat collectively had 65. 

To mitigate the risks, multi-factor authentication can be applied across the entire ecosystem in order to provide an additional layer of defense against cyber assaults. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it's known that a password has been part of a data breach, it should be changed.

Owner of CafePress Penalized $500,000 for Hiding a Data Breach

 

CafePress's past owner Residual Pumpkin firm has been fined $500,000 by U.S. Federal Trade Commission (FTC) in their final order over a 2019 data breach that impacted 23 million customers.

CafePress is a US site that sells print-on-demand items like apparel, housewares, and kitchenware. Sellers can register on the website and upload their designs, and CafePress takes a percentage of every sale. 

Social Security numbers and password recovery responses were kept in plain text and for a longer period by the Residual Pumpkin firm. Additionally, the organization did not implement existing safeguards and react to security vulnerabilities. After several attacks on its servers, it attempted to hide the significant data breach carried on by its inadequate security protocols. 

A unanimous 5-0 vote accepted the FTC's order. The FTC has mandated that the corporations immediately implement multi-factor authentication of stored data and set an encryption key for all social security numbers, in addition to imposing fines on the businesses. 

As a result, the company's current owner PlanetArt, who acquired CafePress in 2020, has set up an alert system to notify all customers and vendors whose private information has been compromised.

Unknown attackers acquired access to files stored as SHA-1 hashes during a February 2019 breach of CafePress' servers, exploited, and later sold 23,205,290 CafePress users' personal information on the dark web. However, after receiving notifications via Troy Hunt's Have I Been Pwned service, several users became aware of the situation. The fact the users seemed to reset their passwords on checking in without being informed of the data breach was the only indication that something was wrong. 

Since some of its merchants' accounts had been hacked since at least January 2018, as per FTC's claim, CafePress was aware that it had vulnerabilities even before the 2019 incident.

Instead of letting users acknowledge the instances, CafePress terminated their accounts and assessed a $25 account closure fee to each of them. Before the 2019 security breach, the company's network was again affected by several malware infestations, and CafePress once again neglected to look into the attacks.