Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Check Point. Show all posts

Forget ChatGPT, Google Bard may Possess Some Serious Security Flaws


A latest research claims that Google’s AI chatbot, Google Bard may let its users to use it for creating phishing emails and other malicious content, unlike ChatGPT.

At one such instances, cybersecurity researchers Check Point were able to produce phishing emails, keyloggers, and some basic ransomware code, by using the Redmond giant’s AI tool.

Using the AI tool of the Redmond behemoth, cybersecurity researchers Check Point were able to produce phishing emails, keyloggers, and some basic ransomware code.

The researchers' report further noted how they set out to compare Bard's security to that of ChatGPT. From both sites, they attempted to obtain three things: phishing emails, malicious keyloggers, and some simple ransomware code.

The researchers described that simply asking the AI bots to create phishing emails yielded no results, however asking the Bard to provide ‘examples’ of the same provided them with plentiful phishing mails. ChatGPT, on the other hand, refused to comply, claiming that doing so would amount to engaging in fraudulent activity, which is illegal.

The researchers further create malware like keyloggers, to which the bots performed somewhat better. Here too, a direct question did not provide any result, but a tricky question as well yielded nothing since both the AI bots declined. However, answers for being asked to create keyloggers differed in both the platforms. While Bard simply said, “I’m not able to help with that, I’m only a language model,” ChatGPT gave a much detailed explanation.

Later, on being asked to provide a keylogger to log their keys, both ChatGPT and Bard ended up generating a malicious code. However, ChatGPT did provide a disclaimer before doing the aforementioned.

The researchers finally proceeded to asking Bard to run a basic ransomware script. While this was much trickier than getting the AI bot to generate phishing emails or keylogger, they finally managed to get Bard into the game.

“Bard’s anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT[…]Consequently, it is much easier to generate malicious content using Bard’s capabilities,” they concluded.

Why Does it Matter? 

The reason, in simpler terms is: Malicious use of any new technology is inevitable.

Here, one can conclude that these issues with the emerging generative AI technologies are much expected. AI, as an extremely developed tool has the potential to alter an entire cybersecurity script.

Cybersecurity experts and law enforcements have already been concerned for the same and have been warning against the AI technology for it can be well used in increasing the ongoing innovation in cybercrime tactics like convincing phishing emails, malware, and more. The development in technologies have made it accessible to users in such a way that now a cybercriminal can deploy a sophisticated cyberattack by only having minimal hand in coding.

While regulators and law enforcement are doing their best to impose limits on technology and ensure that it is utilized ethically, developers are working to do their bit by educating platforms to reject being used for criminal activity.

While generative AI market is decentralized, big companies will always be under the watch of regulatory bodies and law enforcements. However, smaller companies will remain in the radar of a potential cyberattack, especially the ones that are incapable to fight against or prevent the abuse.

Researchers and security experts suggests that the only way to improve the cybersecurity posture is to fight with full strength. Even though AI is already being used to identify suspicious network activity and other criminal conduct, it cannot be utilized to make entrance barriers as high as they once were. There is no closing the door ever again.

'Cyber Battlefield' Map Shows Attacks Being Played in Real Time


A live map is all set to monitor cyberattacks around the globe as the conflict in Ukraine fuels a 'significant surge' in hostile activity.

Apparently, the technology utilizes intelligence gathered from a high-end AI-powered system – ThreatCloud AI.

The maps shows countries and companies that are particularly targeted with cyber incidents like malware attacks, phishing or exploitation.

How are Cyber Activities Impacted by the War According to a US-Israeli cyber security firm, Check Point, cyber activities have increased at an alarming rate in the past 17 months, reason being the Ukraine war.

Over the previous six months, the UK was attacked 854 times on average every week. As of May 2023, ransomware attacks have a negative effect on one out of every 77 organizations in the country.

According to Muhammad Yahya Patel, lead security engineer and evangelist for Check Point, “The threat landscape has continued to evolve in sync with the digital world as we are more connected to the internet than ever before. This has led to multi-vector cyberattacks and well thought out campaigns by criminals who want to cause maximum damage to organizations[…]Sometimes they use advanced tools and methods, while other times it’s a simple method like getting someone to click a link in an email."

Moreover, the UK has been suffering an online conflict as a group of hackers, have targeted prominent British organizations, frequently with links to the Kremlin that are either verified or rumored.

“Hacktivism has played a much bigger role globally with several state-sponsored groups and cyber criminals actively fighting a war in cyberspace[…]We had the Ukrainian government taking an unprecedented step by using a Telegram channel to call for international volunteers to help fight the cyber war by joining the “IT Army of Ukraine,” Patel said.

In regards to the Russia based group Killnet, Patel says, ”This is a properly established group with organizational structure and hierarchy. As an organised operation this group have been carrying out disruptive attacks to gain more attention and have recently targeted NATO.”

ThreadCloud AI

The ThreatCloud AI system continuously scans the environment and develops defenses against the numerous and diverse kinds of assaults. The creators provide customers with what they call a "comprehensive prevention-first architecture," which is appropriate for various devices, networks, and systems.

This live ‘battleground’ was presented at the Midland Fraud Forum’s annual conference in Birmingham last week as a segment informing audience regarding the various threats and methods to prevent them.

The multinational company based in Tel Aviv found that the ransomware operators have become more ruthless with their tactics to profit from victims.

One of the recent cases was when the University of Manchester suffered a cyber attack last month, where allegedly the students’ confidential data was compromised. In response, the university claimed that a ‘small proportion of data’ was copied and that ‘it had written directly to those individuals who may have been affected.’

Looking at the current scenarios, universities in the UK seems to have found themselves in the frontline of the ever developing threat landscape at a level greater than any other country.

In regards to this, Patel comments, ”The attacks against the education and research sector are highly concerning because this is higher than what we are seeing globally in this industry[…]It raises questions about what the UK is doing specifically for this sector to help it have a better cyber security baseline as I like to call it.”  

Blind Eagle: Hackers Targets Prominent Industries in Columbia


BlackBerry has recently published a report on a malicious actor, Blind Eagle. It is a cyberespionage campaign based in South America that has been targeting systems in Ecuador, Chile, Spain, and Colombia since the year 2019. 

The most recent threat activities conducted were primarily targeted at organizations in Colombia, involving sectors like “health, finance, law enforcement, immigration, and an agency in charge of peace negotiation in the country.” 

Check Point researchers, who recently examined the Blind Eagle, also known as APT-C-36, noted the adversary and its advanced toolset that includes Meterpreter payloads, distributes through spear-phishing emails. 

How Does APT-C-36 Operate? 

Blind Eagle’s phishing emails lure its victims over the false impression of fear and urgency. The email notifies its recipients that they have "obligaciones pendentes," or "outstanding obligations," with some letters informing them that their tax payments are forty-five days overdue. 

The cleverly-crafted emails are being provided with a link, navigating users to a PDF file that appears to be hosted on DIAN’s website but actually installs malware to the targeted systems, effectively launching the infection cycle. 

The BlackBerry researchers explain it further: 

"The fake DIAN website page contains a button that encourages the victim to download a PDF to view what the site claims to be pending tax invoices," says the BlackBerry researchers. "Clicking the blue button initiates the download of a malicious file from the Discord content delivery network (CDN), which the attackers are abusing in this phishing scam." 

"A malicious [remote access trojan] installed on a victim's machine enables the threat actor to connect to the infected endpoint any time they like, and to perform any operations they desire," they further add. 

The researchers also noted that the threat actors utilize dynamic DNS services such as DuckDNS in order to take control of the compromised hosts. 

Blind Eagle’s Operators are Supposedly Spanish 

Owing to the use of Spanish in its spear-phishing emails, Blind Eagle is believed to be a group of Spanish-speaking hackers. However, the headquarters from where the attacks are conducted and whether the attacks are carried out for espionage or financial gain are both currently undetermined. 

"The modus operandi used has mostly stayed the same as the group's previous efforts – it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work," BlackBerry said.  

Challenges With Software Supply Chain & CNAPP


In 2021, sales of CNAPP exceeded $1.7 billion, an increase of roughly 49% over 2020, according to a recent Frost & Sullivan analysis. According to Frost & Sullivan, CNAPP revenue growth will average over 26% annually between 2021 and 2026.

Anh Tien Vu, industry principal for international cybersecurity and the author of the report, projects that by 2026, revenues will surpass $5.4 billion "due to the increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle."

How Does CNAPPs Function?

CNAPP platforms combine many security technologies and features to cut down on complexity and expense, offering:
  • The capabilities of the CSPM, CIEM, and CWPP tools are combined across the development life cycle, correlation of vulnerabilities, context, and linkages.
  • Identifying high-risk situations with detailed context.
  • Automatic and guided cleanup to address flaws and configuration errors.
  • Barriers to stopping unauthorized alterations to the architecture.
  • Simple interaction with SecOps ecosystems to quickly deliver notifications.
Security teams must transition from guarding infrastructure to guarding workload-running applications in order to maximize cloud security and compliance, enable DevOps, and reduce friction. That entails, at the very least, protecting the security of the production environment and cloud service configurations, with runtime protection serving as an important extra layer of security.

Attackers are focusing more and more on cloud-native targets in an effort to find vulnerabilities that may be used to compromise the software supply chain. The widespread effect that a vulnerability of this kind can have on the application environment was demonstrated by the Log4Shell flaw in the widely used Log4j Java runtime library last year.

Melinda Marks, a senior analyst at Enterprise Strategy Group, claims that while CNAPP helps businesses to set up DevSecOps processes where software engineers take the initiative to find potential bugs in code before delivering application runtimes into production, it also goes beyond. Before you release your applications to the cloud, this is crucial for preventing security risks since once you do, hackers can access them.

The scanning of development artifacts like containers and infrastructure as code (IaC), cloud infrastructure management (CIEM), runtime cloud workload protection platforms, and cloud security posture management (CSPM) are just a few of the siloed capabilities that CNAPPs combine. Together with a more uniform approach and improved awareness of the risk associated with cloud-native computing environments, CNAPP offers standard controls to reduce vulnerabilities.

Significantly, CNAPP also promotes communication between teams working on application development, cybersecurity, and IT infrastructure, opening the door to finding and fixing flaws before apps are put into use. CNAPP features are being added to security platforms by security manufacturers like Check Point and Palo Alto Networks. Marks cautions against the common misunderstanding that shifting security left is all about putting security first during the software development and build process.





Dingo Token Charging 99% Fee is a Scam

A major cryptocurrency scam by Dingo Token, as per researchers who discovered backdoor features intended to steal users' money.

Check Point analysts observed this fraudulent charge modification 47 times before issuing the alert. The Dingo Smart Contract's purchase and sell fees are adjustable by up to 99% using a backdoor method called 'setTaxFeePercent,' according to Check Point Research (CPR), which examined the code for the contract. Despite the fact that the project's whitepaper claims that only a 10% fee for each transaction, this is the case. 

According to the cyber security software company, one customer purchased 427 million Dingo Tokens for $26.89 but received 4.27 million, or $0.27 value of Dingo Tokens. Dingo Token had a current market valuation of $223,992 and was rated 1915 on CoinMarketCap.  Recent complaints about the Dingo Token have also been made by users of CoinMarketCap and Twitter. Crypto dealer IncredibleJoker stated in a post on February 5 they could not sell their assets.

According to Check Point's head of product vulnerabilities research, Oded Vanunu, what his group uncovered at Dingo Token is becoming more regular, "this is a popular method that locks users' funds until the scammers gradually withdraw the entire sum. A growing number of scammers are lured to cryptocurrencies. They can remain unidentified. It moves quickly. It's profitable." 

Users are worried that once the creators determine that the value has peaked, they will turn on the backdoor to steal 99% of all users' coins. Investors in cryptocurrencies should be upfront about their questions in order to hear what other people have to say about a project. Whether you are new to trading, it is advised to diversify your money over several different coins and only utilize reliable exchange providers.

DingoToken: What is it?

DingoToken enables users to quickly deposit ANY tokens, including BEP-20 tokens, into an NFT. Now, a rare NFT can be turned into a basket containing a variety of different tokens. An entirely new NFT world is made possible by the DingoToken platform, a new protocol layer. The decentralized app (DApp) built on top of the DingoToken Protocol and targeted at art/collectible NFTs will also be made available for our public launch.

The DApp enables users to Mint / Generate an NFT, deposit their preferred asset into it, and then create their own NFTs. Only NFTs produced with the Dingo NFT Minting Station are supported in our v1 online application. To protect platform users' safety, steps are being taken by the firm. The option to mint one's own NFTs or buy those produced by Dingo Token platform users is available to users.


ChatGPT: When Cybercrime Meets the Emerging Technologies


The immense capability of ChatGPT has left the entire globe abuzz. Indeed, it solves both practical and abstract problems, writes and debugs code, and even has the potential to aid with Alzheimer's disease screening. The OpenAI AI-powered chatbot, however, is at high risk of abuse, as is the case with many new technologies. 

How Can ChatGPT be Used Maliciously? 

Recently, researchers from Check Point Software discovered that ChatGPT could be utilized to create phishing emails. When combined with Codex, a natural language-to-code system by OpenAI, ChatGPT can develop and disseminate malicious code. 

According to Sergey Shykevich, threat intelligence group manager at Check Point Software, “Our researchers built a full malware infection chain starting from a phishing email to an Excel document that has malicious VBA [Visual Basic for Application] code. We can compile the whole malware to an executable file and run it in a machine.” 

He adds that ChatGPT primarily produces “much better and more convincing phishing and impersonation emails than real phishing emails we see in the wild now.” 

In regards to the same, Lorrie Faith Cranor, director and Bosch Distinguished Professor of the CyLab Security and Privacy Institute and FORE Systems Professor of computer science and of engineering and public policy at Carnegie Mellon University says, “I haven’t tried using ChatGPT to generate code, but I’ve seen some examples from others who have. It generates code that is not all that sophisticated, but some of it is actually runnable code[…]There are other AI tools out there for generating code, and they are all getting better every day. ChatGPT is probably better right now at generating text for humans, and may be particularly well suited for generating things like realistic spoofed emails.” 

Moreover, the researchers have also discovered hackers that create malicious tools like info-stealers and dark web markets using ChatGPT. 

What AI Tools are More Worrisome? 

Cranor says “I think to use these [AI] tools successfully today requires some technical knowledge, but I expect over time it will become easier to take the output from these tools and launch an attack[…]So while it is not clear that what the tools can do today is much more worrisome than human-developed tools that are widely distributed online, it won’t be long before these tools are developing more sophisticated attacks, with the ability to quickly generate large numbers of variants.” 

Furthermore, complications could as well arise from the inability to detect whether the code was created by utilizing ChatGPT. “There is no good way to pinpoint that a specific software, malware, or even phishing email was written by ChatGPT because there is no signature,” says Shykevich. 

What Could be the Solution? 

One of the methods OpenAI is opting for is to “watermark” the output of GPT models, which could later be used to determine whether they are created by AI or humans. 

In order to safeguard companies and individuals from these AI-generated threats, Shykevich advises using appropriate cybersecurity measures. While the current safeguards are still in effect, it is critical to keep upgrading and bolstering their application. 

“Researchers are also working on ways to use AI to discover code vulnerabilities and detect attacks[…]Hopefully, advances on the defensive side will be able to keep up with advances on the attacker side, but that remains to be seen,” says Cranor. 

While ChatGPT and other AI-backed systems have the potential to fundamentally alter how individuals interact with technology, they also carry some risk, particularly when used in dangerous ways. 

“ChatGPT is a great technology and has the potential to democratize AI,” adds Shykevich. “AI was kind of a buzzy feature that only computer science or algorithmic specialists understood. Now, people who aren’t tech-savvy are starting to understand what AI is and trying to adopt it in their day-to-day. But the biggest question, is how would you use it—and for what purposes?”  

Killnet Targets Japanese Government Websites

According to investigation sources on Wednesday, the Tokyo Metropolitan Police Department intends to look into the recent website outages of the Japanese government and other websites that may have been brought on by cyberattacks by a Russian hacker organization.  

As per Chief Cabinet Secretary Hirokazu Matsuno, the government is apparently investigating if issues with the aforementioned sites were brought on by a denial-of-service (DDoS) attack. 

As per experts, access to the government's e-Gov portal website, which provides a wealth of administrative information, temporarily proved challenging on Tuesday.  

The pro-Russian hacker collective Killnet claimed responsibility for the attack and alleged it had attacked the electronic system of the tax authority and Japan's online public services in a post on the messaging app Telegram. Furthermore, it appeared that the hacker collective wrote that it was an uprising over Japan's 'militarism' and that it kicked the samurai. 
 
However, as per Sergey Shykevich, manager of Check Point Software's threat intelligence group, Killnet was likely responsible for these attacks.  

Killnet's justification for these strikes, according to Shykevich, "is owing to Japan's support of Ukraine in the ongoing Russia-Ukraine war, as well as a decades-long dispute over the Kuril Islands, which both sides claim control over."

As per the sources, the MPD will look into the cases by gathering specific data from the affected businesses and government bodies. The National Police Agency will assess whether the hack on the e-Gov website qualified as a disruption that materially impairs the operation of the government's primary information system as defined by the police statute, which was updated in April.

The cybersecurity expert added that firms in nations under attack by Killnet should be aware of the risks because the group employs a variety of tactics, such as data theft and disruptive attacks, to achieve its objectives. 

Following a recent large-scale attack by Killnet on websites in Italy, Lithuania, Estonia, Poland, and Norway, there have been allegations of attacks targeting Japanese government websites.





Iranian Hackers: Israeli Tourism Sites Targeted

A malware targeted websites for the Israeli public transportation companies Dan and Kavim, a children's museum, and a public radio blog. Reportedly, none of the sites were reachable to users by Saturday noon.

On Tuesday, the Sharp Boys hacking group claimed to have stolen data from Israeli travel websites, including ID numbers, addresses, credit card details, and etc.

Websites were compromised 

As per hackers, the affected websites are hotels.co.il, isrotel.com, minihotel.co.il, tivago.co.il, and danhotels.com. Tuesday morning, according to the company, hotels.co.il was inaccessible, however by Tuesday afternoon, the site had loaded. 

"Hello once more! If you don't want your data disclosed by us, contact us as soon as possible," on Friday night, the hackers posted a message on Telegram. A follow-up message stated: "They did not get in touch with us, the first list of data is here " the group said, posting the data online.

Later on Saturday, the gang uploaded what it claimed to be information about customers of the Dan transportation company and a travel agency in a new message that claimed to have more data. "You are under our control no matter where you go, even on your travels. Please keep our name in mind." In an image shared on a Telegram account, Sharp Boys made the statement. 

Everything to know about Sharp Boys cyber gang

According to Israeli media, Sharp Boys is a hacking group with links to Iran that conducts cyber espionage for illicit purposes. 

The Sharp Boys hacker group first appeared in December when it claimed to have affected two Israeli hiking websites. They also claimed to have taken control of the website's backend administration and released a spreadsheet that contained the personal data of 120,000 people. 

In December last year, the group hacked into the Shirbit insurance company in Israel and stole vast volumes of data. When the company declined to pay the $1 million ransom demand, it exposed the data. A spreadsheet that contained personal data and credit card details for 100,000 people was released.

According to a report released on Tuesday by the Israeli cybersecurity firm Check Point, the average weekly number of assaults on businesses in the travel and leisure industry increased globally by 60% in June 2022 compared to the first half of June 2021.

Phorpiex Malware has Shut Down their Botnet and Put its Source Code for Sale

 

The Phorpiex malware's creators have shut down their botnet and are selling the source code on a dark web cybercrime forum. The ad states that none of the malware's two original authors are participating in maintaining the botnet, which is why they opted to sell its source code. It was posted on 27th August by an individual previously associated with the botnet's operation. 

Phorpiex, a long-running botnet notorious for extortion schemes and old-school worms delivered via removable USB drives and instant messaging programmes, has been broadening its architecture in recent years in order to become more durable and deliver more deadly payloads. 

These operations had extended to encompass bitcoin mining, which had previously included extortion and spamming. Researchers have noticed an upsurge in data exfiltration and ransomware delivery since 2018, with the bot installer releasing malware such as Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony, among others. 

“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said on Friday in a forum post spotted by British security firm Cyjax. 

The ad's legitimacy was confirmed by Alexey Bukhteyev, a malware reverse engineer for security firm Check Point. “The description of the malware is very similar to what we saw in the code,” Bukhteyev said. The malware's command and control (C&C) servers have been inactive for approximately two months, according to the researcher, who previously researched the Phorpiex virus in 2019. 

The last command the bot received from the Phorpiex C&C servers was on July 6, 2021, according to Bukhteyev, who has been running a phoney Phorpiex bot in order to spy on its operations. The command was a self-explanatory "SelfDeletion" instruction. The botnet appears to have vanished from open-source reports since then. 

"As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev said. “However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it."

Even if the botnet C&C servers are down, Bukhteyev warns that if someone buys the code, they can set up new ones and hijack all the already infected systems.

Snake Keylogger: Enters Top 10 List for the Most Prominent Malwares

 

Check Point Research reveals that for straight three months the Trickbot is by far the most common malware, whereas, for the very first time, the Snake Keylogger is the second most prevalent malware.
 
The Snake Keylogger, first spotted in November 2020  is a modular.NET keylogger and credential stealer. Snake Keylogger has advanced to the position of second-most frequent malware variant in the world and has become increasingly popular in recent weeks as per the Check Point’s Global Threat Index for July 2021. 

The main function of the malware is to capture keystrokes of users on computers or mobile devices and then to pass over the collected information to the rogue software's cyber thieves and hackers. 

Infections with Snake Keylogger are indeed a huge threat to the data privacy of any user and internet security because spyware can stole nearly everything. It is also usually considered to be an especially deceptive and persistent keylogger. After a spur of effective phishing attacks, Snake Keylogger has become extremely prevalent. The malware is currently purchasable at a variety of underground sites, with purchasers being able to buy the malware for only $25. 

Check Point researchers have shown that Snake Keylogger attacks are typically very efficient because of the human tendency to use the same password and username on many accounts. Thereby, after an infringement of a certain login credential, malicious hackers get access to all accounts using the same password. 

Maya Horowitz, VP of Check Point Research, recommended that users must employ a "unique option" for each of the many profiles to stop such cyberattacks. “When it comes to password policies, choosing a strong, unique password for each service is the best advice, then even if the bad guys do get hold of one of your passwords, it won’t immediately grant them access to multiple sites and services,” she further explained. 

“Where possible, users should reduce the reliance on passwords alone, for example by implementing Multi-Factor Authentication (MFA) or Single-Sign-On (SSO) technologies,” Horowitz added. Keeping vigilance whenever visiting the web or checking emails is highly encouraged by Horowitz. 

As 'Keyloggers' are frequently spread through phishing emails, users must be aware of subtle anomalies, such as errors in URLs and email addresses. They must avoid clicking on malicious links or downloading any unusual attachments. 

Check Point research also identified some of the world's leading malware families, as well as provided information on rising mobile malware activity. It affirms that Trickbot is indeed the world's most popular malware that has an impact of 4%, trailed by Snake Keylogger and XMRig, each with worldwide impacts of 3%. Trickbot is an ongoing modular Botnet and Banking Trojan with new functions, features, and vectors for propagation. Meanwhile, XMRig which was first seen in the wild in May 2017  is an open-source CPU mining program that is used for Monero cryptocurrency mining. 

Throughout the month of July, xHelper was recognized as one of the most widespread mobile viruses in the world, followed by AlienBot and Hiddad. Studies indicate that xHelper has been around since March 2019. Whereas, Hiddad is an Android trojan that repackages and delivers legitimate programs to a third-party store. The primary purpose of the malware is to show advertisements. 


Kindle's E-book Vulnerability Could Have Been Exploited to Hijack a User's Device

 

Amazon patched a significant vulnerability in its Kindle e-book reader platform earlier this April, which could have been used to gain complete control of a user's device and steal sensitive data by simply deploying a malicious e-book. "By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. "The security vulnerabilities allow an attacker to target a very specific audience."

In other words, if a threat actor wanted to target a certain group of individuals or demographic, the adversary could tailor and coordinate a highly targeted cyber-attack using a popular e-book in a language or dialect widely spoken among the group.

Threat actors might readily target speakers of a specific language, according to Balmas. To target Romanians, for example, they would only need to publish a bestselling book in that language as an e-book. Because the majority of people who download that book will almost certainly speak Romanian, a hacker may be confident that nearly all of the victims will be Romanian. 

“That degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber-espionage world. In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely,” Balmas said. 

Following a responsible disclosure of the problem to Amazon in February 2021, the retail and entertainment behemoth released a patch in April 2021 as part of its 5.13.5 edition of Kindle software. The flaw is exploited by sending a malicious e-book to an intended victim, who, upon opening the book, triggers the infection sequence without any interaction from the user, allowing the threat actor to delete the user's library, gain full access to the Amazon account, or turn the Kindle into a bot for striking other devices in the target's local network. 

The flaw is in the firmware's e-book parsing architecture, notably in the implementation of how PDF documents are opened, which allows a malicious payload to be executed on the device. 

"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks," Balmas said. "These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon's Kindle."

Chinese Hackers Cloned Exploit Tool Belonging to NSA

 

A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit created by the U.S. National Security Agency's Equation Group before Microsoft fixed the Windows vulnerability that was being misused in 2017, as indicated by an analysis published on Monday by Check Point Research. For quite a long while, researchers had presumed the Chinese hacking group known as APT31 or Zirconium had built up an exploit tool to take advantage of a vulnerability tracked as CVE-2017-0005 and found in more seasoned renditions of Windows, like Windows 7 and Windows 8, as indicated by the report. 

The report brings up additional questions about how some of the NSA's most valued cyberweapons have been found or stolen by nation-state hacking groups and then turned on their developers over the years. In May 2019, Symantec published a similar report that found another group of hackers had taken and exploited cyber tools developed by the NSA. Both the Symantec and Check Point research show that the burglary of NSA Equation Group devices by these groups seems to have occurred before the hacking group known as the Shadow Brokers first began publishing the agency's exploits in 2016. 

Security research previously noted that a zero-day exploit was created for CVE-2017-0005, called "Jian," in 2014 and initially deployed it in 2015. The exploit was utilized for a very long time before Microsoft at last issued a patch for it in 2017. Whenever exploited, this bug could permit an attacker to escalate privileges inside an undermined device and afterward acquire full control, the researchers note. Microsoft published its fix for CVE-2017-0005 in March 2017, when the company was forced to issue multiple fixes for the exploits related to the Shadow Brokers "Lost in Translation" leak, Check Point notes. 

A further investigation by Check Point found that Jian was not an original creation, but rather a clone of a zero-day exploit for more seasoned renditions of Windows created by the NSA Equation Group in 2013 and initially called "EpMe" by the agency, as per the new report. 

 In another case documented by Symantec in 2019, APT3 "Buckeye" was connected to assaults utilizing Equation Group tools in 2016, before the Shadow Brokers leak.

Domestic Kitten - An Iranian Surveillance Operation

 

Check Point researchers as of late revealed the full degree of Domestic Kitten's broad surveillance operation against Iranian residents that could pose a threat to the security of the Iranian system. The actual operation is linked to the Iranian government and executed by APT-C-50. Started in 2017, this operation comprised 10 unique campaigns, targeted more than 1,200 people with more than 600 effective infections. It incorporates 4 currently active campaigns, the latest of which started in November 2020. In these campaigns, victims are tricked to install a malicious application by various vectors, including an Iranian blog website, Telegram channels, and even by SMS with a link to the noxious application. 

The victims incorporate prominent scholastics, activists and business pioneers in Iran and elsewhere, and government authorities in the United States and Europe, researchers at Israeli cybersecurity firm Check Point said in a couple of reports released on Monday. 

The APT uses versatile malware called FurBall. The malware depends on commercially-available monitoring software called KidLogger, and as indicated by the researchers, "it seems that the developers either obtained the KidLogger source code or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities." FurBall is spread through an assortment of assault vectors including phishing, Iranian sites, Telegram channels, and employing SMS messages containing a link to the malware. The malware uses an assortment of disguises to attempt to fool a victim into the installation, for example, being packaged as "VIPRE" mobile security, masquerading as a news outlet app, acting as repackaged legitimate mobile games found on Google Play, app stores, restaurant services, and wallpaper applications. 

When installed on a target device, FurBall can intercept SMS messages, get call logs, gather device information, record communication, steal media and stored files, monitor device GPS coordinates and so track their target's movements, and more. At the point when data has been accumulated from the compromised device, it very well may be sent to command-and-control (C2) servers that have been utilized by Domestic Kitten since 2018. Linked IP addresses were found in Iran, in both Tehran and Karaj.  

On Monday, Check Point researchers, along with SafeBreach, additionally uncovered the activities of a subsequent danger group that is effectively focusing on Iranian dissidents but rather than focus on their smartphones, their PCs are at risk.

Check Point: What to expect from hackers in 2021

The pandemic has made its own adjustments in all areas of modern life. The attackers changed the targets of their attacks, choosing new priority areas of hacking, including focusing on the medical industry. Founder and CEO of information security company Check Point Software Technologies Gil Shwed told how hacker attacks have changed in the pandemic and what to expect from cybercrime in the future.

Gil Shwed suggested that in 2021, first, since the coronavirus and the fight against it will continue to bother humanity, then pharmaceutical companies working on the development of vaccines and medicines will most likely be attacked.

Secondly, while schoolchildren and students study from home, most likely, hackers will be interested in distance learning systems as well.

Third, it can be expected that botnets will increasingly be used in attacks. Hackers have already transformed many existing malicious applications into botnets to create entire armies of infected computers for cyber attacks.

The fourth expected point is that cyberwarfare will be at the global level.

Mr. Shwed noted that attacks on hospitals, research laboratories, especially during the period of COVID-19 are an opportunity for attackers to get ransom or attention.

The goals of cybercriminals who attack medical institutions can be different - both obtaining financial gain, and causing harm, and gaining widespread publicity. For example, medical records are sold in Darkweb for up to $1,000 per record.

In addition, medical devices such as insulin injectors, heart monitors, and pacemakers can be targeted.  

Check Point researchers have demonstrated the ease with which an ultrasound machine running on an old Windows operating system can be hacked, revealing an entire database of patient images. Unsurprisingly, there has been a 75% increase in ransomware attacks on healthcare facilities in recent months.

Microsoft's researchers said that hackers from only three countries carried out 89% of national cyberattacks this year. Attacks were extremely common, and their target was events of various levels, from elections to the Olympic Games. And also in 2021, the active use of deepfakes is expected.

Earlier E Hacking News reported that Russian hackers gained access to the source codes of Microsoft programs and systems. The organization assured that there is no reason to believe that hackers gained access to services for maintenance of its products or to customer data.

Check Point: 56 apps from the Google Play Store hide a new dangerous malware


Check Point experts have identified a new family of malware in the Google Play Store. It was installed in 56 Google Play Store apps that have been downloaded almost a million times by users worldwide. 24 apps among the damaged 56 are children's games, as well as utilities such as calculators, translators, cooking apps and others. As it is specified, applications emulate the behavior of a real user.

Tekya malware uses the MotionEvent mechanism in Android that simulates a click on an ad banner (first discovered in 2019) to simulate user actions and generate clicks.

Imitating the actions of a real person does not allow the program or a third-party observer to understand the presence of fraud. This helps hackers to attack online stores, make fraudulent ads, promote advertising, promote sites in search engine results, and also serve to carry out banking operations and other illegal actions.

During the research, Tekya went unnoticed by the VirusTotal and Google Play Protect programs.
Hackers created copies of official popular apps to attract an audience, mostly children since most apps with Tekya malware are children's games.

However, the good news is that all infected apps have already been removed from the Google Play.
This case shows that malicious app features can still be found in Google Play. Users have access to almost 3 million apps in the Google Play Store, and hundreds of new ones are downloaded daily, making it difficult to check the security of each individual app.

Although Google is taking steps to ensure security and prevent malicious activity on the Google Play Store, hackers are finding ways to access users' devices through the app store. So, in February, the Haken family of malware was installed on more than 50 thousand Android devices through various applications that initially seemed safe.

Check Point: coronavirus has become a tool for hacker attacks on users and businesses


According to Check Point Threat Intelligence, more than 4,000 coronavirus-related domains have been registered worldwide since January 2020. 3% of these sites have already been identified as malicious, and another 5% as suspicious.

According to experts, hackers send spam with a link to a malicious site on behalf of trusted organizations to encourage a potential victim to click on it. When you click the link, malware is automatically installed on the user's device.

So, Check Point discovered a phishing attack allegedly on behalf of the World Health Organization (WHO), which spread in Italy. Experts noted that 10% of organizations in Italy were subjected to this attack.

Moreover, a website registered in Russia in February 2020 was discovered. The attackers offered to buy "the best and fastest test for detecting coronavirus at a fantastic price — 19,000 rubles ($264)".
In addition, a large spam campaign was recorded in Japan. There, attackers send spam on behalf of the Japanese Society for the rehabilitation of disabled persons (JSRD). Emails report the spread of the coronavirus in several cities in Japan, prompting the recipient to open the document.
If the user is interested and opens the attachment, the Emotet Trojan will be downloaded to their computer.

According to experts, as the spread of the coronavirus continues, scammers will continue to use the coronavirus theme to carry out attacks on users and businesses.

Any events that cause mass discussion or are popular, especially negative ones, are an occasion for fraudsters to realize their plans, said Alexey Dankov, head of the information security Department at Cross Technologies. In this case, they use the news as an excuse to get data, and people who are panicked lose their vigilance and, as a result, trust scammers.

"A virus that has become a pandemic is a great reason for cybercriminals to get the desired information on accounts and personal information," added Mr. Dankov.