The Spanish National Police and the French Border Police, in a joint operation coordinated by Europol, have busted an organized cybercrime gang involved in the procurement and distribution of forged travel and ID documents for migrant smugglers. 

During the raids, in which three house searches were carried out and a total of 17 people were arrested, police seized computers, smartphones, storage devices, counterfeit and genuine ID documents and photocopies of ID documents, labor certificates, administrative documents, payment cards, and cash. 

According to a new report from a Beijing-based cybersecurity firm, hackers associated with the United States National Security Agency (NSA) were discovered to have inserted "covert backdoors" that could have given them access to sensitive information in dozens of countries, including India, Russia, China, and Japan. According to the report, it is getting traction in China's media after the country was accused with cyber hacking by the US. 

China's cyber-attacks target sensitive data stored by US institutions. It has become a thorn on the side of bilateral relations between the US and China. On the other side, Indian organisations believe that China hacks into sensitive data from government agencies and institutions. 

The National Security Agency (NSA) is a United States Department of Defense national-level intelligence agency that reports to the Director of National Intelligence (DNI). The NSA is in charge of worldwide information and data monitoring, gathering, and processing for foreign and domestic intelligence and counterintelligence purposes, specialised in a field known as signals intelligence (SIGINT). The NSA is also in charge of protecting the United States' communication networks and information systems. 

Among the allegedly hijacked websites named in the report were those associated with one of India's leading microbial research labs, the Institute of Microbial Technology (IMTech) under the Council of Scientific and Industrial Research, as well as the Indian Academy of Sciences in Bengaluru. Websites associated with the Banaras Hindu University were also reported to have been hacked.

Pangu Lab, a Beijing-based cybersecurity firm, published a technical study outlining how it discovered the backdoors and linked them to "unique IDs in the operating manuals of the NSA" discovered in the 2013 leak of NSA documents by insiders. 

According to the Chinese firm, in 2013, CIA analyst Edward Snowden leaked very relevant NSA files. Because they reveal the NSA's unique IDs. The company discovered a key that unlocks a backdoor Bvp47. It is a hacking tool created in partnership with the National Security Agency by The Equation Group. It also led to the detection of a number of similar cyberattacks that used the same unique IDs as the NSA platform. 

According to the report, which outlined how the backdoor operated, this was a backdoor communication technology that has never been seen before, indicating an organisation with considerable technological capabilities behind it. “As an advanced attack tool, Bvp47 has allowed the world to see its complexity,” it said. “What is shocking is that after analysis, it has been realised that it may have existed for more than 10 years.”

A new report from the Office of the Inspector General (OIG) reveals that a cyber-criminal posing as a vendor duped Baltimore city out of hundreds of thousands of dollars last year. In October 2021, the OIG initiated an investigation after obtaining information from Baltimore's Bureau of Accounting and Payroll Services (BAPS) about an alleged fraudulent Electronic Funds Transfer (EFT). The Mayor's Office of Children and Family Success (MOCFS) issued the Vendor with EFT payment funds.

BAPS and MOCFS were contacted by email on December 22, 2020 and January 7, 2021, from an email address linked with an employee of the Vendor firm, asking for a change to its EFT remittance details. On December 16, 2020, the email linked with the Vendor Employee sent BAPS a Vendor Payment & Electronic Funds Transfer Form. 

The OIG later determined that the Vendor Employee's email account had been hacked by a malicious actor who had set up rules within the Vendor Employee's email account as a result of a phishing assault. As a result, the malicious actor was able to correspond with City workers without the Vendor's awareness. 

On January 5, 2021, the fraudster contacted MOCFS and BAPS once more, this time requesting that the funds be transferred to a new account at a third financial institution. As verification, the fraudster sent a bank letter and a copy of a voided check with the same details as the third account. BAPS paid $376,213.10 into the third account on January 7, 2021, believing the fraudster's assertions. 

The OIG discovered that BAPS employees do not have access to a list of authorized signatories for vendors and must rely on the information given by representatives from City agencies. Furthermore, instead of independently validating information and requests, BAPS relied on MOCFS to assist the request and accepted an incoming phone call from someone pretending to be the Vendor's Chief Financial Officer. 

In his response to this report, Director of Finance Henry Raymond notified the OIG that new protocols had been implemented requiring Department of Finance (DOF) workers to independently verify bank changes with an executive-level employee. DOF has also devised processes to exclude City agencies from vendor accounting procedures.

Russian citizen Ilya Lichtenstein and his wife Heather Morgan were arrested in the United States on Tuesday. The U.S. Justice Department in a statement called them the largest Internet fraudsters in history. 

The spouses are suspected of hacking the Hong Kong cryptocurrency exchange Bitfinex in 2016 and withdrawing 120,000 bitcoins from its accounts, which is $4.5 billion at current prices. Intelligence agencies managed to confiscate $3.6 billion worth of bitcoins stored in the Russian's e-wallets. 

On Tuesday night, after the arraignment in the Court of the Southern District of New York, Magistrate Judge Debra Freeman decided to release the suspects on bail of $8 million for two. However, the spouses were unable to leave federal prison as the judge's decision was put on hold by Washington. 

According to the prosecution, the couple should remain in custody because "they are sophisticated cybercriminals and money launderers, and there is a serious risk of their escape." Prosecutors admit that the couple may have passports in other names. 

In particular, agents found a file named Passport_ideas on Liechtenstein's computer. And a plastic container with disposable phones was found under the bed in the apartment of the defendants. Under American law, Ilya Lichtenstein and Heather Morgan face up to 25 years in prison. 

A few years ago, 34-year-old Ilya Lichtenstein unsuccessfully tried to create a technology startup and become an investor. He came to the United States from Russia at the age of six, when his family was granted asylum for religious reasons. 

His wife, Heather Morgan, called herself an economist, a journalist, and a "Crocodile of Wall Street", was a freelance writer for Forbes magazine and even performed as a rapper under the name Razzltkhan. According to the New York Times, giant billboards with her image decorated Times Square. 

According to the investigation conducted by the FBI and the US Internal Revenue Service, Lichtenstein and Morgan hacked the Bitfinex protection system and made about 2 thousand illegal transactions, transferring funds from the accounts of the exchange's clients to their electronic wallet. 

In subsequent years, the suspects managed to launder about 25 thousand bitcoins through third-party exchanges and online services on the darknet. A new hearing on Lichtenstein and his wife's bail application will be held in Washington on February 11.

China has recently had its own national sporting event: the National Games of China began on September 15, 2021, in the Chinese city of Shaanxi. This is a comparable event to the Olympics, however, it only features athletes from China. The National Games of the People's Republic of China, also known as the All-China Games, are China's biggest national sporting event. It is typically held every four years. 

David Álvarez, an Avast security researcher, discovered a malware sample with a peculiar file extension in early September and started to examine where it came from. Following that, he discovered a report submitted to VirusTotal by the National Games IT team on an attack against a server associated with the Games.

The data suggests that the attackers acquired initial code execution on September 3, 2021, about 10:00AM local time, and deployed their first reverse shell executing scripts called runscript.lua. Researchers believe this occurred as a result of an arbitrary file-read vulnerability targeting either route .lua which, according to the API (Application User Interface) extracted from various JavaScript files, is a LUA script containing a lot of functionality ranging from login authentication to file manipulation or index.lua in combination with index.lua?a=upload API that was not used by anyone else in the rest of the network log. It's also worth noticing that runscript.lua was not included in the report or among the files uploaded by the attacker. 

After gaining initial access, the attackers uploaded numerous other reverse shells, such as conf.lua, miss1.php, or admin2.php, to gain a more permanent foothold in the network in the event that one of the shells was found. Because these reverse shells receive commands via POST requests, the data is not contained in the logs attached to the report, which simply show the URL path. Furthermore, the logs in the report do not contain enough information about network traffic for researchers to understand how and when the attackers obtained their initial web shell. 

The method used by the attackers to hack the 14th National Games of China is not novel. They got access to the system by taking advantage of a flaw in the webserver. This highlights the importance of updating software, correctly configuring it, and being aware of potential new vulnerabilities in apps by employing vulnerability scanners.

The most essential security countermeasure for defenders is to maintain the infrastructure patched up to date (especially for the internet-facing infrastructure). The primary priority for both internal and internet-facing infrastructure should be prevention. According to the researchers, in order to fight against this type of attack, more layers of protection must be deployed so that users can identify and respond immediately when a successful breach occurs.

ESET analysts reported that cybercriminals can use smartwatches to steal personal data and warned Russians about the main dangers associated with this gadget. 

"According to our estimates, the market for smartwatches and fitness trackers will grow by 12.5 percent annually and will exceed $118 billion by 2028. Such indicators cannot but attract scammers. Therefore, it is worth understanding in advance the security and privacy risks associated with this," the ESET study says. 

The threat of data interception is due to the fact that many smartwatches and fitness trackers are synchronized with the owners' smartphones, including some applications such as e-mail or messengers. Thus, attackers can hijack both devices, which threatens, in particular, the loss of passwords. ESET further warns that the stolen personal data can then be sold on the darknet. 

Another serious risk for a cybercriminal's victim is tracking the GeoPosition of the device. Such data allows hackers to draw up a detailed diagram of the user's movements in order to attack his home or car. "The safety of children's smartwatches, which can be monitored by outsiders, is even more worrying," ESET states. Speaking about the specific vulnerabilities of smart fitness trackers, cyber specialists pay attention to Bluetooth technology, in which "numerous vulnerabilities have been discovered over the years," weak software of gadgets and paired smartphone applications that may contain coding errors. 

According to ESET analysts, risks can be reduced via the use of two-factor authentication, the use of a strong password to lock the screen, as well as a ban on external connections to smartwatches will also prevent threat. 

Data can be leaked both via the Internet and via Bluetooth a critical Bluetooth vulnerabilities allow executing arbitrary malicious code on the device and gaining full control over the device's system, as well as carrying out a man-in-the-middle attack (MiTM), which leads to the unauthorized interception of user data.

According to recent reports, attackers are utilising stolen data to contact individuals who have been compromised in the attack (through social media, email, or phone). These direct contact strategies are being used by ransomware gangs as additional leverage to get victims to pay up. They call employees or customers whose data was compromised in the attack and urge them to persuade the victim to pay up, threatening them with the release of their personal information if they do not. 

NBC News featured a story on a parent whose child attended a school run by a district that was the target of a ransomware attack. The attackers emailed the parent, asking him to put pressure on the district to pay up, or else all of the exfiltrated materials, including information on him and his son, will be posted on the dark web. 

According to the person interviewed by NBC, the district did not notify parents or many staff members that they had been the victims of an attack, at least not before the assailants established contact with them. The attackers exploit whatever contact information they can obtain, such as employee directories or customer databases, to identify individuals to pressure. 

Allen ISD was the victim of a cyberattack in September 2021 and was afterward the target of attempted extortion by the perpetrators. Allen ISD, located roughly 30 miles north of Dallas, Texas, educates nearly 22,000 K-12 students. Following consultation with external cybersecurity experts, school administrators decided to refuse to pay the hackers' demands, even telling local media that there was no indication that data had been exfiltrated. Despite the fact that the ransomware gang claimed to have collected personal information from district children, families, and staff and sought to extort millions of dollars from Allen ISD. 

Another strategy used by ransomware attackers is to contact employees at a firm during the reconnaissance stages of an assault to see if they can bypass the infiltration stages by exploiting an insider threat. Insider threats are one of a few non-digital threats that have plagued businesses of all sizes to date. 

Insider threats represent a quarter of the eight main cybersecurity risks that significantly affect the corporate and public sectors, according to the Osterman Research white paper White Hat, Black Hat, and the Emergence of the Gray Hat: The True Costs of Cybercrime. 

According to a new survey conducted by identity protection firm Hitachi ID Systems, 65% of surveyed IT and security executives or their staff had been contacted to aid in ransomware cyberattacks. This marks a 17% increase over a similar survey conducted a year ago. The attackers used email and social media to contact employees in the majority of cases, while phone calls accounted for 27% of their approach efforts, a direct and brazen method of communication.

Researchers discovered that threat actors are increasingly deploying scams that impersonate package couriers such as DHL or the United States Postal Service in authentic-looking phishing emails to trick victims into downloading credential-stealing or other malicious payloads. Separately on Thursday, researchers from Avanan, a CheckPoint firm, and Cofense identified current phishing scams that involve malicious links or attachments aimed at infecting computers with Trickbot and other harmful malware. 

Researchers stated the campaigns relied separately on faith in commonly used shipping methods and employees' familiarity with receiving emailed documents linked to shipments to try to provoke further action to hack corporate systems. 

The emails used to send Trickbot in recent delivery service-related campaigns included official USPS branding as well as features such as third-party social-media logos from Facebook, Instagram, LinkedIn, and Twitter, "to make the email look even more credible," researchers said. The emails, however, have a sender address that is totally irrelevant to the USPS, which might easily have alerted someone to their shady motive, they claim.

If the bait works and a user clicks on the link to the alleged invoice, they are routed to a domain that downloads a ZIP file, hxxps:/www.zozter[.]com/tracking/tracking[.]php. The unzipped file is an XMLSM spreadsheet called “USPS_invoice_EA19788988US.xlsm” that requires editing due to document protection — a common approach used in fraudulent email campaigns. If a victim goes so far as to enable editing, a malicious PowerShell process is launched, which eventually downloads Trickbot. 

According to Avanan's Jeremey Fuchs, cybersecurity researcher, and analyst, the DHL spoofing assault likewise includes what threat actors want victims to believe is a shipping document, but this time in the form of an attachment. “By spoofing a popular brand, the hackers are hoping to target vulnerable users who are accustomed to checking for shipping notifications,” he wrote. 

This practice has become so widespread that DHL has achieved the dubious distinction of replacing Microsoft at the top of Check Point Software's list of brands most mimicked by threat actors in the fourth quarter of 2021. Scams involving the courier accounted for 23% of all phishing emails during that time period, but the company's name was associated with only 9% of scams in the third quarter. 

Researchers attributed the increase in package delivery frauds to a number of variables. Spoofing DHL made perfect sense in the fourth quarter of last year during the hectic holiday shopping season, according to Jeremey, in a study on the latest DHL-related fraud published Thursday.

The National Cyber Security Centre of Finland (NCSC-FI) has issued a warning about an ongoing phishing attack aimed at compromising Facebook accounts by masquerading victims' friends in Facebook Messenger conversations. 

According to the NCSC-FI, this ongoing scam targets all Facebook users who got messages from online acquaintances seeking their contact information and a confirmation number given through SMS. If users provide the requested information, the attackers will gain control of their accounts by altering the password and email address linked with them. 

Once taken over, the Facebook accounts will use similar schemes to target more potential victims from their friend list. 

“In the attempts, a hacked account is used to send messages with the aim of obtaining the recipients' telephone numbers and two-factor authentication codes to hijack their Facebook accounts," the cybersecurity agency described. 

The scammers will undertake the following techniques to successfully compromise the victim' Facebook accounts: 

• They start by sending a message through Facebook Messenger from the previously compromised friend's account. 

• They request the target's phone number, claiming to be able to assist with the registration for an online contest with cash awards worth thousands of euros. 

• The next step is to request a code that was supposedly given via SMS by the contest organizers to verify the entry. 

• If the fraudsters obtain the SMS confirmation code, they will combine it with the phone number to gain access to and hijack the victim's Facebook account. 

The NCSC-FI advised, "The best way to protect yourself from this scam is to be wary of Facebook messages from all senders, including people you know. If the message sender is a friend, you can contact him, for example, by phone and ask if he is aware of this message. This information should not be disclosed to strangers." 

Meta (previously Facebook) recently has filed a federal lawsuit in a California court to stop further phishing assaults that are currently targeting Facebook, Messenger, Instagram, and WhatsApp users. 

Around 40,000 phishing sites impersonating the four platforms' login pages were used by the threat actors behind these phishing attacks. These lawsuits are part of a lengthy series of lawsuits filed by Facebook against attackers who target its users and exploit its platform for nefarious purposes.

Microsoft has issued a warning about a new multi-stage phishing campaign that first enlists an attacker's BYOD device on a corporate network before sending thousands of convincing phishing emails to other targets. Bring your own device (BYOD) refers to the practice of employees connecting to their corporate networks using personal devices to access work-related systems and possibly sensitive or confidential data. Smartphones, personal computers, tablets, and USB drives are examples of personal devices. 

According to Microsoft, the goal of enrolling or registering a device on a target company's network was to evade detection during subsequent phishing assaults. According to Microsoft, "most" firms that had activated multi-factor authentication (MFA) for Office 365 were not affected by phishing emails transmitted via attacker-controlled registered devices, but all organizations that had not implemented MFA were affected. 

The attack took advantage of situations in which MFA was not enforced while registering a new device with a company's instance of Microsoft's identity service, Azure Active Directory (Azure AD), or enrolling a BYOD device in mobile device management (MDM) platform such as Microsoft's Intune. 

"While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack's propagation heavily relied on a lack of MFA protocols," Microsoft said. "Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain," it added. 

According to Microsoft, the first wave of the attack targeted firms in Australia, Singapore, Indonesia, and Thailand. The first stage used a DocuSign-branded phishing email that asked the recipient to review and sign the document. It made use of phishing domains with the .xyz top-level domain (TLD). The phishing link in each email was also unique and included the target's name in the URL. Victims were routed to a bogus Office 365 login page by the phishing link. 

In the second phase, the attackers installed Microsoft's Outlook email client on their own Windows 10 PC, which was then successfully connected to the victim's Azure AD. All the attackers had to do was accept Outlook's onboarding experience, which encourages the user to register a device. In this situation, the attackers were using credentials obtained in phase one. 

Certain practices, according to Microsoft researchers, can limit an attacker's ability to move laterally and compromise assets after the initial intrusion and should be supplemented with advanced security solutions that provide visibility across domains and coordinate threat data across protection components. Organizations can further limit their attack surface by removing basic authentication, mandating multi-factor authentication when adding devices to Azure AD, and enabling multi-factor authentication for all users.

AsyncRAT is a Remote Access Tool (RAT) that uses a secure encrypted connection to monitor and control other machines remotely. It is an open platform distributed processing tool but it has the potential to be used intentionally because it includes features like keylogging, remote desktop command, and other functionalities that could destroy the victim's PC. Furthermore, AsyncRAT can be distributed using a variety of methods, including spear-phishing, malvertising, exploit kits, and other means. 

Morphisec has detected a new, advanced campaign distribution that has been successfully eluding the radar of several security providers, thanks to the breach prevention using Moving Target Defense technology.

Potential hackers are spreading AsyncRAT to targeted machines with a simple email phishing method with an Html attachment. AsyncRAT is meant to remotely monitor and manipulate attacked systems through a protected, encrypted connection. This campaign ran for 4 to 5 months, with the lowest detection rates according to VirusTotal. 

Victims received the email notification with an HTML attachment in the manner of a receipt: Receipt-digits>.html in many cases. When the victim opens the receipt, users are sent to a webpage where a user must store a downloaded ISO file. The user believes it is a routine file download that will pass via all port and network security scanning channels. Surprisingly, this is not true. 

The ISO download, in fact, is created within the user's browser by the JavaScript code hidden within the HTML receipt file, rather than being downloaded from a remote server. 

To reduce the possibility of infection by AsyncRAT, users must follow the following steps:

The German domestic intelligence services BfV issued a warning about ongoing operations orchestrated by the Chinese-backed hacker group APT27. The attackers are utilising the HyperBro remote access trojans (RAT) to backdoor German commercial enterprises' networks in this active campaign. By operating as an in-memory backdoor with remote administration capabilities, HyperBro assists threat actors in maintaining persistence on the victims' networks.

HyperBro is a RAT that has been seen predominantly in the gambling industries, while it has also been seen in other places. The malware is typically composed of three or more components: a) a genuine loader with a signed certification, b) a malicious DLL loader loaded from the former component via DLL hijacking, and c) an encrypted and compressed blob that decrypts to a PE-based payload with its C2 information hardcoded within.

APT27 (also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse) is a Chinese-sponsored threat group that has been active since at least 2010 and is noted for its emphasis on data theft and cyber espionage efforts. 

Since March 2021, APT27 has been exploiting flaws in Zoho AdSelf Service Plus software, an enterprise password management solution for Active Directory and cloud apps, according to the German intelligence agency. This is consistent with prior reports that Zoho ManageEngine installations will be the target of many campaigns in 2021, coordinated by nation-state hackers employing techniques and tooling similar to APT27. 

The threat group's objective, according to the agency, is to steal critical information and may potentially seek to target its victims' customers in supply chain attacks.

"The Federal Office for the Protection of the Constitution has information about an ongoing cyber espionage campaign by the cyber-attack group APT27 using the malware variant HYPERBRO against German commercial companies," the BfV said. "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of customers or service providers." 

In addition, the BfV issued indicators of compromise (IOCs) and YARA rules to assist targeted German organisations in detecting HyperBro infections and connections to APT27 command-and-control (C2) servers. 

APT27 initially exploited an ADSelfService zero-day exploit until mid-September, then transitioned to an n-day AdSelfService vulnerability before beginning to exploit a ServiceDesk flaw on October 25. According to Palo Alto Networks researchers, they effectively infiltrated at least nine organisations from vital industries around the world, including defence, healthcare, energy, technology, and education.

RTM Group found the malicious code in the finalized 1C software by outsourced programmers. Experts estimate that with its help the fraudsters could steal the data of several dozens of companies. 1C called the described scheme technically imperfect and recognized that the platform modules can be finalized by third-party specialists and subsequently used by criminals. 

A representative of the information security company RTM Group said that the data of several dozen companies were stolen through malicious code in 1C modules, which were being finalized by programmers on outsourcing. 

According to him, at least a third of 1C users order the completion of some modules from third-party programmers who can embed malicious code in them. As a result, such modules, when checking the license key, send the data available in them about customers, payments, and potential contracts to an email address that is pre-registered. 

The victims of the scheme were several dozen companies engaged in the trade or distribution of software. The representative of the RTM Group noted that the materials were sent to law enforcement agencies. 

The representative of 1C called the described scheme technically imperfect since the license check is performed at the "core" level of the system, the code of which is closed. At the same time, he acknowledged that the platform modules can be modified by third-party specialists and used by attackers in the future. 

According to IDC, the share of 1C software in the corporate market in Russia in 2020 was 39.2%. Small and medium-sized businesses, which do not have money for their own IT departments, and they turn to small firms, are at risk of getting to scammers first of all.

“There are hundreds of thousands of 1C programmers in Russia, some of them can really be intruders, especially in the current deteriorating economic environment,” explained Pavel Korostelev, head of the Security Code company’s product promotion department. 

Alexander Dvoryansky, Director of Strategic Communications at Infosecurity a Softline Company, noted that such incidents do not always occur maliciously, as programmers when finalizing the module may use third-party or free software, the source code of which already contains malicious code.

The investigation into the hacking of A.P. Mahesh Co-operative Urban Bank Limited's servers has been taken up by Hyderabad city police's cybercrime officials.