
Cybercriminals Threaten Release of Stolen World-Check Database, Exposing Millions to Financial Risk

 

A financially motivated criminal hacking group, self-identified as GhostR, has claimed responsibility for the theft of a confidential database containing millions of records from the renowned World-Check screening database. The stolen data, totaling 5.3 million records, includes sensitive information used by companies for screening potential customers and assessing their links to sanctions and financial crime.
 
World-Check, a vital tool for conducting "know your customer" (KYC) checks, enables companies to identify high-risk individuals with potential ties to money laundering, government sanctions, or other illicit activities. The hackers disclosed that they obtained the data from a Singapore-based firm with access to the World-Check database, though the specific company remains unnamed. 

A portion of the stolen data encompasses individuals sanctioned as recently as this year. The compromised records include details of current and former government officials, diplomats, politically exposed persons (PEPs), individuals associated with organized crime, suspected terrorists, intelligence operatives, and even a European spyware vendor. These individuals are deemed high-risk for involvement in corruption, bribery, or other illicit activities. 

The stolen data includes names, passport numbers, Social Security numbers, online cryptocurrency account identifiers, bank account numbers and more. That combination is enough material for identity fraud against the people listed, and because screening lists of this kind also contain people who were flagged in error, publication could expose innocent individuals to unwarranted scrutiny and financial harm.

Simon Henrick, a spokesperson for the London Stock Exchange Group (LSEG), which oversees World-Check, clarified that the breach did not originate from LSEG's systems but involved a third party's data set. While LSEG did not disclose the identity of the third-party company, they emphasized their commitment to collaborating with the affected party to safeguard data integrity and notify relevant authorities. 

Privately operated databases like World-Check are not immune to errors, raising concerns about the accuracy and fairness of their content. Past incidents, such as the 2016 leak of an older World-Check database, underscore the potential repercussions of erroneous data, including wrongful accusations and financial repercussions for innocent individuals. 

The breach highlights the critical need for enhanced cybersecurity measures and regulatory oversight to protect sensitive personal information and mitigate the risks associated with data breaches. As investigations into the incident continue, stakeholders must prioritize transparency, accountability, and proactive measures to prevent future breaches and safeguard consumer data privacy.

Cracking Down on Crime: Europol Shares Data on Europe's Top Threats

 


Serious organised crime has grown considerably over the past few years and remains a major threat to the EU's internal security. Law enforcement and policymakers need a clear picture of the most threatening criminal networks operating in and affecting the EU if they are to prioritise resources and guide policy effectively.

Successful companies share certain traits: they are agile and resilient, anticipate trends, and pivot quickly to new environments while keeping their operations running. A report Europol released on Friday found that the most threatening criminal networks in the EU have the same skills.

The report, presented on April 5, maps the state of organised crime in Europe and identifies 821 criminal networks active on EU territory as the most threatening. Europol describes the aim as making the invisible visible so that it can be known, fought and defeated. Law enforcement agencies from all 27 member states and 17 non-EU partner countries contributed information to the report.

Europol singles out several characteristics shared by the 821 most threatening networks. They are agile: they adapt their business processes quickly, scale up when the opportunity arises, and work around the obstacles law enforcement puts in their way.

They are borderless: although many concentrate their activities in one country, they operate across EU and non-EU countries without significant difficulty. They are controlling: they keep tight oversight of everyone inside the organisation and usually specialise in one criminal activity. And they are destructive: the corruption they rely on does serious damage to the EU's internal security.

According to the report, 50 per cent of the most threatening networks are involved in drug trafficking, and for 36 per cent drug trafficking is their sole business. A further 15 per cent deal exclusively in fraud and 6 per cent in human trafficking.

On drugs, beyond heroin, cannabis and cocaine, the report flags the arrival of new substances on the European market such as fentanyl, which has already caused thousands of deaths in the United States. Recent months have also seen massive shipments of cocaine hidden in banana cargoes moving through European ports.

In February, a banana shipment arriving in Britain was found to contain more than 12,500 pounds of cocaine, the largest single drug seizure in British history. In August of last year, Dutch customs discovered 17,600 pounds of cocaine hidden in banana crates in the port of Rotterdam.

Three months before that, at the Italian port of Gioia Tauro, a police dog sniffed out three tons of cocaine hidden in a consignment of bananas. Of the top ten criminal groups identified in the report, nine specialise in cybercrime. Run mainly by Russian and Ukrainian nationals, they are active in France, Germany, Switzerland and the United States.

These groups have up to 100 members, but a core of criminals distributes ransomware to affiliates, who carry out the actual attacks. The same core group handles ransom negotiation and payment, usually in cryptocurrency, and typically passes 80% of the proceeds to the affiliate who carried out the attack.

Service providers give criminal networks crucial support by running fraud schemes and supplying cyber services and technical solutions. Their methods include mass mailings and phishing campaigns, fake websites, fake advertisements and fake social media accounts.

According to Europol, such providers also support online fraud schemes and advise on moving cryptocurrency. The networks take countermeasures to avoid detection by law enforcement: some use encrypted telephones, while others avoid electronic devices altogether and meet in person so as to leave no digital footprint.

A report released by the European Commission states that drug trafficking remains the most significant criminal activity in EU countries, with record cocaine seizures in Europe and an increase in drug-related violent crime, for instance in Belgium and France.

Half of the most dangerous networks are involved in drug trafficking in some form, whether as their sole activity or as part of a wider portfolio. More than 70% of networks engage in corruption "to facilitate criminal activity or obstruct law enforcement or judicial processes", and 68% "use violence as an inherent element of their approach to conduct business", the report says.

Gang violence has been rife in Antwerp for years, as the city is the main entry point for Latin American cocaine into Europe. Belgian federal authorities say drug trafficking is increasingly affecting society as drug use rises across the country.

According to Ylva Johansson, EU Commissioner for Home Affairs, organised crime is one of the biggest threats facing society today, bringing corruption and extreme violence with it. At a press conference, Europol said the data it collected would be shared with law enforcement agencies across the EU to help them target criminals better.

eBay Settles Blogger Harassment Case with $3 Million Fine

 

eBay has agreed to pay $3 million (£2.36 million) to settle charges over the harassment of two bloggers who were openly critical of the company. Court documents reveal that senior eBay staff, including Jim Baugh, the former senior director of safety and security, orchestrated a targeted campaign against Ina and David Steiner, the couple behind the newsletter EcommerceBytes, whose coverage the company's leadership disliked.

The court papers outline a series of alarming incidents, including the dispatch of live spiders and cockroaches to the Steiners' residence in Natick, Massachusetts. This relentless campaign of intimidation left the couple, according to prosecutors, in a state of being "emotionally, psychologically, and physically" terrorized. Jim Baugh, alongside six associates, allegedly spearheaded this effort to silence the Steiners, going to extreme lengths.

The harassment tactics escalated to sending live insects, a foetal pig, and even a funeral wreath to the Steiners' home. Moreover, Baugh and his associates reportedly installed a GPS tracking device on the couple's car, infringing on their privacy. Additionally, the perpetrators created misleading posts on the popular website Craigslist, inviting strangers to engage in sexual encounters at the Steiners' residence.

In the aftermath, eBay dismissed the employees involved. In the legal proceedings, Philip Cooke, an eBay employee, received an 18-month prison sentence in 2021, and Jim Baugh was sentenced to nearly five years in 2022.

Baugh's defense claimed that he faced pressure from eBay's former CEO, Devin Wenig, to rein in the Steiners and control their coverage of the company. However, Wenig, who resigned from his position in 2019, has not been charged in connection with the harassment campaign and vehemently denies any knowledge of it.

Acting Massachusetts US Attorney Josh Levy strongly condemned eBay's conduct, labeling it as "absolutely horrific, criminal conduct." Levy emphasized that the employees and contractors involved in this campaign created a petrifying environment for the victims, with the clear intention of stifling their reporting and safeguarding the eBay brand.

A Closer Look At The Future of MagSafe in Apple's Ecosystem

Apple is exploring ways to extend MagSafe so that it can carry data and let an iPhone recognise and authenticate the accessories attached to it. Today, placing a MagSafe-compatible iPhone on a MagSafe charger simply charges it, even through a MagSafe case. Apple acknowledges the limits of that arrangement: accessories can unintentionally trap heat, and each generation of processor generates more of it. A newly granted Apple patent, "Accessory Devices That Communicate With Electronic Devices", addresses these problems and proposes ways to refine how MagSafe works.

The patent goes beyond data transmission and user authentication. It also contemplates augmented reality (AR) features, in which connected accessories are represented in a digital environment, and a power-sharing arrangement in which MagSafe distributes power wirelessly to compatible accessories as well as charging the phone.

The thermal problem is concrete: many electronic devices throttle the processor, or shut down entirely, once they reach a set temperature. With a heat-trapping accessory attached, users are effectively forced to choose between protecting the device and getting its full performance.

To address this, Apple proposes adding a magnetic sensor to devices such as the iPhone. The sensor detects the MagSafe accessory and distinguishes a charger from a case, and the device then adjusts the charging process accordingly, taking temperature into account and applying different limits for cases and for chargers.

Apple describes a two-step system. The first step is basic identification with no accessory-specific data: the device infers whether it is dealing with a case or a charger. The second, more advanced step has the accessory send data, authenticating itself and exchanging information with the device over the magnetic interface.

At that advanced stage, MagSafe accessories become data transmitters as well as functional components, able to report their own thermal tolerances directly to iOS. The patent's emphasis is on data transmission: accessories that act as keys, unlocking additional functionality and tighter integration with Apple devices.

With data flowing over MagSafe, the patent also raises the prospect of authentication based on magnetic field vectors, turning MagSafe into an identification tool: an iPhone recognising a nearby MagSafe accessory and using the data it provides. One caveat worth keeping in mind: a magnetic field pattern is a static physical signature that can be reproduced, so recognising an accessory this way identifies it but is not by itself proof that the accessory is genuine in the way a cryptographic challenge-response would be.

The feature may not be limited to the iPhone: there are rumours that the iPad will adopt MagSafe, which suggests a broader rollout of these capabilities across Apple devices.

In short, the patent envisions MagSafe as more than a connector: a channel for recognition, data and power between device and accessory.


Hackers Alleged to Have Breached Millions of DNA User Profiles, Offering Data for Sale on the Internet

 

Genetic testing company 23andMe has confirmed a significant cyber attack in which hackers stole and subsequently published or sold data belonging to approximately one million individuals. The breach came to light when the hackers released a database titled "Ashkenazi DNA Data of Celebrities" on dark web forums. 

This database contained details such as display names, gender, birth years, and some information regarding users' genetic ancestry findings. It's worth noting that 23andMe is a US-based biotechnology and genomics firm that provides genetic testing services. Customers send a saliva sample to their labs and receive an ancestry and genetic predispositions report in return.

On underground forums, a post advertising the stolen data boasted of DNA profiles, potentially spanning from influential business figures to figures often mentioned in conspiracy theories. Each profile also included associated email addresses, as per reports.

Although the hacker claimed to possess data related to celebrities like Mark Zuckerberg and Elon Musk, 23andMe has not yet confirmed the veracity of these claims. 

The hacker has proposed selling the data profiles in bulk, with prices ranging from $1 to $10 per account. There are estimates, reported by PCMag, that suggest as many as seven million accounts may be available for sale.

Cybersecurity expert Professor Alan Woodward, based at the University of Surrey, highlighted that the primary value of this breach lies in the personal information that could be exploited in future scams. Details such as names, addresses, and phone numbers could be used to create targeted phishing emails, lending an air of legitimacy to potential scams.

23andMe is treating the breach as genuine and is investigating. Scott Hadly, managing editor at 23andMe, said initial findings suggest the login credentials used were obtained from data leaked in breaches of other online platforms, that is, customers reusing passwords across services (credential stuffing). He stressed that there is no evidence of a security breach within 23andMe's own systems.

In a statement, 23andMe affirmed, "We are taking this issue seriously and will continue our investigation to confirm these preliminary results."

''Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA). If we learn that a customer's data has been accessed without their authorization, we will notify them directly with more information,'' the statement added. 
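The credential-stuffing pattern described above, automated logins with username and password pairs taken from other sites' breaches, leaves a recognisable trace in authentication logs: one source hitting many distinct accounts in a short window with a high failure rate, where the occasional success is an account whose owner reused a password. The Python below is an added illustration of that detection logic, not 23andMe's code or any detail from its investigation; the log format, IP addresses, account names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (this example's own format, not 23andMe's logs).
# 203.0.113.7 sprays credentials across many accounts, one of which accepts a
# reused password; 198.51.100.4 is one user mistyping a password; 192.0.2.9 is
# an office NAT address with several legitimate users behind it.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2023-10-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2023-10-01T10:00:03Z ip=203.0.113.7 user=carol@example.com result=fail
2023-10-01T10:00:04Z ip=203.0.113.7 user=dave@example.com result=fail
2023-10-01T10:00:05Z ip=203.0.113.7 user=erin@example.com result=fail
2023-10-01T10:00:06Z ip=203.0.113.7 user=frank@example.com result=fail
2023-10-01T10:00:07Z ip=203.0.113.7 user=grace@example.com result=ok
2023-10-01T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=fail
2023-10-01T10:05:00Z ip=198.51.100.4 user=alice@example.com result=fail
2023-10-01T10:05:20Z ip=198.51.100.4 user=alice@example.com result=fail
2023-10-01T10:05:40Z ip=198.51.100.4 user=alice@example.com result=ok
2023-10-01T10:10:00Z ip=192.0.2.9 user=ivan@example.com result=ok
2023-10-01T10:10:05Z ip=192.0.2.9 user=judy@example.com result=ok
2023-10-01T10:10:10Z ip=192.0.2.9 user=mallory@example.com result=ok
2023-10-01T10:10:15Z ip=192.0.2.9 user=niaj@example.com result=ok
2023-10-01T10:10:20Z ip=192.0.2.9 user=olivia@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts within `window` and
    mostly fail. Thresholds are illustrative; tune them to real traffic."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window so that it spans at most `window` of time.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Once a source is flagged, report on all of its activity,
                # because any success from it is a probable account takeover.
                findings[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e["user"] for e in evs}),
                    "failures": sum(1 for e in evs if e["result"] == "fail"),
                    "successful_logins": sorted(
                        {e["user"] for e in evs if e["result"] == "ok"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Accounts listed under `successful_logins` for a flagged source are the ones to force a password reset and MFA enrolment on, which is the response 23andMe describes in its statement. The office NAT sample shows why the distinct-user count alone is not enough: several users logging in from one address with no failures is normal traffic, so the failure ratio is what separates a spray from a shared gateway.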

Schools: Prime Targets for Hackers Amid Poor Cybersecurity and Ransom Payments

 

New data indicates that school districts have become highly susceptible to online exploitation and are now a primary target for hackers. According to a recent global survey by the British cybersecurity company Sophos, 80% of schools experienced a ransomware attack last year, up sharply from the 56% reported in 2021. That rise over two years has led researchers to call ransomware the most significant cyber risk facing educational institutions today.

Comparing various industries, schools fared the worst in terms of victimization rates, surpassing even sectors like healthcare, technology, financial services, and manufacturing. 

The survey, which included responses from 400 education IT professionals worldwide, revealed that United States institutions are particularly attractive targets for hacking groups, especially since the events surrounding Russia's invasion of Ukraine.

Two factors have made schools especially vulnerable to cyber threats in the United States. First, the cybersecurity measures in educational settings often lag behind those in major businesses, such as banks and technology companies. Second, schools prove to be easy targets for exploitation due to their willingness to pay ransoms. 

Last year, nearly half of the attacks on schools resulted in ransom payments, further enticing threat actors. Unfortunately, this combination of weak defenses and a readiness to pay has made schools a "double whammy" for hackers, according to Chester Wisniewski, the field chief technology officer of applied research at Sophos.

The motivation to pay ransoms seems to be influenced by insurance coverage. In districts with standalone cyber insurance, 56% of victims paid the ransom, while those with broader insurance policies covering cybersecurity saw a payment rate of 43%. Insurance companies often cover ransom demands, giving them significant sway over which districts comply with the extortion demands.

Elder, a school representative, acknowledges the difficult decisions schools face when dealing with ransomware attacks. While it is essential to safeguard confidential information and protect people, the pressure to manage resources and finances can make the choice challenging.

Ultimately, the data suggests that schools must prioritize and strengthen their cybersecurity practices to avoid falling prey to hackers and ransom demands. 

Relying on insurance alone may not provide a comprehensive solution, as hackers continue to exploit vulnerabilities, and insurance companies struggle to keep pace with evolving threats.

Report: Possible Chinese Malware in US Systems a 'Ticking Time Bomb'

 

According to a report by The New York Times on Saturday, the Biden administration has raised concerns about China's alleged implantation of malware into crucial US power and communications networks. The officials fear this could act as a "ticking time bomb" capable of disrupting US military operations in the event of a conflict.

The malware, as reported by the Times, could potentially grant China's People's Liberation Army the capability to disrupt not only US military bases' water, power, and communications but also those of homes and businesses across the country. 

The main concern is that if China were to take action against Taiwan, they might utilize this malware to hamper US military operations.

This discovery of the malware has led to a series of high-level meetings in the White House Situation Room, involving top military, intelligence, and national security officials, to track down and eliminate the malicious code.

Two months prior to this report, Microsoft had already warned about state-sponsored Chinese hackers infiltrating critical US infrastructure networks, with Guam being singled out as one target. 

The stealthy attack, ongoing since mid-2021, is suspected to be aimed at hindering the United States in case of a regional conflict. Australia, Canada, New Zealand, and Britain have also expressed concerns that Chinese hacking could be affecting infrastructure globally.

The White House, in response, issued a statement that did not specifically mention China or military bases. The statement emphasized the administration's commitment to defend the US critical infrastructure and implement rigorous cybersecurity practices.

These revelations come at a tense moment in US-China relations, with China asserting its claim over Taiwan and the US considering restrictions on sophisticated semiconductor sales to Beijing.

Cybercriminals Masquerade as Cybersecurity Company to Hijack Entire PCs

 

In the latest cyber threat, hackers have found a new way to deceive victims, this time borrowing a reputable name as cover. A ransomware-as-a-service (RaaS) operation called "SophosEncrypt" has emerged, masquerading as the cybersecurity vendor Sophos.

The operation of SophosEncrypt was brought to light by MalwareHunterTeam on Twitter and has since been acknowledged by Sophos. Initially, there were suspicions that this might be a red team exercise conducted by Sophos itself—a simulated attack to test their security measures. 

However, it has been confirmed that SophosEncrypt is entirely unrelated to the cybersecurity firm and has only adopted its name to instill a sense of urgency and seriousness for victims to comply with the attackers' demands.

The ransomware is distributed through yet unknown means, but common methods include phishing emails, malicious websites, popup ads, and exploiting software vulnerabilities. BleepingComputer reports that the ransomware campaign is active and explains how the encryption process functions.

When executed, SophosEncrypt asks for a token tied to the targeted victim and verifies it online before starting the attack. Researchers found, however, that the check fails open: cutting the machine's network connection lets the ransomware skip the verification and run anyway.

Once operational, the attacker gains the ability to encrypt specific files or the entire device, appending the ".sophos" extension to the encrypted files. Subsequently, victims are prompted to contact the attackers for file decryption, with payment usually demanded through untraceable cryptocurrency. Simultaneously, the Windows desktop wallpaper is changed to notify the user of the encryption using the Sophos name.

Sophos has managed to gather some information about the attackers, revealing their association with Cobalt Strike command-and-control and crypto-mining software.

To safeguard against the rising tide of ransomware attacks, it is essential to exercise caution. Refrain from accepting files from unfamiliar sources, even from individuals you know, as they could be unwitting carriers of malicious content due to being hacked themselves. 

Additionally, be aware that legitimate cybersecurity companies would never encrypt files and demand payment for recovery. Hence, if something seems suspicious, it is best to err on the side of caution and take steps to protect yourself from potential threats.

A Few Cybercriminals Account for Most Email Extortion Attacks, New Research Reveals

 

New research conducted by Barracuda Networks, in collaboration with Columbia University, has revealed that a surprisingly small group of cybercriminals is responsible for the majority of email extortion attempts worldwide. The study examined over 300,000 flagged emails, identified as extortion attacks by the company's AI detectors, over a one-year period.

To estimate how many attackers were behind them, the researchers traced the bitcoin wallet addresses given in the emails, since cybercriminals favour this payment method for the anonymity and ease of cryptocurrency transactions.

However, the number of bitcoin addresses doesn't necessarily indicate the exact number of attackers. According to Columbia Master's student Zixi (Claire) Wang, who authored the report, the actual number of attackers is likely even fewer than 100, as attackers often use multiple bitcoin addresses.

The monetary demands in these email attacks were relatively low, with approximately a quarter of the emails requesting less than $1,000 and over 90% asking for less than $2,000. Wang speculates that cybercriminals opt for smaller amounts to avoid raising suspicion with victims' banks or tax authorities, and victims are more likely to comply with lower demands without investigating the legitimacy of the threat.

The researchers also observed that Bitcoin was the sole cryptocurrency used by the attackers in their dataset. Wang suggests this is because Bitcoin offers a high level of anonymity, allowing anyone to generate numerous wallet addresses.

The common scam was a claim to possess compromising photos or videos captured by hacking the target's device camera, with payment demanded under threat of releasing the material. The research found that the large majority of attackers were bluffing: they had neither such material nor any malware on the target's system.

The silver lining in this research is that the small number of perpetrators worldwide could be advantageous for law enforcement efforts. Wang believes that tracking down even a few of these attackers could significantly disrupt this cyber threat.

Furthermore, given the similarity in tactics and templates used by extortion attackers, Wang suggests that email security vendors could block a substantial portion of these attacks using relatively simple detectors. This could provide an additional layer of protection against such cyber threats.
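Two of the points above, tracing wallet addresses to estimate the number of actors and blocking templated extortion mail with simple detectors, can be shown together. The Python below is an added example written for this page, not Barracuda's or Columbia University's code: it validates the Base58Check checksum of legacy Bitcoin addresses found in a mail body (a mistyped address is worthless to the attacker, so the check is a cheap false-positive filter), scores the body on phrases typical of sextortion templates, and groups flagged messages by wallet and by template fingerprint. The sample emails, phrase weights and threshold are constructed for the example; the two wallet addresses are publicly known ones (the genesis-block address and the "Bitcoin eater" burn address), used only because they are checksum-valid strings.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample emails, not messages from the Barracuda/Columbia dataset.
# Emails 0 and 1 come from one template and pay into the same wallet; email 2
# carries a mistyped wallet; email 3 is a benign notice; email 4 is a second
# template paying into a different wallet.
SAMPLE_EMAILS = [
    "I recorded you through your webcam while you visited adult sites. "
    "Send 900 USD in bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within "
    "48 hours or the video goes to all your contacts.",
    "I recorded you through your webcam while you visited adult sites. "
    "Send 1500 USD in bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within "
    "24 hours or the video goes to all your contacts.",
    "I recorded you through your webcam while you visited adult sites. "
    "Send 900 USD in bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb within "
    "48 hours or the video goes to all your contacts.",
    "Your invoice 4471 is attached. Your wallet balance has been updated; "
    "please review it within 48 hours.",
    "My malware captured your password and a video from your webcam. Pay "
    "1200 USD to the bitcoin wallet 1BitcoinEaterAddressDontSendf59kuE in "
    "72 hours or your contacts get the recording.",
]

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ('1...') and P2SH ('3...') addresses only; bech32 ('bc1...')
# addresses need a separate checksum routine and are left out here.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Phrases that recur across sextortion templates, with weights chosen for
# this example; a production detector would learn these from labelled mail.
TEMPLATE_PHRASES = {
    "webcam": 2, "recorded": 2, "recording": 2, "video": 1, "bitcoin": 1,
    "wallet": 1, "hours": 1, "contacts": 1, "malware": 1, "password": 1,
}


def is_valid_base58check(addr):
    """Base58Check: the last 4 bytes must equal the first 4 bytes of
    SHA256(SHA256(version byte + 20-byte hash))."""
    n = 0
    for ch in addr:
        n = n * 58 + B58_ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")   # 1 version + 20 hash + 4 checksum
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(text):
    return [a for a in ADDR_RE.findall(text) if is_valid_base58check(a)]


def extortion_score(text):
    low = text.lower()
    return sum(w for phrase, w in TEMPLATE_PHRASES.items() if phrase in low)


def template_fingerprint(text):
    """Hash the email with the per-victim parts (wallet, amounts, deadlines)
    masked, so mails generated from one template share a fingerprint."""
    t = ADDR_RE.sub("<ADDR>", text).lower()
    t = re.sub(r"\d+", "<N>", t)
    t = re.sub(r"\s+", " ", t).strip()
    return hashlib.sha256(t.encode()).hexdigest()[:12]


def analyse(emails, threshold=4):
    """Flag extortion mails (template phrases plus a checksum-valid wallet)
    and group them by wallet and by template to estimate distinct actors."""
    flagged, by_address, by_template = [], defaultdict(list), defaultdict(list)
    for i, body in enumerate(emails):
        addrs = extract_addresses(body)
        if addrs and extortion_score(body) >= threshold:
            flagged.append(i)
            for a in addrs:
                by_address[a].append(i)
            by_template[template_fingerprint(body)].append(i)
    return {"flagged": flagged, "by_address": dict(by_address),
            "by_template": dict(by_template)}


if __name__ == "__main__":
    result = analyse(SAMPLE_EMAILS)
    print("flagged:", result["flagged"])
    print("wallets seen:", len(result["by_address"]),
          "templates seen:", len(result["by_template"]))
```

On the five samples the two wallets and two templates give an upper bound of two actors, which is the same reasoning the study applied at scale. The mail with the mistyped wallet is not flagged at all: with no valid payment address it cannot be monetised, and dropping it keeps the actor count from being inflated by typos or deliberately corrupted copies. As the article notes, one actor may rotate wallets, so the wallet count is a ceiling on the number of attackers, not an exact figure.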

Massive Data Breach at HCA Healthcare: 11 Million Patients' Information Compromised by Hackers

 

Hospital and clinic operator HCA Healthcare has announced that it experienced a significant cyberattack, posing a risk to the data of at least 11 million patients. 

The breach affects patients in 20 states, including California, Florida, Georgia, and Texas. HCA Healthcare, headquartered in Nashville, disclosed that the compromised data includes potentially sensitive information such as patients' names, partial addresses, contact details, and upcoming appointment dates.

This breach, discovered by the company on July 5, is considered one of the largest healthcare breaches in history. HCA Healthcare revealed that the hackers accessed various types of information, including patient names, cities, states, zip codes, emails, telephone numbers, dates of birth, genders, service dates, locations, and next appointment dates.

"This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages," the company said in its Monday announcement.

"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate," it said.

If the estimated number of affected patients reaches 11 million, this breach would rank among the top five healthcare hacks reported to the Department of Health and Human Services Office of Civil Rights. The most severe breach in this sector occurred in 2015 when medical insurer Anthem was compromised, affecting 79 million individuals. In that case, Chinese spies were indicted, but there is no evidence that the stolen data was ever sold.

According to the Associated Press, the suspected hacker behind the HCA breach initially posted a sample of the stolen data online on July 5, attempting to sell it and potentially extort HCA. The hacker claimed to possess 27.7 million records and subsequently released a file on Monday containing nearly 1 million records from HCA's San Antonio division.

To ensure the legitimacy of any invoices or billing requests, HCA is advising patients to contact the chain at (844) 608-1803 before making any payments. The company has reported the incident to law enforcement and engaged third-party forensic and threat intelligence advisors. 

HCA maintains that the breach, which exposed approximately 27 million rows of data related to around 11 million patients, did not include highly sensitive information such as patients' treatment or diagnosis details, payment information, passwords, driver's license numbers, or Social Security numbers.

Although DataBreaches.net initially reported on the hack and shared a code sample purportedly offered by the hacker, HCA's spokesperson clarified that the code was an email template developed by the company, and the client ID mentioned referred to a doctor's office or facility, not a patient.

HCA Healthcare says it has found no evidence of malicious activity on its own networks or systems related to this incident. The company operates more than 180 hospitals and 2,000 care locations, including walk-in clinics, across 20 states and the U.K., according to its website.

BatCloak: This Obfuscation Tool Successfully Bypasses 80% of AV Engines


Trend Micro has warned about the effectiveness of BatCloak, a tool designed to obfuscate batch files, which has enabled malicious BAT files to evade antivirus engines at a rate of about 80%. Researchers have found numerous heavily obfuscated batch files, built with BatCloak, being used to deploy modified and fully undetectable malware.

In a detailed analysis of hundreds of batch samples obtained from a public repository, it was found that 80% of the samples went undetected by security solutions. This highlights the effectiveness of BatCloak in bypassing traditional detection methods used by security tools. 

Of the 784 samples examined, fewer than one engine on average flagged each sample, which illustrates the difficulty of identifying and mitigating malware protected by BatCloak.

Since 2022, the majority of collected samples have consistently evaded antivirus detection, enabling threat actors to easily load different malware families and exploits using extensively obfuscated batch files.

ScrubCrypt is the latest version of the BatCloak engine, representing a significant advancement in batch obfuscation techniques. The developers have shifted from an open-source framework to a closed-source model, motivated by the success of previous projects like Jlaive and the desire to monetize the project while protecting it from unauthorized replication. 

In addition to its ability to make malware fully undetectable, ScrubCrypt incorporates features aimed at bypassing host-based security measures, including UAC bypass, anti-debugging capabilities, AMSI bypass, and Event Tracing for Windows (ETW) bypass. The 8220 gang used ScrubCrypt in a campaign between January and February, targeting Oracle Weblogic Server vulnerabilities for the purpose of cryptomining.

This ongoing research highlights the continuous development of the BatCloak engine, which aims to be compatible with a wide range of malware families and has proven versatile and adaptable as a batch obfuscator. It underscores how common this technique is in today's threat landscape and the need to understand threat actors' tactics, techniques, and procedures in order to counter such intrusions.

Schools' Files Leak Online Days After Ransomware Deadline

Many documents purported to have been stolen from Minneapolis Public Schools have now been posted online, days after a cyber gang claimed the district had missed its deadline to pay a $1 million ransom demand.

Download links first appeared in the middle of the night on Wednesday on a website designed to look like a technology news blog, a front for the attackers. The next day the links appeared on Telegram, an encrypted instant messaging service widely used by terrorists and far-right extremists.

Questions remain about the contents of the 92-gigabyte file that has been shared with The 74. There is also a large gap between what is available for download and what the Medusa ransomware gang claimed to have stolen from the district: 157 terabytes (one terabyte is 1,000 gigabytes).

Earlier this month, the criminal group uploaded a file tree listing the stolen files to its dark web blog. The file tree suggests that the records contain a large amount of sensitive information, including allegations of sexual violence by students, district finances, student discipline, special education, civil rights investigations, and notifications of student maltreatment and sex offenders.

Even though the full scale of the breach is not known yet, cybersecurity experts say present and former Minneapolis residents and district employees should take steps to protect themselves as soon as possible.  

According to Doug Levin, the national director of the K-12 Security Information Exchange and an expert in K-12 cybersecurity incidents, now is a good time to enable two-factor authentication on every account that supports it and to stop reusing passwords across services.

However, experts said there are no easy solutions for those now at risk of having sensitive personal information exposed, including details of incidents of student sexual misconduct. Levin says that anyone who becomes a victim of harassment as a result should strongly consider seeking mental health counseling or creating an action plan.

As Levin explained, once the genie is out of the bottle it is extremely difficult to put it back. He added that the school district has little it can do to comfort these individuals or give them any recourse. Credit monitoring does not help; what they want is for their well-being and reputation to be protected.

There have been several complaints about the Minnesota district's public communications about a ransomware attack, which it initially referred to as an "encryption event." This past Friday, the Minneapolis district announced that the ransomware group had released the stolen records on the dark web, a part of the internet accessible only with special software that can leave the user untraceable. 

In a Telegram message, one user identified themselves as an 18-year-old Minneapolis high school student who was interested in downloading the data because they were concerned it might contain their Social Security number or other personal information, The 74 reported.

As part of its checklist of safety precautions, the district has urged the community to avoid downloading the breached data, arguing that doing so would further the cybercriminals' work by spreading fear and increasing the level of panic the leak causes.

Additionally, the district has warned residents not to respond to suspicious emails or phone calls, which may be phishing attempts, and has urged them to change their passwords periodically. A statement from the district on Friday said it was still working to determine which records had been compromised, an ongoing process expected to take some time, and that it planned to inform affected individuals once it was complete.

Callow argued that ransomware victims should take a proactive approach and notify those whose data was stolen as early as possible, rather than waiting until the investigation is complete.

A Major Flaw in the AI Testing Framework MLflow can Compromise the Server and Data

MLflow, an open-source framework used by many organizations to manage and record machine-learning tests, has been patched for a critical vulnerability that could enable attackers to extract sensitive information from servers such as SSH keys and AWS credentials. Since MLflow does not enforce authentication by default, and a growing percentage of MLflow deployments are directly exposed to the internet, the attacks can be carried out remotely without authentication.

"Basically, every organization that uses this tool is at risk of losing their AI models, having an internal server compromised, and having their AWS account compromised," Dan McInerney, a senior security engineer with cybersecurity startup Protect AI, told CSO. "It's pretty brutal."

McInerney discovered the flaw and privately reported it to the MLflow project. It was fixed in the framework's version 2.2.1, which was released three weeks ago, but no security fix was mentioned in the release notes.

Path traversal used to include local and remote files

MLflow is a Python-based tool for automating machine-learning workflows. It includes a number of components that enable users to deploy models from various ML libraries, handle their lifecycle (including model versioning, stage transitions, and annotations), track experiments to record and compare parameters and results, and even package ML code in a reproducible format to share with other data scientists. A REST API and command-line interface are available for controlling MLflow.

All of these features combine to make the framework an invaluable resource for any organisation experimenting with machine learning. Scans using the Shodan search engine confirm this, revealing a steady increase in publicly exposed MLflow instances over the last two years, with the current count exceeding 800. Many more MLflow deployments likely exist on internal networks, where they may be reachable by attackers who gain a foothold on those networks.

"We reached out to our contacts at various Fortune 500's [and] they've all confirmed they're using MLflow internally for their AI engineering workflow," McInerney tells CSO.

McInerney's vulnerability is identified as CVE-2023-1177 and is rated 10 (critical) on the CVSS scale. He refers to it as local and remote file inclusion (LFI/RFI) via the API, in which remote and unauthenticated attackers can send specially crafted requests to the API endpoint, forcing MLflow to expose the contents of any readable files on the server.

What makes the vulnerability worse is that most organisations configure their MLflow instances to store their models and other sensitive data in Amazon S3. According to a review of the configuration of publicly available MLflow instances by Protect AI, seven out of ten used AWS S3. This means attackers can supply the s3:// URL of the bucket used by the instance as the source parameter in their JSON request to steal models remotely.

It also implies that AWS credentials are most likely stored locally on the MLflow server so the framework can access the S3 buckets, typically in the file .aws/credentials under the user's home directory. Disclosure of AWS credentials can be a serious breach because, depending on the IAM policy attached to them, it gives attackers lateral movement into the organization's AWS infrastructure.
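The root cause described above is a server trusting a caller-supplied source location. The Python below is an added example, not MLflow's own code or anything from the CSO article: it contrasts the weak pattern (joining the untrusted `source` under an artifact root) with an allow-list check that confines local sources to the artifact root and S3 sources to named buckets. The artifact root, the bucket name, the function names and the JSON request shape are assumptions made for illustration.

```python
# Added example (not MLflow's code): allow-list validation for a caller-supplied
# "source" URI of the kind a model-registry API accepts in a JSON request body.
# ARTIFACT_ROOT, ALLOWED_BUCKETS, the function names and the request shape are
# assumptions for illustration only.
import json
import os
from urllib.parse import urlparse

ARTIFACT_ROOT = "/srv/mlflow/artifacts"              # assumed local artifact root
ALLOWED_BUCKETS = frozenset({"ml-artifacts-prod"})   # assumed S3 bucket allow-list


def resolve_source_naive(source: str) -> str:
    """The weak pattern: trust the caller's 'source' and join it under the root.

    os.path.join discards the root when 'source' is absolute, and '..' segments
    walk out of it, so any file the service account can read becomes reachable
    through the artifact download path (the LFI described in the text).
    """
    return os.path.join(ARTIFACT_ROOT, source)


def resolve_source_checked(source: str) -> str:
    """Hardened replacement: canonicalise 'source' and confine it to the artifact
    root, or to an explicitly allow-listed S3 bucket. Raises ValueError otherwise.
    """
    parsed = urlparse(source)
    scheme = parsed.scheme.lower()

    if scheme == "s3":
        if parsed.netloc not in ALLOWED_BUCKETS:
            raise ValueError(f"bucket not allow-listed: {parsed.netloc!r}")
        if ".." in parsed.path.split("/"):
            raise ValueError("dot-dot segment in S3 key")
        return source

    if scheme in ("", "file"):
        # file:///etc/passwd -> path "/etc/passwd"; a bare string is used as-is.
        raw_path = parsed.path if scheme == "file" else source
        root = os.path.realpath(ARTIFACT_ROOT)
        # realpath collapses '..' and follows symlinks BEFORE the containment check.
        candidate = os.path.realpath(os.path.join(root, raw_path))
        if os.path.commonpath([root, candidate]) != root:
            raise ValueError(f"source escapes artifact root: {source!r}")
        return candidate

    # http, ftp, etc. would turn the server into a fetch proxy (RFI); refuse them.
    raise ValueError(f"scheme not permitted: {scheme!r}")


def is_safe_source(source: str) -> bool:
    """Boolean wrapper around resolve_source_checked for policy decisions."""
    try:
        resolve_source_checked(source)
        return True
    except ValueError:
        return False


def accept_model_version_request(body: str) -> bool:
    """Validate the 'source' field of a JSON request body before acting on it.

    The field name comes from the text above; the rest of the body is assumed.
    """
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return False
    source = req.get("source")
    return isinstance(source, str) and is_safe_source(source)


if __name__ == "__main__":
    # Constructed request bodies: one legitimate, two hostile.
    for body in (
        '{"name": "fraud-model", "source": "1/run-abc/artifacts/model"}',
        '{"name": "fraud-model", "source": "file:///root/.aws/credentials"}',
        '{"name": "fraud-model", "source": "s3://attacker-bucket/loot"}',
    ):
        print(accept_model_version_request(body), body)
```

The containment test compares canonical paths rather than string prefixes, so `../` sequences, absolute paths and symlinks inside the artifact store are all resolved before the decision is made. Pairing this with authentication in front of the API, as the next section describes, closes both the unauthenticated access and the arbitrary-read halves of the problem.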

Insecure deployments result from a lack of default authentication

Authentication for accessing the API endpoint would protect this flaw from being exploited, but MLflow does not implement any authentication mechanism. Simple authentication with a static username and password can be added by placing a proxy server, such as nginx, in front of the MLflow server and forcing authentication through it. Unfortunately, almost none of the publicly exposed instances employ this configuration.

McInerney stated, "I can hardly call this a safe deployment of the tool, but at the very least, the safest deployment of MLflow as it stands currently is to keep it on an internal network, in a network segment that is partitioned away from all users except those who need to use it, and put behind an nginx proxy with basic authentication. This still doesn't prevent any user with access to the server from downloading other users' models and artifacts, but at the very least it limits the exposure. Exposing it on a public internet facing server assumes that absolutely nothing stored on the server or remote artifact store server contains sensitive data."

Home Security: Breaches and Ransomware Making it Impossible to Review Firms and Their Security


The recent Ring ransomware incident and Eufy's insecure network have left many researchers and users wondering how secure these home security and surveillance firms really are.

Product reviewers and tech journalists are left perplexed about which security camera or security product to recommend, knowing that the backend may or may not be secure.

According to Michael Hicks, senior editor at Android Central “When I review a product, I try to be as nitpicky as possible. Not because I want to give a bad review, but because it's my job to go past the idealized press releases and spec sheets to see the cracks beneath the surface.” 

It is possible to call out certain problems with a security camera, like poor video quality or unreliable AI detection. But there is always the possibility of an undiscovered breach, even with some of the best-tested and most-praised cameras around.

Hicks says this is not something most tech journalists are qualified to detect. With a smartphone, one can examine most of the software and security oneself, and users have almost complete control over which apps may track them. A security camera's data security is managed entirely remotely, so we can only trust the company to protect our data.

The question is whether we can ever really trust a security business to give an honest assessment of its own cybersecurity.

Companies like LastPass or Eufy, whether they specialize in hardware or software, frequently conceal breaches for months until they become public, at which point they play down their seriousness with technical jargon and mitigating factors.

Some Recent Unsettling Incidents 

According to a report Vice published this past week about a third party associated with Ring being hit by BlackCat ransomware, Ring employees have been told not to say anything about the incident, and it is not yet clear what user data is at risk if Amazon does not pay.

Before that, security researcher Paul Moore found that Eufy cameras were sending users' images and facial recognition data to the cloud without their knowledge or consent, that anyone could stream private camera feeds from a web browser, and that Eufy's AES-128 encryption was easily defeated because of the simple keys it used.

In response, Eufy patched some issues and edited its privacy guidelines to provide fewer protections for its users. 

Accepting the Unknown 

The bottom line is that even renowned security firms with seemingly impenetrable encryption can make choices that expose your personal information or home feeds, or can hire someone who abuses their position of authority. And even if someone blows the whistle or a security expert notices the error, there is no guarantee you will learn about it once the company does.

In an environment like this, casually reviewing a company's security camera on its merits and recommending it to readers seems irresponsible. Michael Hicks wrote in his article, “It's my job to do so, and I will write about the Blink Indoor and Blink Mini once it's clear how its parent company handles the Ring ransomware attack.”

However, Hicks adds that in doing so he will have to include big disclaimers that he “just don't know what Blink's (or any company's) weakest link is.” It could be a dishonest employee, an unreliable third-party team, shoddy encryption, or something else.

In the meantime, he advises people to use security cameras with local storage so that their private footage and data are not kept on company servers. Even that is no guarantee of security, given that a firm like Eufy was well received and trusted as a local storage option before its many problems came to light.

Identifying Ransomware’s Stealthy Boot Configuration Edits


The research by Binary Defense covers threat hunting techniques and detections for a methodology regularly reported in Ransomware-as-a-Service (RaaS) intrusions. Using the built-in Windows programme bcdedit.exe (Boot Configuration Data Edit), threat actors have been observed changing boot loader configuration to:
  • Modify Boot Status Policies 
  • Disable Recovery Mode 
  • Enable Safe Mode 
The hypothesis Binary Defense used to build the hunting queries is that threat actors (such as Snatch and REvil) may not need bcdedit at all if they implement code that directly modifies the Windows registry keys holding these settings. Last year, the researcher am0nsec published proof-of-concept code showing exactly this on Windows 10. Binary Defense wanted to detect such behaviour not only on Windows 7, 8.1 and 11 systems, but also on systems where the relevant registry key is stored under a different Globally Unique Identifier (GUID).

The research builds on the work of SpecterOps researcher Michael Barclay, who published an in-depth blog on hunting for this activity on Windows 10 earlier this year. Below are the bcdedit.exe commands that attackers use to change the boot configuration. Other tools, such as the Windows System Configuration Utility (msconfig.exe), can change the boot configuration data as well, but these alternatives are not covered in the study because they are graphical tools that cannot be driven without a user interface.

Boot Status Policy: The usual way to edit the boot status policy is to use bcdedit with these command line arguments:
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
This changes the boot status policy so that, after a failed shutdown, failed boot or other startup error, the system boots normally instead of entering the Windows Recovery Environment (Windows RE). Threat actors set this to stop administrators from using the System Image Recovery tool in Windows RE.

Recovery Mode: The usual method for disabling recovery mode with bcdedit is like this:
bcdedit.exe /set {default} recoveryenabled no
This command disables Windows RE entirely. Changing the boot status policy with the previous command stops the boot loader from loading the recovery environment on startup failures; this one also prevents administrators from loading it manually.

Safeboot: To change the Safeboot options, bcdedit is used with these command line arguments:
bcdedit.exe /set {default} safeboot minimal

This command sets whether the system boots into Safe Mode the next time it starts. Because not all Endpoint Detection and Response (EDR) and Anti-Virus (AV) products run in Safe Mode, this setting is changed to evade detection rather than to block recovery. Windows Defender, for example, does not run in Safe Mode, so the threat actor's actions (file encryption, for instance) are neither monitored nor blocked.

Prior research into similar techniques found that the registry keys storing these boot loader settings are Windows version-specific, and only Windows 10 detections existed. To find the keys for other versions, Binary Defense simply set up VMs running Windows 7, 8.1 and 11 and ran the three bcdedit.exe commands above while capturing with the Sysinternals tool Procmon. Procmon logs are notoriously noisy, but two filters, one excluding any process not named bcdedit.exe and the other excluding any operation other than RegSetValue, reduced them to the relevant events.

Over a 60-day period, the following queries were evaluated across several enterprise environments with zero false positives. Because changes to these settings are uncommon, all of these queries can be surfaced to a SOC as detections.

Detections
  • Carbon Black
Windows 7:

regmod_name:(*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0* OR *BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009* OR *BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080*)

Windows 8.1:

regmod_name:(*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0* OR *BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009* OR *BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080*)

Windows 10:

regmod_name:(*BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\250000e0* OR *BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\16000009* OR *BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\25000080*)

Windows 11:

regmod_name:(*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0* OR *BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009* OR *BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080*)

  • CrowdStrike
Windows 7:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName="*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0*" OR RegObjectName="*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009*" OR RegObjectName="*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080*")

Windows 8.1:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName="*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0*" OR RegObjectName="*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009*" OR RegObjectName="*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080*")

Windows 10:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName="*BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\25000080*" OR RegObjectName="*BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\250000E0*" OR RegObjectName="*BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\16000009*")

Windows 11:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName="*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0*" OR RegObjectName="*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009*" OR RegObjectName="*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080*")

  • Microsoft Sentinel and Defender for Endpoint
Windows 7:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@"BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0", @"BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009", @"BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080")

Windows 8.1:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@"BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0", @"BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009", @"BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080")

Windows 10:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@"BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\25000080", @"BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\250000E0", @"BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\16000009")

Windows 11:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@"BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0", @"BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009", @"BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080")

  • SentinelOne
Windows 7:

EventType = "Registry Value Modified" and RegistryKeyPath In Contains Anycase ("BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0", "BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009", "BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080")

Windows 8.1:

EventType = "Registry Value Modified" and RegistryKeyPath In Contains Anycase ("BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0", "BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009", "BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080")

Windows 10:

EventType = "Registry Value Modified" and RegistryKeyPath In Contains Anycase ("BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\25000080", "BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\250000E0", "BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\16000009")

Windows 11:

EventType = "Registry Value Modified" and RegistryKeyPath In Contains Anycase ("BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0", "BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009", "BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080")

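Every query above is pinned to one object GUID per Windows build, which is exactly the gap the research mentions for systems whose BCD store lives under a different GUID. As an added example, not Binary Defense's code, the Python below applies the same three element IDs (250000E0 for bootstatuspolicy, 16000009 for recoveryenabled, 25000080 for safeboot) to registry value-set events while matching any GUID, and runs it over a constructed batch of events. The event field names (`host`, `process`, `action`, `key`) and the sample GUIDs, hosts and process names are assumptions; the element IDs and the Windows 10 GUID are taken from the queries on this page.

```python
# Added example (not Binary Defense's code): GUID-agnostic detection of writes to
# the three BCD elements that the bcdedit commands above modify, applied to
# constructed registry events. Field names and sample hosts/processes/GUIDs other
# than the Windows 10 one from the queries above are assumptions.
import re
from typing import Dict, List, Optional

# Element IDs under ...\BCD00000000\Objects\{GUID}\Elements\<ID> and the bcdedit
# setting each one stores (taken from the queries above).
BCD_ELEMENTS: Dict[str, str] = {
    "250000E0": "bootstatuspolicy",
    "16000009": "recoveryenabled",
    "25000080": "safeboot",
}

# Match any object GUID rather than a hard-coded per-OS value, so a BCD store
# with an unexpected GUID still triggers.
_BCD_KEY = re.compile(
    r"BCD00000000\\Objects\\\{(?P<guid>[0-9a-f-]{36})\}\\Elements\\(?P<element>[0-9a-f]{8})",
    re.IGNORECASE,
)


def classify_registry_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a hit record if the event sets one of the three watched BCD elements."""
    if event.get("action") != "RegistryValueSet":
        return None                     # only value writes matter, not key opens/reads
    match = _BCD_KEY.search(event.get("key", ""))
    if match is None:
        return None
    setting = BCD_ELEMENTS.get(match.group("element").upper())
    if setting is None:
        return None                     # some other BCD element, e.g. a description
    return {
        "host": event.get("host", ""),
        "process": event.get("process", ""),
        "guid": match.group("guid"),
        "setting": setting,
    }


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the classifier over a batch of events and keep only the hits."""
    return [hit for hit in map(classify_registry_event, events) if hit is not None]


def summarize_by_host(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the watched settings touched per host, in order of first appearance."""
    summary: Dict[str, List[str]] = {}
    for hit in hits:
        settings = summary.setdefault(hit["host"], [])
        if hit["setting"] not in settings:
            settings.append(hit["setting"])
    return summary


# Constructed sample events (hypothetical hosts and processes).
WIN10_GUID = "9f83643f-4a91-11e9-9501-b252ac81e352"          # from the queries above
OTHER_GUID = "0d7cbfe2-6c1a-4b9e-8f2d-3a4b5c6d7e8f"          # assumed, not in any query
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # bcdedit.exe on a Windows 10 host applying the three commands from the text
    {"host": "ws01", "process": "bcdedit.exe", "action": "RegistryValueSet",
     "key": rf"HKLM\BCD00000000\Objects\{{{WIN10_GUID}}}\Elements\250000e0"},
    {"host": "ws01", "process": "bcdedit.exe", "action": "RegistryValueSet",
     "key": rf"HKLM\BCD00000000\Objects\{{{WIN10_GUID}}}\Elements\16000009"},
    {"host": "ws01", "process": "bcdedit.exe", "action": "RegistryValueSet",
     "key": rf"HKLM\BCD00000000\Objects\{{{WIN10_GUID}}}\Elements\25000080"},
    # direct registry write by an unknown binary under a GUID no per-OS query covers
    {"host": "srv02", "process": "update_helper.exe", "action": "RegistryValueSet",
     "key": rf"HKLM\BCD00000000\Objects\{{{OTHER_GUID}}}\Elements\16000009"},
    # benign: a different BCD element, and a key open (not a write) on a watched one
    {"host": "ws01", "process": "bcdedit.exe", "action": "RegistryValueSet",
     "key": rf"HKLM\BCD00000000\Objects\{{{WIN10_GUID}}}\Elements\12000004"},
    {"host": "ws03", "process": "explorer.exe", "action": "RegistryKeyOpened",
     "key": rf"HKLM\BCD00000000\Objects\{{{WIN10_GUID}}}\Elements\25000080"},
    # unrelated registry write
    {"host": "ws03", "process": "msiexec.exe", "action": "RegistryValueSet",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['process']} set {hit['setting']} under {{{hit['guid']}}}")
```

The fourth sample event is the case the per-GUID queries miss: a non-bcdedit process writing recoveryenabled under an unlisted GUID. Because the queries above have shown zero false positives over 60 days, widening the GUID match costs little in noise; a host that touches all three settings in quick succession is the strongest signal and maps directly to the three bcdedit commands in the text.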
New Nimbuspwn Linux Flaws Could Provide Attackers Root Access


Microsoft uncovered vulnerabilities in Linux systems that could be used to grant attackers root access if they were chained together. 

The flaws, dubbed "Nimbuspwn," were found in networkd-dispatcher, a dispatcher daemon for systemd-networkd connection status changes on Linux, and are tracked as CVE-2022-29799 and CVE-2022-29800. Microsoft found the vulnerabilities while listening to signals on the System Bus as part of a code review and dynamic analysis effort.

Microsoft’s Jonathan Bar Or explained, “Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities.”
 
“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” 

He went on to state that ransomware attackers might use Nimbuspwn as a route to root access in order to have a greater impact on affected machines. Clayton Craft, the maintainer of networkd-dispatcher, reportedly worked promptly to fix the flaws after Microsoft responsibly disclosed them.

Linux users who are affected are recommended to apply patches as soon as they become available. Although Nimbuspwn has the potential to affect a huge number of people, attackers would first need local access to the targeted systems in order to exploit the flaws. 

Mike Parkin, senior technical engineer at Vulcan Cyber argued, “Any vulnerability that potentially gives an attacker root-level access is problematic. Fortunately, as is common with many open-source projects, patches for this new vulnerability were quickly released.” 

“While susceptible configurations aren’t uncommon, exploiting these vulnerabilities appears to require a local account and there are multiple ways to mitigate them beyond the recommended patching. There is currently no indication that these vulnerabilities have been exploited in the wild.”

Threat Actors Blanket Androids with Flubot & Teabot Campaigns


Researchers have found a cluster of active campaigns distributing the Flubot and Teabot trojans through a variety of delivery methods, with threat actors using smishing and malicious Google Play applications to target victims in several regions around the world.

Researchers from Bitdefender Labs said they have intercepted more than 100,000 malicious SMS messages attempting to distribute Flubot since the start of December, according to a report published Wednesday.

During their analysis of Flubot, the team also found a QR code reader application that has been downloaded more than 100,000 times from the Google Play store and that has distributed 17 different Teabot variants, they said.

Flubot and Teabot surfaced last year as fairly straightforward banking trojans that steal banking, contact, SMS and other kinds of private data from infected devices. The operators behind them, however, use unusual tactics to spread the malware, which makes them particularly nasty and far-reaching.

Flubot was first spotted in April targeting Android users in the United Kingdom and Europe via malicious SMS messages that urged recipients to install a "missed package delivery" application, showcasing a component of the malware that lets attackers use command and control (C2) to send messages to victims.

This feature lets operators quickly change targets and other malware features on the fly, widening their reach to a global scale without needing complex infrastructure. Indeed, campaigns later in the year targeted Android users in New Zealand and Finland.

“These threats survive because they come in waves with different messages and in different time zones,” Bitdefender researchers wrote in the report. 

“While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing. For example, in the month between Dec. 1 of last year and Jan. 2 of this year, the malware was highly active in Australia, Germany, Spain, Italy and a few other European countries.”   

Campaigns between Jan. 15 and Jan. 18 then shifted to other parts of the globe, including Romania, Poland, the Netherlands, Spain and even Thailand, they found.

Attackers have also branched out beyond tricking users into thinking they missed a package delivery (what Bitdefender called "fake courier messages") to distribute Flubot. While that lure appeared in almost 52% of the campaigns observed, they also used an "is this you in this video" pretext, a spin on a credential-stealing scam that has circulated steadily on social media, in around 25% of the observed campaigns, the researchers wrote.

“When the victim clicks on the link, it usually redirects them to a fake Facebook login that gives attackers direct access to credentials,” researchers explained. 

Flubot operators have adopted this trick and are using a variant of it in one of the smishing campaigns observed, with users receiving an SMS message that asks, "Is this you in this video?" the researchers noted. The goal, however, is the same: to trick users into installing the malware under some pretext.

“This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS messages.”
  
Among other lures, Flubot operators also used SMS messages with fake browser updates and fake voicemail notifications, each in around 8% of the observed campaigns, the researchers stated.

Cyberattack Compels Albuquerque Public Schools to Close 144 Schools

 

Following a cyberattack that hit the district's attendance, communications, and transportation systems, all 144 Albuquerque Public Schools are closed for the remainder of this week, according to an APS announcement at midday Thursday. 

APS is one of the 50 largest school districts in the country, with around 74,000 students. 

District IT staff discovered the problem on Wednesday, and APS posted a statement on its website and Twitter account that afternoon stating, “All Albuquerque Public Schools will be closed Thursday, Jan. 13, due to a cyberattack that has compromised some systems that could impact teaching, learning, and student safety. … The district is working with contracted professionals to fix the problem.” 

"The district continues to examine a cyberattack that affected the student information system used to take attendance, contact families in emergencies, and ensure that students are picked up from school by authorised people," APS stated online on Thursday afternoon and cancelled classes for Friday. 

APS said it will reopen schools on Tuesday, Jan. 18, after being closed on Monday for Martin Luther King Jr. Day, noting that administrative offices remained open. The attack was detected Wednesday morning when teachers attempted to log on to the student information system and were unable to gain access, according to APS Superintendent Scott Elder in a brief statement posted to the district's APS Technology YouTube page. 

Elder further stated, “APS is working with local and national law enforcement as well as teams of cyber specialists to as quickly as possible limit our exposure to this attack, to protect all systems in our network and ensure a safe environment to return to school and business as usual.” 

He noted that the district's IT department had been "mitigating attacks" in recent weeks. A spokeswoman told the Albuquerque Journal she was not sure what kind of attack it was and did not know whether those responsible had demanded a ransom.

Pegasus Spyware Reportedly Hacked iPhones of U.S. State Department & Diplomats

 

An unidentified party used NSO Group's Pegasus spyware to attack the Apple iPhones of at least nine US State Department officials, as per a report published Friday by Reuters. 

After receiving a query about the incident, NSO Group said in an email to The Register that it had cut off an unnamed customer's access to its system, but it had yet to determine whether its software was involved. 

An NSO spokesperson told The Register in an email, "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations." 

"To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case." 

The Israel-based firm, which was recently sanctioned by the US for reportedly selling intrusion software to repressive regimes and is being sued by Apple and Meta's (Facebook's) WhatsApp for allegedly assisting the hacking of their customers, says it will work cooperatively with any relevant government authority and share what it learns from its investigation. 

NSO's spokesperson stated, “To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case." 

According to Reuters, the affected State Department officials were based in Uganda or worked on Ugandan issues, so their phone numbers carried a foreign country prefix rather than a US one. When Apple filed its complaint against NSO Group on November 23, the iPhone maker also said it would notify iPhone users who have been targeted by state-sponsored hacking. On the same day, Norbert Mao, a lawyer and the President of Uganda's Democratic Party, tweeted that he had received an Apple threat notification. 

According to the Washington Post, NSO's Pegasus software was involved in the attempted or successful hacking of 37 phones linked to journalists and rights activists, including two women close to Saudi journalist Jamal Khashoggi. The findings contradicted NSO Group's claims that its software is licensed only for fighting terrorism and for law enforcement use, according to the report. 

The NSO Group released its 2021 Transparency and Responsibility Report [PDF] the same month, insisting that its software is only used against groups with few sympathisers, such as terrorists, criminals, and pedophiles. 

Several reports from cybersecurity research and human rights organisations, not to mention UN, EU, and US claims about the firm, have disputed that assertion. The US State Department declined The Register's request to confirm the Reuters report but said the department takes its obligation to protect its data seriously, adding that the Biden-Harris administration is seeking to limit the use of repressive digital tools.

Child Identity Fraud Costs Nearly $1 Billion per Year

 

On November 2, Javelin Strategy & Research published a new study that stated the yearly cost of child identity theft and fraud in the United States is estimated to be approximately $1 billion. 

Tracy Kitten, director of fraud & security at Javelin Strategy & Research, authored the 2021 Child Identity Fraud study, which examined the factors that put children most at risk of identity theft and fraud. The study looked at habits, characteristics, and social media platforms as risk factors. 

According to the survey, children who use Twitch (31%), Twitter (30%), and Facebook (25%) are the most likely to have their personal information exposed in a data breach. Another significant finding was that more than 1.25 million children in the United States fell victim to identity theft and fraud in the previous year. On average, the family spent more than $1,100 to resolve the matter, and resolution took a long time. 

Surprisingly, the survey found that over half of all child identity theft and fraud cases involve children aged nine and under, and that the majority of victims (70 percent) know their attackers.

Kitten added, “One of the most eye-opening findings from our research was just how much risk children are exposed to when they are not supervised online. Add to that nearly 90% of the households with internet access say they have children on social media, and the picture our findings paint quickly becomes dark, grim, and scary.” 

Criminals used social media to gain access to vulnerable minors, according to Kitten, a journalist and cybersecurity subject-matter expert. 

“Predators and cybercriminals lurk in the wings of all social media platforms, waiting for the moment to prey on overly trusting minors who may not fully understand safe online behaviour.” 

Families should limit and supervise children's use of social media and messaging platforms, and be on the lookout for cyberbullying, according to Javelin. 

“Platforms that allow users to direct/private message (DM), friend, or follow other users via public search pose the greatest concern,” stated a company spokesperson. 

Parents were advised not to reveal their children's personal information on social media and to set a good example for their children by demonstrating safe online conduct.