Search This Blog

Showing posts with label Cyber Security. Show all posts

Information Commissioner Office Made a Regulatory Fine of $27 Million on Tiktok


The information commissioner's office of the United Kingdom recently fined Tiktok $29 million, having provisionally discovered that Tiktok had breached the laws of child data protection for two years. 
The privacy regulatory body of the United Kingdom reported the exploitation of protection laws of the country’s data. There was an investigation that concluded that TikTok may have breached the laws of data protection from May 2018 to July 2020. 
The fine is determined by the calculation of 4% of TikTok’s annual turnover globally. The ICO issued TikTok with a “notice of intent” with a fine of up to $27 million, which is considered the highest in ICO’s history as the largest amount paid till now is $20 million to British Airways. 
The Information Commissioner's office has pointed out in regard to Tiktok that it may breach privacy by processing data of minors under 13 years old without parental consent, failing to provide complete information to users "in a concise, transparent, and easily understandable manner" and processing unsuitable "special category" data without legal authority. 
The ICO defines “special category data” as any use of sensitive personal data including sexual orientation, religious beliefs, culture and nationality, political perspective, and biometric data. 
The information commissioner, John Edwards commented on TikTok’s failure in fulfilling its legal duties of protecting the privacy of data of its young users. He stated, "we all want children to be able to learn and experience the digital world, but with proper data privacy protection.” 
In John’s opinion, digital learning is essential for children, but the companies offering the digital services should be legally responsible for ensuring that reasonable protection measures are incorporated into these services, as during the investigation of TikTok it was found to be provisionally lacking in these measures.  
ICO added to its statement that the findings from the investigation are provisional and no final conclusions can be drawn at this time. A spokesperson from Tiktok in a conversation with TechCrunch shared that they do respect the concerns expressed by the ICO about security and protection laws, but that they disagree with the ICO's views regarding Tiktok's privacy policies.

Palo Alto Network: Domain Shadowing is a Prevalent Threat


As per Unit 42 of Palo Alto Network’s threat analysis, a fraudulent phishing technique known as domain shadowing is wreaking havoc. The company found that around 12,197 fake domains were shadowed between 25th April to 27th June of 2022, to provide malicious content. 
Cyber attackers are using domain shadowing for secretive attacks. Once a threat actor gets access to/hijacks your Domain Name System, they create their sub-domains containing malicious codes under your legitimate and reputed domains to perform malicious activities. The hijacked domains tend to be used in several ways, such as escaping security checks, distributing malicious software, committing fraud, etc. 
It is imperative to note that the attackers prepare these shadow domains without altering the functioning of the original domains, which also serves as a safeguard, since the victims are not aware that a threat exists, and the owners of the original domains rarely check on their domains to ensure their security. 
However, unit 42 employs a method to detect hacked domains or illegal sub-domains. It entails going through a checklist consisting of steps such as verifying whether the IP address of the domain and the sub-domain is the same or different, verifying whether the domain and sub-domains have been active for a certain period, and verifying the patterns of the domains and sub-domains. 
Domain shadowing can be called a new evolution in online threats or fast flux. It has been considered the most effective and hard-to-detect technique used by any malicious attacker to date. The fraudulent actor can access and add tens of thousands of sub-domains into hijacked domains, and as they are available randomly, the next victim’s domain cannot be tracked.  
According to Palo Alto Network’s threat researchers, when they became aware of the deceptive phishing technique and the increasing cases associated with it, only 200 of them were potentially harmful. VirusTotal also disclosed that some of these were organized into single phishing campaigns by registering 649 fake or deceptive domains on 16 trusted websites. 
The shadowed domains work to steal the user’s login credentials known as the phishing technique. To protect your website or data from domain shadowing, you should adopt new-generation security measures, including connected threat intel platforms and checking on the webpage before entering the credentials.

QUAD Nations to Assist Each Other in Taking Action Against Malicious Cyber Activities


On Saturday, the leaders of India, the United States, Japan, and Australia, known as the Quad, vowed to work together to ensure the security and resilience of regional cyberinfrastructure.

Following a meeting on the sidelines of the UN General Assembly session in New York, the leaders of the four countries issued a joint statement on the subject. External Affairs Minister S Jaishankar, along with his counterparts Penny Wong of Australia, Hayashi Yoshimasa of Japan, and US Secretary of State Tony Blinken, issued a statement urging states to take reasonable steps to address ransomware operations originating from within their borders.

The Quadrilateral Security Dialogue, comprised of India, the United States, Japan, and Australia, was established in 2017 to counter China's aggressive behaviour in the Indo-Pacific region. According to the statement, the leaders believe that focused initiatives to strengthen Indo-Pacific countries' cyber capabilities will ensure the security and resilience of regional cyberinfrastructure.

"The transnational nature of ransomware can adversely affect our national security, finance sector and business enterprise, critical infrastructure, and the protection of personal data. We appreciate the progress made by the 36 countries supporting the US-led Counter Ransomware Initiative and the regular, practical-oriented consultations against cybercrime in the Indo-Pacific region," they said.

The ministers emphasised that practical cooperation in countering ransomware among Indo-Pacific partners would result in ransomware actors in the region being denied a safe haven.

Recalling the last Quad Foreign Ministers' Meeting on February 11 of this year, the ministers stated their commitment to addressing the global threat of ransomware, which has hampered Indo-Pacific economic development and security.

A New Decryptor by Bitdefender for Victims of LockerGoga Ransomware


As part of Bitdefender's official announcement, the company notified that it had released a free decryptor for ransomware called LockerGoga to recover the encrypted files without paying any ransom.
The Romania-based cybersecurity firm, Bitdefender released a universal LockGoga decryptor. The company stated in its published announcement, that the new decryptor is a combination of international law agencies, including Bitdefender, Europol, the NoMoreRansom project, the Zurich Public Prosecutor’s office, and the Zurich Cantonal Police. 
The new decryptor by Bitdefender is a helping tool for decrypting the files of the victims, free of cost. It uses the path containing pairs of clean-encrypted files and scans the entire system of files or file folders. This decryptor provides a feature called as “backup file”, which comes in handy in case of any problem during the decryption of the files.
LockerGoga is a program classified as ransomware, it came into notice in the 2019 cyber-attack against the U.S. and Norway-based companies, where the threat actors targeted high-profile organisations and individuals, including the world's greatest aluminum producer Norsk Hydro, and engineering firm Altran Technologies of France. They used it to encrypt the stored data on computers and blackmailed the users for ransom in exchange for decryption tools.
The National Cyber Security Centre (NCSC) reported that this computer infection was used in attacking over 1800 organizations all around the world. Cyberattacks involving various ransomware, one of them being LockerGoga, led to monetary damages of approximately 104 million US Dollars in 71 countries.
Around 12 of the attackers involved in the cyber-attack were arrested in October 2021 under an international law enforcement operation for spreading ransomware. In the wake of the arrest of its operator, LockerGoga was dismantled – which also led to the termination of all master private keys used in the encryption. As a result, those victims who did not pay the ransom to the threat actors were left with encrypted files waiting to recover them.

Twitter Pranksters Halt GPT-3 Bot with Newly Discovered “Prompt Injection” Hack


On Thursday, a few Twitter users revealed how to hijack an automated tweet bot dedicated to remote jobs and powered by OpenAI's GPT-3 language model. They redirected the bot to repeat embarrassing and ridiculous phrases using a newly discovered technique known as a "prompt injection attack.", a site that aggregates remote job opportunities, runs the bot. It describes itself as "an OpenAI-driven bot that helps you discover remote jobs that allow you to work from anywhere." Usually, it would respond to tweets directed at it with generic statements about the benefits of remote work. The bot was shut down late yesterday after the exploit went viral and hundreds of people tried it for themselves.

This latest breach occurred only four days after data researcher Riley Goodside unearthed the ability to prompt GPT-3 with "malicious inputs" that instruct the model to disregard its previous directions and do something else instead. The following day, AI researcher Simon Willison published an overview of the exploit on his blog, inventing the term "prompt injection" to define it.

The exploit is present any time anyone writes a piece of software that works by providing a hard-coded set of prompt instructions and then appends input provided by a user," Willison told Ars. "That's because the user can type Ignore previous instructions and (do this instead)."

An injection attack is not a novel concept. SQL injection, for example, has been recognised by security researchers to execute a harmful SQL statement when asking for user input if not protected against it. On the other hand, Willison expressed concern about preventing prompt injection attacks, writing, "I know how to beat XSS, SQL injection, and so many other exploits. I have no idea how to reliably beat prompt injection!"

The struggle in protection against prompt injection stems from the fact that mitigations for other types of injection attacks come from correcting syntax errors, as noted on Twitter by a researcher known as Glyph.

GPT-3 is a large language model developed by OpenAI and released in 2020 that can compose text in a variety of styles at a human-like level. It is a commercial product available through an API that can be integrated into third-party products such as bots, subject to OpenAI's approval. That means there could be many GPT-3-infused products on the market that are vulnerable to prompt injection.

"At this point I would be very surprised if there were any [GPT-3] bots that were NOT vulnerable to this in some way," Willison said.

However, unlike a SQL injection, a prompt injection is more likely to make the bot (or the company behind it) look foolish than to endanger data security. 

"The severity of the exploit varies. If the only person who will see the output of the tool is the person using it, then it likely doesn't matter. They might embarrass your company by sharing a screenshot, but it's not likely to cause harm beyond that." Willison explained.  

Nonetheless, prompt injection is an unsettling threat that is yet emerging and requires us to be vigilant, especially those developing GPT-3 bots because it may be exploited in unexpected ways in the future.

A Large Number of Ventures Suffering From Cloud Security Attacks

The advent of technology led malicious actors, to invade the privacy of users' systems in a few steps. Cloud security is one such technology that has increasingly worked to fortify users' data from threat actors. 

However, as per the statistics, even the latest cyber security is at risk; a report publicized by Synk shows, that 80% of the enterprises suffered from these actors’ invasion in just the past 12 months. The wide adoption of cloud security has been considered a major reason for a rapidly increasing number of cases. 

There have been several bigger cases that show the breach of cloud security. Accenture is one of them which came under the claws of cloud security attacks. Once in 2017 when the company's AWS S3 storage was unsecured and was made available for public reach. The attackers found confidential API data, digital certificates, meta info, etc. and they used it to blackmail and squeeze money from the. The second was when in 202, the firm got struck by LockBit ransomware. 
As per Synk’s report, 58% of the people were predicting that they again will face another cloud security attack in the future, and 25% were afraid that they must have endured a breach in their cloud storage but were not aware of it. These thoughts were creating a negative impact on cloud security. Whereas, there are many other similar cases like Accenture, where organisations left their cloud storage open to be accessed publically, and did not have even basic security. 

The CEO and Co-founder of Orca, Avi Shua stated that other than the cloud platforms providing safe spaces for data storage in cloud infrastructure, the state of the business’s workloads, identities, etc. stored in the cloud are also equally responsible for the security of the public cloud data.

For making 100% from cloud storage and evading the problems in cloud securities, it is important to include experts in cloud-native security. and to avoid such incidents as Accenture cases it becomes a necessity to add additional training and education. As an institute can’t deal with such a situation without planning, they should work with proper strategies and focus on how to avoid the risk of 

To make the best of cloud storage and avoid falling prey to problems related to cloud security, it becomes pertinent to include experts in cloud-native security. To avoid such incidents from occurring in Accenture and other such companies, it's important that additional training and education about cloud security handling is provided by the relevant institutes and organisations. It's implausible to deal with such a situation without planning, the companies should work with proper strategies and focus on how to avoid the risk of data theft.  

Traffic Safety Agency Issues Final Guidelines for Vehicle Cybersecurity

Finally, the National Highway Traffic Safety Administration has announced the big news. The administration on Friday will publish the final version of the cybersecurity practices in the Federal Register, focusing on cryptographic techniques to mitigate cyber threat risks as vehicles become more technologically integrated. 

NHTSA officials took advice from the public in the final draft of Cybersecurity Best Practices for the Safety of Vehicles during the draft publication’s open comment period. In addition to this, the committee added more details on key systems and cryptographic elements, as well as how threat actors could use software updates to get into the vehicle’s network. 

The Federal Register in its blog post stated that the advancement in vehicle and automotive technology has increased the chances of cybercrimes, and for the safety of vehicles organizations need to follow proper guidelines. 

“The evolution of automotive technology has included an increasingly expanded use of electronic systems, software, and wireless connectivity. Automotive technology has developed to such an extent that today's vehicles are some of the most complex computerized products available to consumers,” the blog post by Federal Register read. 

“…Enhanced wireless connectivity and continued innovations in electronic control systems introduce substantial benefits to highway transportation safety, mobility, and efficiency. However, with the proliferation of computer-based control systems, software, connectivity, and onboard digital data communication networks, modern vehicles need to consider additional failure modes, vulnerabilities, and threats that could jeopardize benefits if the new safety risks are not appropriately addressed."

 According to the final draft the manufacturers have to implement measures in the following four areas: 

• Manufactures have to manage vehicle cyber risks 
• Investigating and responding to security incidents across the vehicle fleet 
• Securing modern vehicles by design to mitigate risks along the value chain 
• Ensuring that the safety of a vehicle is not compromised and also providing secure software updates

Furthermore, in the European Union, the final guidelines on automotive cybersecurity will be mandatory for all modern vehicles manufactured from July 2024. Also, the Japanese and the Korean government have agreed to implement the regulations, however, they will implement them according to their own timeline. 

Shopify Risking Customers Data by Employing Weak Password Policy


Specops Software, a password manager, and authentication solutions vendor published a new report this week disclosing that e-commerce giant, Shopify with more than 3.9 million live websites globally, employs weak password policies on the user-facing section of its website. 

To create a Shopify account, users only need to create a password that is at least five characters in length and that does not begin or end with a space. 

Threat analysts at Specops examined a list of a billion breached passwords and unearthed that nearly every (99.7%) of those passwords comply with Shopify's requirements. However, this does not mean that Shopify customers' passwords have been breached, in fact, it only highlights the threats linked with using weak passwords. 

Shopify headquartered in Ottawa, Ontario was founded in 2006 by Tobias Lütke, Daniel Wenand, and Scott Lake following the trio's failure to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. 

Risk of using weak passwords 

According to security analysts at Specops, password attacks work because the majority of businesses require users to set short-length passwords. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Earlier this year, Hive Systems, a cybersecurity firm, analyzed the amount of time required to brute force crack passwords of multiple lengths and with different levels of complexity. The security analysts discovered that a five-character password can be easily breached, irrespective of complexity. Given the ease with which hackers can crack shorter passwords, organizations ideally require complex passwords that are at least 12 characters in length. 

Enterprises risking users’ data safety 

According to the survey conducted by identity management vendor Hitachi ID, nearly 46% of enterprises store corporate passwords in office documents like spreadsheets making them vulnerable to a significant cyber threat. Hitachi ID surveyed 100 executives across EMEA and North America to recognize better how secure their password management is. 

It suggests that businesses aren’t practicing what they preach because almost all (94%) participants asserted they need password monitoring training, with 63% claiming they do so more than once a year.

Enhancing IT security 

This, of course, raises the question of what businesses require to strengthen their overall password security. Perhaps the most critical recommendation would be to set a password requirement that is longer and more complex than what is currently used. Businesses can employ Windows operating systems containing account policy settings to control password length and complexity requirements.

Additionally, organizations can use Specops Password Policy to restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. This might include using consecutive repeating characters (such as 99999) or replacing letters impersonating symbols (such as $ instead of s).

Zyxel Updates NAS Devices to Fix Potential Security Flaw

Shaposhnikov Ilya alerted about a major security vulnerability, targeting Zyxel's network-attached storage (NAS) device. The vulnerability was identified as CVE-2022-3474 and the patches for the same were released. The vulnerability officially described as a 'format string vulnerability' affects Zyxel NAS326 firmware versions before V5.21(AAZF.12)C0 and has a CVSS score of 9.8/10.

An attacker could take advantage of the issue by sending specially created UDP packets to vulnerable products. The firm said in an alert that a successful flaw exploit might allow a hacker to run whatever code they want on the vulnerable device.

Zyxel provided security upgrades in May 2022 to address a number of vulnerabilities impacting a variety of products, including firewall, AP, and AP controller products.

The following versions are affected by the flaw:
  • NAS326 (versions before V5.21(AAZF.11)C0)
  • NAS540 (versions prior to V5.21(AATB.8)C0), and
  • Prior to V5.21(ABAG.8)C0, NAS542
This revelation follows Zyxel's July patching of the CVE-2022-30526 and CVE-2022-2030 vulnerabilities impacting its firewall products, which affect local root access and authenticated directory traverse.

The four vulnerabilities with the command injection bug in some CLI commands classified as CVE-2022-26532 being the most critical are as follows: 
  • CVE-2022-0734: A cross-site scripting vulnerability was found in the CGI program of various firewall versions, which could let an attacker use a malicious script to access data stored in the user's browser, like cookies or session tokens.
  • CVE-2022-26531: Several erroneous input validation problems were discovered in several CLI commands of some firewall, AP controller, and AP versions that might let a local authorized attacker bring down the system or trigger a buffer overflow through the use of a specially crafted payload.
  • CVE-2022-26532: Certain firewall, AP controller, and AP versions contain the 'packet-trace' CLI command that contains a command injection vulnerability that might allow a local, authorized attacker to execute arbitrary OS instructions by providing specially crafted inputs to the function.
  • CVE-2022-0910: In the CGI program of various firewall versions, an authentication bypass issue resulting from a deficient access control mechanism has been discovered. An attacker may be able to use an IPsec VPN client to switch from two-factor verification to one-factor verification due to the bug.
A few days after QNAP issued a warning about a fresh wave of Deadbolt ransomware attacks aimed at its NAS consumers, Zyxel released its caution. 

In earlier assaults that exploited another critical-severity vulnerability resulting in remote code execution, a Mirai botnet variant targeted Zyxel NAD products.

Remote code execution flaws in NAS devices, which are frequently used to store massive amounts of data, might easily result in complete device compromise. NAS devices are frequently the target of ransomware assaults. 

Interpol Arrests 12 Suspects for Running Sextortion Racket

A joint operation to crack down sex racket

Interpol announced the arrest of 12 individuals under suspicion of core members of transnational sextortion ring. 

The arrests happened in July and August because of a joint investigation done by Interpol's cybercrime division and police in Singapore and Hongkong. 

Under the Banner #YouMayBeNext, supported by 75 INTERPOL member countries and 21 private and public entities, the campaign focuses specifically on sextortion, Distributed Denial of Service (DDoS), and ransomware attacks. 

In an example of the challenges these cyber attacks represent, international police operations supported by INTERPOL has found and tracked down transnational sextortion ring that was able to extract around USD 47,000 from targets. 

As of now, the investigation has tracked 34 back to the syndicate. 

What is sextortion?

Sextortion is considered a criminal act and is a form of sexual exploitation that includes harrassing an individual, either via threat or manipulation, into making sexually explicit content and sending it over the internet. 

The suspects reached out to potential victims through online dating and sex platforms, then lure them into downloading a malicious mobile app and trick them into "naked chats." 

The suspects used this app to hack victim's phone contact lists, then threaten victims by blackmailing to leak their nude videos to their relatives and friends. 

The victims of the sextortion racket are mostly from Hongkong and Singapore. 

Raymond Lam Cheuk Ho, Acting Head of the Hong Kong Police’s Cyber Security and Technology Crime Bureau said:

"We conducted a proactive investigation and in-depth analysis of a zombie command and control server hosting the malicious application, which – along with the joint efforts by our counterparts – allowed us to identify and locate individuals linked to the criminal syndicate.”

INTERPOL's warning 

Besides this, Interpol has warned about a surge in sextortion incident in the recent years, the rise has been aggravated due to the Covid-19 pandemic. 

It mentions the risks of the sextortion, just a click away on a malicious link or an intimate video/picture to someone can expose users to sextortion threats. 

Last year, the FBI Internet Crime Complaint Center (IC3) alarmed about a sudden rise in sextortion complaints since the start of 2021. As per the experts, the attack has caused   financial losses of more than $8 Million until July 2021. 

The FBI got more than 16,000 sextortion complaints until July 2021, most of the victims fall between the age of 20 and 39. 

How to be safe from sextortion?

Security affairs reports the following measures to stay safe from sextortion threats: 

  • NEVER send compromising images of yourself to anyone, no matter who they are or who they say they are.
  • Do not open attachments from people you do not know. Links can secretly hack your electronic devices using malware to gain access to your private data, photos, and contacts, or control your web camera and microphone without your knowledge.
  • Turn off your electronic devices and web cameras when not in use.

Authorities Seize Online Marketplace for Stolen Credentials

In coordination with International Law enforcement authorities, Portuguese conducted an investigation and successfully seized the website selling login credentials and PII addresses of over 5.85 million people. 

The United States law enforcement agencies also reported that they have seized four domains of an online marketplace associated with the online shop, named ‘’, ‘’,’, and ‘’. 

A federal agency had charged Nicolai Colesnicov, 36, of the Republic of Moldova, with operating wt1shop to facilitate the selling of stolen credentials and PII. 

Following the incident, the U.S. Justice Department (DoJ) stated that the agencies seized approximately 25,000 scanned driver’s licenses/passports, 1.7 million login credentials for various online shops, 108,000 bank accounts, and 21,800 credit cards.

According to the documents, visitors of the illegal marketplace could purchase the stolen data using Bitcoin. Around 2.4 million credentials had been sold on wt1shop, for total proceeds of $4 million. Also, the online market had a forum that could be accessed by the customers. 

The data that was sold was for online retailers, PayPal accounts, financial institutions, and email accounts. Other credentials were for remote access to computers, servers, and other appliances Additionally,  a person visiting the website to buy stolen credentials can also purchase the credit card accounts of that victim. 

 U.S. Attorney Brit Featherston said that “This case exemplifies the need for all of us, right now, to take steps to protect our online identity, our personal data, and our monetary accounts. Cyber-criminals are lurking behind the glow of computer screens and are harming Americans. These investigations require dedicated professionals who work tirelessly to stop thieves that steal from unknowing innocent people. To those who dedicate their lives to stopping cyber-criminals, we thank you.”

Earlier this year, the Department of Justice along with other international authorities had announced that they had seized Slilpp, the largest site for stolen credentials on the Dark Web. The site had data of 80 million users from 1,400 service providers. 

Also, on March 16, 2022, a federal grand jury put Igor Dekhtyarchuk, a Russian citizen, on trial for running a cyber-criminal marketplace that stole and sold thousands of login credentials, authentication tools, and Personally Identifiable Information. 

SEC Amends Cyber Incident Disclosure, Raises Concerns

SEC taking a tough stand on cyber threats 

Due to rise in breaches among its members and on its systems, the Security and Exchange Commission (SEC) is thinking how it can tackle the problem of cyber threats. 

The SEC suggested new amendments in March to supervise how investment firms and public companies under its purview should strengthen their IT security management and incident reporting. 

Throughout the years, SEC's disclosure regime has advanced to highlight evolving risks and investor needs. 

Current Cyber Security Landscape 

Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner, said SEC Chair Gary Gensler.

SEC being rough on incident reporting and identity theft programs

In July, the SEC thrashed JP Morgan & Co, UBS and online stock-trader TradeStation with having deficient customer identity programs, all these programs have violated the Identity Red Flag rules, or regular S-ID between between January 2017 and October 2019. 

Regulation S-ID aims to protect investors from identity threat risks. All the three financial organizations have agreed to: 1.Cease and desist from violations in future, 2. Getting censored, 3. Pay fines of $1.2 Million, $925,000, and $425,000, respectively. 

Besides these commitments, the SEC's proposed amendments will need the financial institutions to provide current report regarding material cybersecurity cases and periodic reporting to give updates about earlier reported cybersecurity incidents. 

The SEC in March issued that:  

“proposed rule defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”  Under the new rule, it considered "information systems" in a broad sense, especially when the financial firm made use of a cloud- or host based systems. 

SEC in the amendment says:

"The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks. The registrant’s board of directors' oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures." 

Chinese Loan Apps Fraud: Indian Agency Raids Razorpay, Paytm, Cashfree


On Saturday, The Indian law Enforcement Directorate agency (ED) carry out raids at nine premises connected to online payment gateways including Paytm, Cashfree, and Razorpay in Bengaluru. Also, some of these companies are believed to be involved in illegal betting. 

The official said the raids were conducted in connection with a money laundering case — part of an ongoing investigation against some illegal loan apps allegedly run by Chinese Nationals. 

The ED reported that the law enforcement agency successfully seized Rs 17 crore kept in “merchant IDs and bank accounts of these Chinese persons-controlled entities” during the raids. 

In a statement, a Razorpay spokesperson said: “Some of our merchants were being investigated by law enforcement about a year-and-a-half back. As part of the ongoing investigation, the authorities requested additional information to help with the investigation. We have fully cooperated and shared KYC and other details. The authorities were satisfied by our due diligence process”. 

Furthermore, the agency added that after it started working on probes, many of these companies shut down their business and diverted funds through fintech companies to buy crypto assets so the money could be laundered abroad. 

In this connection, the Law enforcement agency searched various premises associated with crypto exchange WazirX and froze Rs 64 crore in its accounts. 

Cashfree said its processes adhere to PMLA directions. “We extended our diligent cooperation to the ED operations, providing them the required and necessary information on the same day of inquiry. Our operations and onboarding processes adhere to the PMLA and KYC directions, and we will continue to do so in the time to follow,” said a company spokesperson. 

Additionally, in August 2020, the agency successfully ran a raid and froze Rs 47 crore belonging to a Chinese company that was running illegal betting and loan apps in India. Also, the agency conducted searches at 15 premises in connection with the company across Delhi, Mumbai Gurgaon, and Pune. 

The Directorate of Enforcement (ED) agency is Indian law enforcement and economic intelligence agency which works for enforcing economic laws and conducting legal battles against economic frauds and crimes in India.

UK Government Releases New Machine Learning Guidance

Machine Learning and NCSC

The UK's top cybersecurity agency has released new guidance designed to assist developers and others identify and patch vulnerabilities in Machine Learning (ML) systems. 

GCHQ's National Cyber Security Centre (NCSC) has laid out together its principles for the security of machine learning for any company that is looking to reduce potential adversarial machine learning (AML). 

What is Adversarial Machine Learning (AML)?

AML attacks compromise the unique features of ML or AI systems to attain different goals. AML has become a serious issue as technology has found its way into a rising critical range of systems, finance, national security, underpinning healthcare, and more. 

At its core, software security depends on understanding how a component or system works. This lets a system owner inspect and analyze vulnerabilities, these can be reduced or accepted later. 

Sadly, it's difficult to deal with this ML. ML is precisely used for enabling a system that has self-learning, to take out information from data, with negligible assistance from a human developer.

ML behaviour and difficulty to interpret 

Since a model's internal logic depends on data, its behaviour can be problematic to understand, and at times is next to impossible to fully comprehend why it is doing what it is doing. 

This explains why ML components haven't undergone the same level of inspection as regular systems, and why some vulnerabilities can't be identified. 

According to experts, the new ML principles will help any organization "involved in the development, deployment, or decommissioning of a system containing ML." 

The experts have pointed out some key limitations in ML systems, these include:

  • Dependence on data: modifying training data can cause unintended behaviour, and the threat actors can exploit this. 
  • Opaque model logic: developers sometimes can't understand or explain a model's logic, which can affect their ability to reduce risk.
  • Challenges verifying models: it is almost impossible to cross-check if a model will behave as expected under the whole range of inputs to which it might be a subject, and we should note that there can be billions of these. 
  • Reverse engineering models and training data can be rebuilt by threat actors to help them in launching attacks. 
  • Need for retraining: Many ML systems use "continuous learning" to improve performance over time, however, it means that security must be reassessed every time a new model version is released. It can be several times a day. 

In the NCSC, the team recognises the massive benefits that good data science and ML can bring to society, along with cybersecurity. The NCSC wants to make sure these benefits are recognised. 

NSA and CISA Share Tips to Secure the Software Supply Chain

Recently, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published a 64 long pages document in which the institutions gave tips on securing the software supply chain. 

The guidelines are framed by the Enduring Security Framework (ESF)—a public-private partnership that works on intelligence-driven, shared cybersecurity challenges and addresses threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers. 

"Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said. 

State-sponsored cyberattacks like the SolarWinds supply-chain attack and FireEye which led to exploitation of several US federal agencies, and took advantage of software vulnerabilities like Log4j brought the Enduring Security Framework into the course. 

Following the cyber threats, US President Biden signed an executive order in May 2021 to advance the country's mechanism against cyberattacks. Additionally, the Biden cabinet released a new Federal strategy against cyber threats in January, pushing its government to adopt a "zero trust" security model. Later, NSA and Microsoft recommended this approach in February 2021 for large enterprises and critical networks. 

“The developer holds a critical responsibility to the security of our software. As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer,” reads NSA’s statement. 

Following are some of the mitigation tips that have been recommended in the report: 

• Generate architecture and design documents
• Create threat models of the software product
• Gather a trained, qualified, and trustworthy development team
• Define and implement security test plans
• Establish product support and vulnerability handling policies and procedures
• Define release criteria and evaluate the product against it
• Document and publish the security procedures and processes for each software release
• Assess the developers’ capabilities and understanding of the secure development process and assign training

Furthermore, the report recommends that the supplier and developer management team should set policies and security-focused principles that ensure the growth and protection of the company’s infrastructure against cybercrimes. 

Infrastructure Used in Cisco Hack is the same used to Target Workforce Management Solution Firm

Hackers Attack Organization using Cisco Attack Infrastructure

Experts from cybersecurity firm eSentire found that the attack infrastructure used in recent Cisco hack was also used in targeting a top Workforce management corporation in April 2022. 

They also observed that the attack was executed by a threat actor called as mx1r, who is an alleged member of the Evil Corp affiliate cluster called UNC2165.

What is UNC2165?

The UNC2165 is in action since 2019, it was known for using the FAKEUPDATES infection chain (aka UNC1543) to get access to victims' networks. 

Experts observed that FAKEUPDATES was also used as the initial infection vector for DRIDEX infections which were used to execute BITPAYMER or DOPPELPAYMER in the final stage of the attack. 

Hades ransomware was also used

Earlier, the UNC2165 actors also used the HADES ransomware. As per eSentire, the hackers accessed the workforce management corporation's IT network via stolen Virtual Private Network (VPN) credentials. 

The experts found various underground forum posts, from April 2022, where mx1r was looking for VPN credentials for high-profile organizations. 

They also found posts on a Dark Web access broker auction site where a threat actor was buying VPN credentials for big U.S companies. 

Experts also find Cobalt Strike 

The researchers also discovered the attackers attempting to move laterally in the network via a set of red team tools, this includes Cobalt strike, network scanners, and Active Domain crawlers. 

The attackers used Cobalt Strike and were able to have initial foothold and hands-on-actions were quick and swift from the time of initial access to when the attacker could enlist their own Virtual Machine on the target VPN network. 

eSentire researchers also noticed the attacker trying to launch a Kerberoasting attack (cracking passwords in Windows Active Directory via the Kerberos authentication protocol) which is also in line with the TTPs of the Evil Corp affiliate/UNC2165. 

eSentire experts discovered the attack

TTPs of the attack that attacked the workforce management corporation are similar with Evil Corp, while the attack infrastructure used matches that of a Conti ransomware affiliate, who has been found using Hive and Yanlukwang ransomware. eSentire traces this infrastructure cluster as HiveStrike. 

"It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp. Given that Mandiant has interpreted UNC2165´s pivot to LockBit, as an intention to distance itself from the core Evil Corp group, it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of Conti’s new subsidiaries. Conti’s subsidiaries provide a similar outcome – to avoid sanctions by diffusing their resources into other established brands as they retire the Conti brand,” eSentire report concludes. “It’s also possible that initial access was brokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates.”

Kiwi Farms Offline Due to Targeted DDoS Attacks

Site accused of leaking personal information 

Kiwi Farms is a website that hosts user-generated content and discussion forums. It has been accused of doxing, cyberbullying, and harassment. Kiwi Farms has been blocked from various social media websites and domain providers. 

Since 26th August 2022, however, Kiwi Farms has not been online and is showing a note from its administrators which says why the site is offline and how Kiwi Farms has been hit by DDoS (distributed denial of service) and other types of cyber attacks. 

Before the service was disrupted, according to the Kiwi Farm forum, it was targeted by a "DDoS attack" and other forms of network interruption attacks. 

The forum's administrators think that it was due to these cyberattacks and to safeguard other users, the internet service provider was compelled to ban their site.

Why is Kiwi Farms a target?

The website is infamous for doxing- or leaking personal information of users it considers "incels" (involuntary celibates), social justice warriors, feminists, and other users. 

It is believed that Kiwi Farms intently harass and humiliate people. A Twitch streamer and transgender activist Clara Sorrenti from Canada was arrested and swatted in London, Ontario, on 5th August. 

After a few days, the streamer's hotel address and location were exposed on Kiwi Farms. With the type of content that Kiwi Farms posts, it's no surprise that the site will be targeted by people who don't conform to its tactics. 

Who attacked Kiwi Farms with DDoS?

"Although it is unclear who was behind the DDoS attack against Kiwi Farms, @YourAnonNews, the largest social media representative of the Anonymous movement also tweeted about the incident," reports HackRead. 

Currently, it is not confirmed if Anonymous Hacktivists were behind the attack. 

Cloudfare and Kiwi Farms

Cloudfare offers security and DDoS protection to sites. It also offers services to Kiwi Farms and since the site has been alleged of doxing and leaking personal information of people without consent, the critics want Cloudfare to stop providing its services. 

In August 2017, Cloudfare immediately removed the neo-nazi and racist website DailyStormer from the platform. 

In 2019,  the infamous messageboard 8chan was alleged of sharing inciting content against minorities, and people of colour got ticked off by its hosting company Voxility, and Cloudfare withdrew its services. 

"However, at this moment there has been no statement from Cloudflare over the content Kiwi Farms has been accused of posting," said HackRead. 

FBI Alerts of Rise in Attacks Targeting DeFi Platforms


The FBI is alerting of an increase in cryptocurrency theft attacks on decentralised finance (DeFi) platforms.

According to the agency, criminals are exploiting the increased interest in cryptocurrency, as well as the complex functionality and open-source nature of DeFi platforms, to carry out nefarious activities.

According to the FBI, cybercriminals are stealing virtual currency and causing investors to lose money by utilising security flaws in the smart contracts that govern DeFi platforms. Smart contracts, defined as self-executing contracts containing the terms of an agreement between a buyer and a seller within their lines of code, are present throughout the decentralised blockchain network.

DeFi platforms accounted for roughly 97% of the $1.3 billion in cryptocurrencies stolen by cybercriminals between January and March 2022, an increase from 72% in 2021 and 30% in 2020.

According to the FBI, cybercriminals have also initiated flash loans to trigger an exploit in the DeFi platform's smart contracts (resulting in $3 million in cryptocurrency losses), exploited a signature verification bug in a DeFi platform's token bridge (resulting in $3 million in cryptocurrency losses), and tampered cryptocurrency price pairs (to steal $35 million in cryptocurrency).

Before investing, investors should research DeFi platforms, protocols, and smart contracts to identify potential risks and ensure that the DeFi investment platform's code has been audited at least once.

Furthermore, they should be cautious of DeFi investment pools with short timeframes for joining and rapid deployment of smart contracts, as well as the dangers posed by crowdsourced solutions in terms of bug hunting and patching.

According to the FBI, DeFi platforms should implement real-time analytics, monitoring, and code testing to address vulnerabilities and possibly shady activity, as well as an incident response plan that includes informing investors of any suspicious activity, including smart contract exploitation.

A spyware Rival Intellexa Challenges NSO Group

The Pegasus creator NSO Group is now facing competition from a little-known spyware company called Intellexa, which is charging $8 million for its services to hack into Android and iOS devices. 

Vx-underground, a distributor of malware source code, discovered documents that represented a proposal from Intellexa, a company that provides services like Android and iOS device exploits. On Wednesday, it shared several screenshots of documents that appeared to be part of an Intellexa business proposal on Twitter.

Europe is the base of Intellexa, which has six locations and R&D facilities there. According to a statement on the company's website, "We help law enforcement and intelligence organizations across the world reduce the digital gap with many and diverse solutions, all integrated with our unique and best-in-class Nebula platform."

A Greek politician was the target of Intellexa, a Cytrox iPhone predator spyware program, according to a Citizen Lab study from last year.

The Intellexa Alliance, which Citizen Lab defined as "a marketing term for a range of mercenary surveillance companies that emerged in 2019," included Cytrox, according to Citizen Lab.

Spyware threat 

The product specifically focuses on remote, one-click browser-based exploits that let users inject a payload into iOS or Android mobile devices. According to the brief explanation, in order for the exploit to be used, the victim must click on a link.

The docs, "classified as proprietary and confidential," according to Security Week, confirmed that the exploits should function on iOS 15.4.1 and the most recent Android 12 upgrade." The fact that Apple released iOS 15.4.1 in March indicates that the offer is current.

The deal gives a "magazine of 100 active infections" in addition to 10 concurrent infections for iOS and Android devices. A sample list of Android devices that an attack would allegedly be effective against is also displayed in the stolen documents.

Last year, Apple sued NSO Group to prevent the business from using its products and services. It implies that the offer is relatively new. Since then, three security patches for the mobile operating system have been released.

This indicates that Apple might have addressed one or more of the zero-day vulnerabilities utilized by the Intellexa iOS attack, but it's also feasible that the exploits provided by these kinds of businesses could stay unpatched for a considerable amount of time.

The buyer would actually receive considerably more for the $8 million, despite the fact that some have claimed that this is the cost of an iOS hack. The offer is for a whole platform with a 12-month guarantee and the ability to evaluate the data obtained by the exploits.

The documents are undated, but according to vx-underground, the screenshots were published on the hacker forum XSS in Russian on July 14. While there is a wealth of technical knowledge available about the exploits provided by spyware companies, nothing is known regarding the prices they charge clients.

According to a 2019 estimate from India's Economic Times, a Pegasus license costs about $7-8 million each year. Additionally, it is well-known that brokers of exploits are willing to pay up to $2 million for fully automated iOS and Android flaws.

Microsoft Alert: APT29 is Back With its New Tool MagicWeb

Actors responsible for SolarWinds' are back

The attackers behind the Solar Winds supply chain attack APT29 are back and have included a latest weapon to their attack inventory. Known as MagicWeb, a post compromise capability, it is used to keep continuous access to breached environments and moves laterally. 

Experts at Microsoft noticed the Russia-backed Nobelium APT using the backdoor after gaining administrative rights to an Active Directory Federated Services (AD FS) server. 

Use of MagicWeb to get privileged access 

With the help of privileged access, the hackers change a genuine DLL with the malicious MagicWeb DLL, to load the malware with AD FS and make it look legitimate. 

Similar to domain controllers, AD FS servers can verify users. MagicWeb enables this on the behalf of hackers by letting the manipulation of the claims that pass through verification tokens generated by an AD FS server, therefore, they can verify as any user on the system. 

MagicWeb is better than previous versions 

As per Microsoft, MagicWeb is a better version of the earlier used FoggyWeb tool, which also makes a steady foothold inside the target networks. 

Researchers at Microsoft say that MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.

In the report, Microsoft mentioned that the hackers are targeting corporate networks with the latest verification technique MagicWeb. It is highly sophisticated and allows hackers to take control of the victim's network even after the defender tries to eject them. 

Stealing data isn't the only aim

We should also note that the hackers are not depending on supply chain attacks, this time, they are exploiting admin credentials to execute MagicWeb. 

The backdoor secretly adds advanced access capability so that the threat actors can execute different exploits other than stealing data. For example, the threat actor can log in to the device's Active Director as any user. 

A lot of cybersecurity agencies have found sophisticated tools, this includes backdoors used by SolarWinds' hackers, among which MagicWeb is the latest one discovered and identified by Microsoft. 

How to protect yourself?

To stay safe from such attacks Microsoft recommends "practicing credential hygiene is critical for protecting and preventing the exposure of highly privileged administrator accounts. This especially applies on more easily compromised systems like workstations with controls like logon restrictions and preventing lateral movement to these systems with controls like the Windows Firewall."