How Leaked Twitter API Keys Can be Used to Build a Bot Army

CloudSEK’s Attack Surface Monitoring Platform recently found 3,207 mobile apps that expose Twitter API keys in the clear; some of those keys are already being used to gain unauthorized access to the Twitter handles associated with them. 

CloudSEK, a Singapore-based cybersecurity firm, reported that the takeover is made possible by the leak of legitimate Consumer Key and Consumer Secret information.  

In detail, CloudSEK’s Attack Surface Monitoring Platform found that 3,207 apps were leaking a valid Consumer Key and Consumer Secret. Of these, 230 apps, some of which belong to unicorn companies, were leaking all four authentication credentials, which can be used to fully take over their Twitter accounts and perform critical or sensitive actions such as: 

• Read Direct Messages 
• Retweet 
• Like 
• Delete 
• Remove followers 
• Follow any account 
• Get account settings 
• Change display picture 

"Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions," the researchers said. 

To access the Twitter API, a client has to generate secret keys and access tokens, which act as the usernames and passwords for the app and for the users on whose behalf the API requests are made. With all four credentials, the researchers said, the possible actions range from reading direct messages to carrying out arbitrary actions including retweeting, liking and deleting tweets, removing followers, following any account, accessing account settings, and even changing the account profile picture. 

With access to this information, malicious actors can build a Twitter bot army that could be used to spread misinformation on the social media platform. 
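As an added example (not CloudSEK's tooling), the following pre-release check scans an app's source and resource files for the four hardcoded credential types the page names and rates the exposure the way the report does (app credentials only versus all four). The identifier spellings and the sample files are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# The four credential types named in the report. The identifier spellings are
# assumptions about how developers commonly name them; values are treated as
# opaque strings of 16+ token characters.
CREDENTIAL_NAMES = {
    "consumer_key": r"(?:twitter[_.]?(?:consumer|api)|consumer)[_.]?key",
    "consumer_secret": r"(?:twitter[_.]?(?:consumer|api)|consumer)[_.]?secret",
    "access_token": r"(?:twitter[_.]?)?(?:oauth[_.]?)?access[_.]?token(?![_.]?secret)",
    "access_token_secret": r"(?:twitter[_.]?)?(?:oauth[_.]?)?access[_.]?token[_.]?secret",
}
VALUE = r"[A-Za-z0-9_\-]{16,}"

# Two shapes of hardcoding: a quoted string assignment (Java/Kotlin/Swift/JSON)
# and an Android <string name="..."> resource.
ASSIGNMENT = r'(?P<name>{name})["\']?\s*[:=]\s*["\'](?P<value>' + VALUE + r')["\']'
XML_STRING = r'<string\s+name="(?P<name>{name})"\s*>(?P<value>' + VALUE + r')</string>'


@dataclass
class Finding:
    path: str
    credential: str
    line: int
    masked: str  # never echo the full secret into scan output


def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for cred, name_re in CREDENTIAL_NAMES.items():
        for template in (ASSIGNMENT, XML_STRING):
            rx = re.compile(template.replace("{name}", name_re), re.IGNORECASE)
            for m in rx.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append(Finding(path, cred, line, mask(m.group("value"))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def assess(findings: list[Finding]) -> str:
    """Rate exposure the way the report does."""
    found = {f.credential for f in findings}
    if {"consumer_key", "consumer_secret", "access_token", "access_token_secret"} <= found:
        return "full-takeover"      # all four leaked: account actions possible
    if {"consumer_key", "consumer_secret"} <= found:
        return "app-credentials"    # app identity leaked
    if found:
        return "partial"
    return "clean"


# Constructed sample app files; the credential values are obviously fake.
SAMPLE_FILES = {
    "app/src/main/java/com/example/Tw.java": "\n".join([
        "// constructed sample: all four credentials hardcoded in source",
        'static final String CONSUMER_KEY = "' + "A" * 25 + '";',
        'static final String CONSUMER_SECRET = "' + "B" * 50 + '";',
        'static final String ACCESS_TOKEN = "123456789-' + "C" * 40 + '";',
        'static final String ACCESS_TOKEN_SECRET = "' + "D" * 45 + '";',
    ]),
    "app/src/main/res/values/strings.xml": "\n".join([
        '<string name="twitter_consumer_key">' + "E" * 25 + "</string>",
        '<string name="twitter_consumer_secret">' + "F" * 50 + "</string>",
    ]),
    "app/src/main/java/com/example/Clean.java": "\n".join([
        "// credentials are supplied at build/run time, nothing hardcoded",
        "String consumerKey = BuildConfig.TWITTER_CONSUMER_KEY;",
    ]),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.credential} {f.masked}")
    print("overall:", assess(scan_files(SAMPLE_FILES)))
```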

“The Twitter bot army that we will try to create can fight any war for you. But perhaps the most dangerous one is the misinformation war, on the internet, powered by bots. Tim Berners-Lee, the founding father of the internet, said that it is too easy for misinformation to propagate because most people get their news from a small set of social media sites and search engines that make money from people clicking on links. These sites’ algorithms often prioritize content based on what people are likely to engage with, which means fake news can ‘spread like wildfire’,” CloudSEK reported.

Watch Out For This Raccoon Stealer 2.0 With New Capabilities

Raccoon Stealer, also known as Legion, Mohazo, and Racealer, is a high-risk trojan that infects systems and steals personal credentials. It is back in a second, upgraded version circulating on cybercrime forums, offering criminals improved password-stealing functionality and greater operational capacity. 

The trojan, whose services are offered by various criminal groups on hacker forums, can cause a range of problems once installed on a system. 

The Raccoon Stealer operation was shut down in March 2022, when its operators reported that one of the lead developers had been killed during Russia’s invasion of Ukraine. At the same time, the team promised a comeback with a second, upgraded version with more capabilities. 

“We expect a resurgence of Raccoon Stealer v2, as developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads,” Sekoia said in its report. 

According to the malware developers, the upgraded Raccoon version was built from scratch using C/C++, featuring a new back-end, front-end, and code to steal credentials and other data. 

Raccoon Stealer 2.0 is distributed through a fake Malwarebytes website and steals personal information including basic system fingerprinting data, browser passwords, cookies, autofill data, and saved credit cards. 

Other information that Raccoon Stealer steals is given below:

• Cryptocurrency wallets and web browser extensions including MetaMask, TronLink, BinanceChain, and Ronin
• Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, and ElectronCash
• Individual files located on all disks
• Screenshot capturing
• Installed applications list

The data can be misused in various ways, such as transferring users' funds in crypto-wallets and other accounts (e.g., PayPal, bank accounts, etc.). Victims could, therefore, lose their savings. Moreover, hijacked accounts (e.g., Facebook, emails, etc.) can be misused to borrow money. 

The stealer, which has already infected over 100,000 devices, is sold on a subscription basis for $200 per month. It became one of the most frequently mentioned malware families on underground forums in 2019. 

Free Smartphone Stalkerware Detection Tool Gets Dedicated Hub

Kaspersky, the Russian multinational cybersecurity and anti-virus provider, has launched a new information hub for its open-source stalkerware detection tool, TinyCheck, which was created in 2019 to help people find out whether their devices are being monitored. 

‘Stalkerware’ refers to software programs, apps, and devices that enable people to secretly monitor others’ private lives via their devices. The term came into use when people started using commercial spyware to monitor their spouses or intimate partners. 

Stalkerware has been criticized because of its use by attackers, abusers, stalkers, and employers. With stalkerware, abusers can remotely access victims’ devices, including their web searches, locations, photos, text messages, voice calls, and much more. Such programs are easy to buy and install, which increases the risk to the public. 

These tools exploit weaknesses in the security of modern mobile operating systems and run hidden in the background, without the victim’s consent. Kaspersky’s TinyCheck identifies activity associated with stalkerware in a non-invasive way: it runs on an external device (a Raspberry Pi) and monitors the monitored device’s outgoing traffic over Wi-Fi. 

How Does TinyCheck Work? 

TinyCheck scans a device’s outgoing traffic over a regular Wi-Fi connection and identifies interactions with known sources, such as stalkerware-related servers. It can check any device on any platform, including iOS, Android, or any other OS.

Users also do not have to install anything on their own devices, because the tool runs separately (on the Raspberry Pi), which avoids tipping off the stalker. TinyCheck is available to everyone free of charge. 
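As an added illustration of the matching TinyCheck performs (this is example code, not TinyCheck's own), the function below runs captured DNS queries and connections from a monitored device against an indicator list. The log shape, the `.example` domains and the TEST-NET-3 address are constructed placeholders, not real stalkerware indicators.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed indicator set. A real deployment loads a maintained IOC feed;
# the .example domains and 203.0.113.10 (TEST-NET-3) here are placeholders.
IOC_DOMAINS = {"tracker-panel.example", "cdn.spy-app.example"}
IOC_IPS = {"203.0.113.10"}

# Constructed log shape: timestamp, monitored device IP, record kind, target.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<kind>DNS|CONN)\s+(?P<target>\S+)$"
)

SAMPLE_LOG = """\
2022-06-01T10:00:01 192.168.4.2 DNS www.wikipedia.org.
2022-06-01T10:00:03 192.168.4.2 DNS API.Tracker-Panel.example.
2022-06-01T10:00:04 192.168.4.2 CONN 203.0.113.10:443
2022-06-01T10:00:09 192.168.4.2 DNS cdn.spy-app.example.com
2022-06-01T10:00:12 192.168.4.2 CONN 198.51.100.7:443
this line is not in the expected shape and is skipped
"""


@dataclass
class Alert:
    ts: str
    device: str
    kind: str
    target: str
    indicator: str


def domain_hits(name: str) -> Optional[str]:
    """Label-aware suffix match: a.b.c hits indicator b.c, but b.c.com does not.

    A plain substring check would wrongly flag lookalike domains such as
    cdn.spy-app.example.com, so the comparison is done on whole labels.
    """
    name = name.lower().rstrip(".")  # DNS names may be FQDNs with a trailing dot
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def check_line(line: str) -> Optional[Alert]:
    m = LOG_LINE.match(line)
    if not m:
        return None
    kind, target = m["kind"], m["target"]
    if kind == "DNS":
        hit = domain_hits(target)
    else:
        ip = target.rsplit(":", 1)[0]  # strip the port from ip:port
        hit = ip if ip in IOC_IPS else None
    if hit is None:
        return None
    return Alert(m["ts"], m["src"], kind, target, hit)


def scan_log(text: str) -> list[Alert]:
    return [a for a in (check_line(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} device {a.device} {a.kind} {a.target} -> matches {a.indicator}")
```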

It is a safe, open-source tool that NGOs and police units can use to support victims of cyberstalking. Many NGOs already use it; however, the program is not recommended for independent individual use. Kaspersky recommends that users get in touch with a local support organization before starting a scan, so they can get advice and support if stalkerware turns out to be running on their device. 

0patch Launched Unofficial Patches For ‘DogWalk’ Windows Zero-Day Bug


Today, the 0patch platform released free unofficial patches for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT). 

The security flaw, tracked as ‘DogWalk’, is a path traversal vulnerability that can be exploited to copy an executable into the Windows Startup folder when the victim opens a maliciously crafted .diagcab file (received via email or downloaded from the web). 

“The vulnerability lies in the Microsoft Diagnostic Tool’s sdiageng.dll library, which takes the attacker-supplied folder path from the package configuration XML file inside the diagcab archive, and copies all files from that folder to a local temporary folder...” 0patch said in a post. 

“...During this process, it enumerates files in the attacker’s folder, gets the file name for each of them, then glues together the local temporary path and that file name to generate the local path on the computer where the file is to be created..”
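The quoted description is a textbook case of trusting an attacker-controlled file name when building a destination path. As an added example (not 0patch's or Microsoft's code), the naive join below reproduces the behaviour described, and the hardened check shows what the copy routine should verify before writing. `ntpath` is used so the Windows path semantics hold on any platform; the temp folder path is constructed.

```python
import ntpath
from typing import Optional

# Constructed temp folder, standing in for the local temporary folder the
# diagnostic tool copies into.
TEMP_ROOT = r"C:\Users\victim\AppData\Local\Temp\SDIAG_example"


def naive_destination(temp_root: str, file_name: str) -> str:
    """Glue the temp path and the file name, as the quoted text describes.

    Nothing stops file_name from containing '..\\' components, so after
    normalisation the target can lie outside temp_root.
    """
    return ntpath.normpath(ntpath.join(temp_root, file_name))


def safe_destination(temp_root: str, file_name: str) -> Optional[str]:
    """Return the destination path, or None if the name must be rejected."""
    if not file_name or file_name in (".", ".."):
        return None
    # A name must be exactly one path component: no separators of either kind,
    # no drive or UNC prefix (C:x.exe, \\srv\share\x), and no NTFS stream
    # suffix (x.exe:stream). basename() strips all of those, so any change
    # means the name was not a plain component.
    if file_name != ntpath.basename(file_name) or ":" in file_name:
        return None
    root = ntpath.normpath(temp_root)
    dest = ntpath.normpath(ntpath.join(root, file_name))
    # Belt and braces: the resolved target must still be strictly inside root.
    if not ntpath.normcase(dest).startswith(ntpath.normcase(root) + ntpath.sep):
        return None
    return dest


if __name__ == "__main__":
    for name in ("report.txt", r"..\..\escaped.exe", "C:x.exe", "x.exe:stream"):
        print(f"{name!r:28} naive={naive_destination(TEMP_ROOT, name)!r:60} "
              f"safe={safe_destination(TEMP_ROOT, name)!r}")
```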

According to the technical details, the flaw was first publicly disclosed by security researcher Imre Rad in January 2020; however, Microsoft declined to patch it, stating that it was not a security issue. 

Recently, the bug was rediscovered by security researcher j00sean. Responding to the same issue, Microsoft said that Outlook users are safe because Outlook automatically blocks .diagcab attachments. 

Until Microsoft ships an official fix for this zero-day bug, the 0patch micropatching service has released free unofficial patches for the most affected Windows versions, listed below:

1. Windows 11 v21H2 
2. Windows 10 (v1803 to v21H2) 
3. Windows 7 
4. Windows Server 2008 R2 
5. Windows Server 2012 
6. Windows Server 2012 R2 
7. Windows Server 2016 
8. Windows Server 2019 
9. Windows Server 2022 

“During my testing, I concluded that neither Gmail nor Outlook Live blocked .diagcab files at all, so users of these services could be potential targets. I encountered the filtering mechanism of some MS Exchange-based corporate servers blocking my attachments, however, by linking to a WebDAV share, I could circumvent this protection so the diagcab file could be executed in Outlook….” wrote Rad. 

“…But not even links like this can be used ultimately, they are deactivated by providers like Gmail or Outlook Live and blocked by other security measures of Internet Explorer.”

SVCReady: A New Loader Gets Ready


Recently, a team of researchers found a brand-new wave of phishing campaigns spreading a previously documented malware family called SVCReady. 

Based on HP Wolf Security telemetry, SVCReady, which is still in an early stage of development, has been observed in campaigns since the end of April 2022, with the authors iteratively updating the malware several times last month. 

"The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP, said in a technical write-up. 

The malware stands out for its unconventional way of reaching target PCs: it uses shellcode hidden in the properties of Microsoft Office documents instead of PowerShell or MSHTA. 

The attackers send Microsoft Word document attachments to targets via email that contain Visual Basic for Applications (VBA) AutoOpen macros designed to execute the deployment of malicious payloads. 

Once running on the system, the malware tries to achieve persistence. To do so, it copies its DLL to the Roaming directory, giving it a unique name based on a freshly generated universally unique identifier (UUID), and then creates a scheduled task called RecoveryExTask that runs the copied file with rundll32.exe. 
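The persistence mechanism just described is a good fit for a scheduled-task detection. As an added example (not HP's detection content), the rule below scores scheduled-task creation records on the traits the page lists: launched through rundll32, payload under AppData\Roaming, a UUID-shaped DLL name, and the reported task name. The event records are constructed and only loosely shaped like the fields a SIEM extracts from Windows Security event 4698.

```python
import re

# Traits taken from the page: DLL copied to the Roaming directory under a
# UUID-based name and run via rundll32.exe from a task named RecoveryExTask.
RUNDLL32 = re.compile(r"(?:^|\\)rundll32(?:\.exe)?\b", re.IGNORECASE)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
UUID_DLL = re.compile(
    r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.dll\b",
    re.IGNORECASE,
)
KNOWN_TASK = "recoveryextask"

# Constructed sample records (not real telemetry): task name plus the action's
# command and arguments, as a SIEM would extract them from event 4698.
SAMPLE_EVENTS = [
    {"task_name": "\\RecoveryExTask",
     "command": "rundll32.exe",
     "arguments": "C:\\Users\\alice\\AppData\\Roaming\\"
                  "0a1b2c3d-4e5f-6789-abcd-ef0123456789.dll,Entry"},
    {"task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "command": "%systemroot%\\system32\\usoclient.exe",
     "arguments": "StartScan"},
    {"task_name": "\\OneDrive Standalone Update Task",
     "command": "%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe",
     "arguments": ""},
    {"task_name": "\\Updater",
     "command": "C:\\Windows\\System32\\rundll32.exe",
     "arguments": "C:\\Users\\bob\\AppData\\Roaming\\helper.dll,Run"},
]


def score_task(event: dict) -> list[str]:
    """Return the SVCReady-style persistence traits this task exhibits."""
    reasons = []
    if RUNDLL32.search(event["command"]):
        reasons.append("launched via rundll32")
    if ROAMING_DIR.search(event["arguments"]):
        reasons.append("payload under AppData\\Roaming")
    if UUID_DLL.search(event["arguments"]):
        reasons.append("UUID-named DLL")
    leaf = event["task_name"].lower().rstrip("\\").split("\\")[-1]
    if leaf == KNOWN_TASK:
        reasons.append("task name RecoveryExTask")
    return reasons


def detect(events: list[dict]) -> list[dict]:
    """Alert when two or more traits coincide.

    rundll32 plus a Roaming DLL alone is common enough to be only 'medium';
    three traits, or the exact task name from the report, is 'high'.
    """
    alerts = []
    for ev in events:
        reasons = score_task(ev)
        if len(reasons) < 2:
            continue
        high = len(reasons) >= 3 or "task name RecoveryExTask" in reasons
        alerts.append({"task": ev["task_name"],
                       "severity": "high" if high else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["task"], "->", "; ".join(a["reasons"]))
```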

The malware can collect system information, capture screenshots, run shell commands, and download and execute arbitrary files. Reports also indicate that it may be linked to TA551. 

Additionally, HP said that it has noted overlaps between SVCReady and TA551 (aka Hive0106 or Shathak) malware, however, at present it cannot be confirmed if the same threat actor is behind the latest campaign. 

"It is possible that we are seeing the artifacts left by two different attackers who are using the same tools. However, our findings show that similar templates and potentially document builders are being used by the actors behind the TA551 and SVCReady campaigns,” Schläpfer noted.

Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data

Unidentified hacktivists have hit Russia hard again by leaking 1TB of sensitive data from a leading Russian law firm, Rustam Kurmaev and Partners (RKP Law). 

Rustam Kurmaev and Partners has been operating in Russia for over 20 years and represents around 500 clients, including the Volkswagen Group Russia, Toyota, Ikea, Jones Lang LaSalle, ChTPZ PJSC, Abbott Laboratories, Mechel PJSC, Panasonic, Baker Hughes, ING Bank, Yamaha Motor, Caterpillar, Mars, Gillette, VimpelCom, 2×2 Channel, Citibank, and Sberbank. 

The group announced the attack through their Twitter handles, @DepaixPorteur and @B00daMooda. “We are Anonymous – We have hacked RKPLaw (rkplawru) and leaked 1TB of files, emails, court files, client files, backups, and more! They have a very large (220 clients) and an interesting client list which I will post in the comments,” the tweet read.

Cyberattacks against Russian organizations have become the new normal since the war between Russia and Ukraine began. The cyber campaign against Russia, dubbed #OpRussia, started in February 2022 after the country invaded Ukrainian territory in what it calls a “special military operation” to “denazify and demilitarize” Ukraine. 

@YourAnonNews and @YourAnonTV, two of the largest social media representatives of the Anonymous movement, also tweeted about the data leak. “Once again, #Anonymous delivers. Many thanks to @DepaixPorteur,” tweeted @YourAnonNews. “Just In: #Anonymous released a terabyte of data and emails from Rustam Kurmaev and Partners (RKP Law), a Russian law firm that works with major banking, media, oil, and industrial firms and state interests, including American companies. #OpRussia,” said @YourAnonTV. 

According to DDoSecrets, the attack could be devastating for the company, which specializes in resolving real estate, corporate, construction, and commercial disputes. The firm also provides criminal defense for businesses and builds systematic defense strategies for corporate managers and top executives at various stages of criminal proceedings. It also practices anti-corruption law.

Ukrainians DDoS Russian Vodka Supply Chains


According to the Russian news portal Vedomosti, Ukrainian cyber threat actors took down Russia’s central alcohol distribution portal, the Unified State Automated Alcohol Accounting Information System (EGAIS), which is considered crucial for the distribution of alcoholic beverages across Russian regions.

EGAIS plays an important role in alcohol distribution in the country: by law, all alcohol producers and distributors must register their shipments with EGAIS. The attack therefore caused extensive service disruption across Russia. 

The group hit the portal with DDoS attacks launched on May 2nd and 3rd. In a DDoS (distributed denial of service) attack, the perpetrators overwhelm servers with superfluous requests in an attempt to overload the systems and prevent some or all legitimate requests from being fulfilled. 

According to experts, defending against such attacks requires sophisticated strategies, as simply blocking a single source is insufficient. Three sites belonging to the platform were hit by the DDoS attacks. 

On May 4th, two EGAIS sites showed the error “the server stopped responding,” and the third did not work at all. The attacks began on May 2nd, and the system failures became more apparent the next day. 

Wine trader Fort said that the site stopped working on May 4th, and the Union of Alcohol Producers, Igor Kosarev, and Ladoga representatives claimed the same. 

Fort further added that they had failed to upload about 70% of invoices to EGAIS due to the attack. Its supplies of wine to retail chains and restaurants in the region apparently failed to distribute on May 4 due to the incident. The outage impacted not only vodka distribution but wine companies faced disruption as well alongside purveyors of other types of alcohol. 

“Due to a large-scale failure, factories cannot accept tanks with alcohol, and customers, stores, and distributors cannot receive finished products that have already been delivered to them,” Vedomosti reported.

The Ukrainian threat group Disbalancer claimed responsibility for the attack and announced plans to launch more attacks on the platform.

Russian Group Attack on Bulgarian Refugee Agency


A ransomware group with strong ties to Russia warned on Wednesday that it will publicly post the files it stole from the Bulgarian government agency responsible for refugee management.

LockBit 2.0 published a notice on its dark web leak site saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read, under the group’s trademark bright red countdown clock showing a May 9 publication date. Notably, the post did not include a specific ransom demand. 

According to the Sofia Globe, a news organization in the country’s capital, nearly 5.7 million Ukrainian refugees have fled their country since February and approximately 230,000 fled to Bulgaria, while 100,700 are remaining in the country. 

The official website of the agency remains active, however, a notice on the site’s home page reads, “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable.”

Press contacted an official for a comment on the same matter but the agency didn’t immediately respond to the email. Later, a spokesperson at the Bulgarian embassy in Washington, D.C., said that he did not have information on the incident and would look into the matter. 

LockBit 2.0 is an updated version of LockBit, a ransomware variant that was first spotted in September 2019, according to the cybersecurity firm Emsisoft. Originally known as ABCD ransomware, LockBit is named after the file extension appended to encrypted files, which later changed to “LockBit”. In September, the group made headlines for launching its own leak website. 

“This is simply the latest in a very long list of hits on organizations which provide critical services...,” said Brett Callow, a threat analyst at Emsisoft. 

“...Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

Kellogg Community College Closes after Ransomware Attack


Kellogg Community College in Michigan has closed its campuses and canceled classes after falling victim to a cyber-attack. The Battle Creek-based community college serves approximately 7,000 students annually, according to recent data. 

On Sunday the college posted a statement on its official website with basic information about the ransomware attack that took place over the weekend. It announced the cancellation of all Monday classes and the closure of its five campuses in Battle Creek, Coldwater, Albion, and Hastings.

The website notice explained that the attack is still causing technology problems: “the technology issues we have been experiencing were caused by a ransomware attack that continues to affect our systems.” 

All five Kellogg campuses will remain closed while the security vulnerabilities are under investigation, however, the college community is hoping to reopen the campuses later this week. The community is also working to launch a “forced password reset for all students, faculty, and staff” to better secure the network.

“We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner and appreciate your patience and support in the meantime,” the alert read. 

Since 2021, several community colleges have been victims of ransomware attacks, including Butler County Community College in Pennsylvania, Sierra College in California, and Lewis and Clark Community College in Illinois. 

“As we have previously informed you, we have been the victim of a ransomware attack on our systems and services. We are still working to understand the full extent of this incident, but since our last update, we have been working diligently with our IRT team and have made progress in our restoration process,” said the Kellogg Community College.

Chinese Hackers Targeted Indian State Power Grid


Chinese state-sponsored actors have launched “probing cyberattacks” on Indian electricity distribution centers near Ladakh three times since December 2021, according to a report published on Wednesday by the private intelligence firm Recorded Future. 

The hackers targeted seven Indian state centers responsible for carrying out electrical dispatch and grid control near a border area contested by the two nuclear neighbors, the report added. This attack came to light while the military standoff between the two countries in the region had already deteriorated the relationship. However, the government sources affirmed that the attacks were not successful. 

"In recent months, we observed likely network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states. Notably, this targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh," the group said. 

The hackers used the ShadowPad trojan, which experts say was developed by contractors for China's Ministry of State Security, leading the researchers to conclude that it was a state-sponsored hacking effort. 

"In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group," Recorded Future said.

FBI Investigating More than 100 Ransomware Variants


Ransomware attacks spread more quickly than most organizations can respond. The United States Federal Bureau of Investigation (FBI) is on a mission to investigate more than 100 different variants of ransomware, many of which have been used extensively in various cyberattack campaigns. 

Bryan Vorndran, assistant director of the FBI’s Cyber Division has explained his team’s efforts against the malware threats to the United States House Committee on the Judiciary in Washington. 

In his testimony, Vorndran said: “There is not a day that goes by without multiple FBI field offices responding to ransomware attacks. The ransomware threat is not new, and it has been one of the FBI’s top cybercriminal investigative priorities for some time, but we have seen ransomware attack reporting increase significantly in the past two years, and the impact of these attacks has grown to dangerous proportions, threatening our economic and national security.” 

According to new data published by the FBI this week, cyberattackers wreaked havoc across the U.S., resulting in a record-high number of cyber threat complaints. Describing the rise in ransomware, Vorndran said that from 2019 to 2021 the number of ransomware complaints reported to the FBI’s Internet Crime Complaint Center (IC3) increased by 82%, with a 449% rise in ransom payments. Overall, more than 847,000 complaints were filed, corresponding to crimes that cost victims an estimated sum exceeding $6.9 billion. 

“‘Ransomware-as-a-service’ (when a developer sells or leases ransomware tools to criminal customers) has decreased the barrier to entry and technological savviness needed to carry out and benefit from these compromises and increased the number of criminals conducting ransomware campaigns,” noted Vorndran. 

Further, FBI Deputy Director Paul Abbate has said that the bureau’s cyber division is investigating and working harder than before against the surging cyber threats to protect people. 

He further said, “We can put a cyber-trained FBI agent on nearly any doorstep in this country within one hour, and we can accomplish the same in more than 70 countries in one day through our network of legal attachés and cyber assistant legal attachés.”

Cyber-Attack on New York Ethics Watchdog

New York’s public ethics watchdog agency has shut down its systems after state information technology researchers discovered a malicious cyber-attack on its web servers. 

The Joint Commission on Public Ethics (JCOPE), which regulates lobbying at the State Capitol, reported last Friday evening that, after receiving an alert about suspicious activity on its network, it had launched an investigation to determine the scope of the attack and who was behind it.

Following the attack, the Commission has shut down the systems as a precaution, including its lobbying application and financial disclosure statement online filing system.

JCOPE said the systems will remain shut down until the agency can safely resume normal operations. Agency officials have not yet said who was responsible for the attack, but the agency said it plans to work with state law enforcement officials to investigate.

“Our first and highest priority is the safety and integrity of the data entrusted to the Commission by the regulated community,” said JCOPE Executive Director Sanford Berland in a statement.

Following the attack, the public was not able to access the data about lobbyist expenditures. Lobbyists were kept from submitting their required records. JCOPE said that it will grant automatic extensions to the people who missed a deadline because of the outage. 

Walter McClure, a JCOPE spokesperson added that "the outage also affects searches using the agency’s legacy lobbyist filing system, which was in use until 2019".

As the Ukraine Conflict Escalates, US Braces for Russian Cyberattacks


Some of the most serious cyberattacks on US infrastructure in the last two years have been traced back to Russian hackers. The SolarWinds hack, which infiltrated multiple government departments in 2020, the ransomware attack that forced the suspension of one of America's main fuel pipelines for several days last year, and another attack on JBS, one of the world's largest meat producers, are also on the list. 

The US administration is on high alert for signs of Russian cyberattacks on banks and other financial institutions, following Moscow's broad strike on Ukraine on Thursday, which drew harsh international sanctions. According to a homeland security source with knowledge of the situation, Russia's cyberthreat to the United States is still active and has not changed since Russian President Vladimir Putin started a full-scale invasion of Ukraine. 

Threats to the national grid and big American institutions, according to the source, are a definite possibility. The Department of Justice and the FBI are both bracing for a potential attack and closely monitoring any strange cyber activity. The Department of Justice has a whole national security division devoted to this.

If Russia were to breach the US power system, intelligence officials believe it would take one to two weeks to restore full functionality. The US government has previously disclosed information indicating that Moscow mounted a vast hacking campaign to breach America’s “critical infrastructure,” including power plants, nuclear power plants, and water treatment plants.

Russia has also been accused of conducting online disinformation campaigns aimed at the United States, including efforts to meddle with US elections and cause unrest. This week, US authorities again accused Russian intelligence of spreading misinformation about Ukraine. 

While many online attacks cannot be explicitly traced to the Russian state, Herb Lin, a senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation, believes that hackers work with Russia's support. 

"They don't operate directly for the Russian government, but they operate under a set of rules that says: 'you guys do what you want, don't target Russian stuff and we won't bother you,'" Lin said. 

Even if Russian hackers do not directly target US organisations, Ukraine's reliance on foreign technology, according to Lin, can cause significant problems for the US. If the crisis in Ukraine worsens, "all the stuff in the US that directly aids the Ukrainian military machine becomes fair game for the Russians to target," Lin added.

Iranian APT MuddyWater Targets Turkish Public and Government Entities


Cisco Talos has discovered a new malicious campaign by the MuddyWater threat group targeting Turkish public and government entities, including the Scientific and Technological Research Council of Turkey (Tubitak). 

According to the technical details, the campaign uses malicious PDFs as the initial infection vector, leading to malicious Excel documents (XLS maldocs) and executables hosted on the file hosting domain "snapfile[.]org". The PDFs were designed to look like legitimate documents sent by the Turkish Health Ministry and other officials. 

"This campaign utilizes malicious PDFs, XLS files, and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise," Cisco Talos researchers Asheer Malhotra and Vitor Ventura reported. 

Known for its attacks in the Middle East, the MuddyWater Advanced Persistent Threat (APT) group is also tracked as Static Kitten, Seedworm, and Mercury, and has been active since at least 2017. The group has also attacked many entities in Central and Southwest Asia, as well as numerous government and privately owned organizations in Asia, Europe, and North America. 

The group also targets the telecommunications, cryptocurrency, oil, and airline industries. The research unit found that the group uses typical TTPs: heavy use of scripting in its infection chains, in languages such as PowerShell and Visual Basic, coupled with frequent use of living-off-the-land binaries (LoLBins). 

The unit also observed the use of flags or tokens in the attacks. These act as signals of a successful infection: they are hidden inside the malicious files or within the email itself, and they notify the group when the target opens the bait and runs the macro it contains. 

“Canary tokens are tokens that can be embedded in objects like documents, web pages, and emails. When that object is opened, an HTTP request to is generated, alerting the token’s owner that the object was opened”, researchers added. 

The study said that the campaigns carried out by the group aim at three outcomes: espionage, intellectual property theft, and ransomware attacks.

Russians will face even more serious cyber threats in 2022

In particular, users should be wary of targeted ransomware attacks. Moreover, the damage will increase, not limited to the demand for ransom for encrypted data. Phishing and other types of attacks using social engineering will also remain popular with cybercriminals. In addition, attempts to hack smart devices are expected to rise.

Experts warned that businesses will be the most obvious targets for attackers. The main blow will fall on supply chains, which are a weak link in protection because of the large number of participants in the process, such as contractors and business partners.

In December, it was reported that gate barriers in Russian residential courtyards had turned out to be a source of cyber threats. A vulnerability was found in the device management system of the private company AM Video that led to the leakage of personal data. According to analysts, the error allowed anyone to gain access to any of the company's installations: it was enough to log into a test account and select the identifier (ID) of a camera or barrier. The system then exposed all user data (names, addresses, phone numbers and car makes). Through the website, it was possible to block or open the entrance to a residential property, send notifications to residents' mobile phones and use their personal data.

Earlier it became known that 12 apps that steal banking data from infected devices had been found in the Google Play store for Android. The apps mimic document scanners and QR code readers. After installation, the program itself decides whether to download the malware to the phone; if it does, the malicious code reaches the victim through a fake request to update the app.

Nordic Choice Hotels Chain Suffers Ransomware Attack

Last week, a well-known Scandinavian hotel chain suffered a ransomware attack which, according to sources, may have led to the theft of personal data related to bookings. Hotel staff said the attack rendered its key card system unusable, leaving guests locked out of their rooms. 

The hotel claimed to have been hit last Thursday with a ransomware attack which impacted “the hotel systems that handle reservations, check-in, check-out and creation of new room keys.” 

One guest took to social media to describe the situation, writing that hotel staff were forced to personally escort guests upstairs to their rooms because key cards were not working. 

On Monday, an official statement said the ransomware behind the attack is a Conti variant. Before this incident, Conti had been responsible for large-scale attacks on Ireland's Health Service Executive (HSE) and an outrageous $40m ransom demand against Broward County Public Schools in the USA. However, officials did not say anything about the problem with room keys. 

Following the incident, Nordic Choice is working on replacement solutions to keep its hotel operations running. The operator has also informed the Norwegian cyber threat unit and warned guests currently staying at its hotels, those expected, and those who have stayed in the past about the potential data theft. 

The hotel chain said it will not engage with the attackers, who have also not made any contact with the organization. 

“Our investigations do not currently give any indication that data has been leaked, but we can’t guarantee that is the case. Therefore, the incident entails a risk that information about the guests' bookings may be lost...,” the official statement read. 

“...This information consists of name, email address, telephone number, date of the visit, and any information the guest may have provided in connection with their visit. We do not know for sure yet, but since we see that there may be a risk that such information is leaked, we choose to inform about it now, so that our guests can be extra alert to any suspicious text messages, phone calls, or emails.” 

Nordic Choice Hotels operates a large chain of around 200 hotels across Scandinavia, Finland, and the Baltics. Brands such as Clarion, Quality, and Comfort belong to the chain.

BazarLoader's Arrival and Delivery Vectors now Include Compromised Installers and ISO

While the number of BazarLoader detections increased in the third quarter, two new delivery methods have been added to the list of mechanisms threat actors use for data theft and ransomware. In the first, malicious actors bundle BazarLoader with genuine software, producing compromised installers. The second involves packaging a Windows shortcut (LNK) and a dynamic link library (DLL) payload into an ISO file. The United States has been found to have the highest number of BazarLoader attacks.

Researchers detected tainted versions of VLC and TeamViewer bundled with BazarLoader, according to reports. While the original delivery technique has yet to be identified, the use of these packages is possibly part of a larger social engineering campaign aimed at convincing individuals to download and install the infected installers. When the installers run, a BazarLoader executable is dropped and executed. This is also one of the most noticeable differences from recent BazarLoader arrival approaches, which relied on dynamic link libraries (DLL).

Meanwhile, a distribution technique based on ISO files has been uncovered, in which the BazarLoader DLL is launched via DLL and LNK files contained in the ISO. The LNK file uses a folder icon to fool the user into double-clicking it, which launches the BazarLoader DLL. The "EnterDLL" export function, recently used by BazarLoader, is then called. Rundll32.exe loads the malicious DLL and connects to the C&C server before injecting itself into a suspended MS Edge process. 
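Each step of the chain just described leaves a process-telemetry trace that can be matched without any file signature: a DLL executed by rundll32 from a drive letter that was just created by mounting an image, the EnterDLL export name, and a browser process whose parent is rundll32. The following is an added example, not from the original report, of that detection logic run over constructed Sysmon-like events; the field names, paths, drive letter and sample values are invented, and it assumes the injector is the parent of the suspended browser process it creates.

```python
"""Added example (not from the original report): detection logic for the
ISO -> LNK -> rundll32 -> DLL -> Edge-injection chain described above, run
over constructed process telemetry. Event fields are Sysmon-like but
invented; the sample paths, drive letter and commands are made up."""
import re
from typing import Dict, List

# Constructed sample telemetry. Event 1 records the user mounting an image
# (Windows exposes an ISO as a new drive letter); events 2-6 are process
# creations. Events 3 and 4 are the suspicious chain; 5 and 6 are benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "type": "mount", "image": "explorer.exe", "device": "E:"},
    {"id": "2", "type": "process", "image": "explorer.exe", "parent": "userinit.exe",
     "cmdline": "explorer.exe"},
    # double-clicking the folder-looking LNK runs the DLL export via rundll32
    {"id": "3", "type": "process", "image": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe E:\Documents\Documents.dll,EnterDLL"},
    # the loader starts a browser it will inject into (assumption: the
    # injector is the parent of the suspended process it creates)
    {"id": "4", "type": "process", "image": "msedge.exe", "parent": "rundll32.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'},
    # legitimate rundll32 use from the system directory
    {"id": "5", "type": "process", "image": "rundll32.exe", "parent": "svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Edge launched normally from the shell
    {"id": "6", "type": "process", "image": "msedge.exe", "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'},
]

# rundll32 <dll path>,<export>   (path may be quoted)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.I)


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched rule; a single event may hit several."""
    mounted = {e["device"].upper() for e in events if e["type"] == "mount"}
    findings: List[Dict[str, str]] = []
    for e in events:
        if e["type"] != "process":
            continue
        image = e["image"].lower()
        parent = e.get("parent", "").lower()
        if image == "rundll32.exe":
            m = RUNDLL_RE.search(e["cmdline"])
            if not m:
                continue
            dll, export = m.group("dll"), m.group("export")
            # Rule 1: a DLL executed straight from a mounted image. Strong
            # signal: software is rarely run from an ISO the user just opened.
            if dll[:2].upper() in mounted:
                findings.append({"event": e["id"], "rule": "rundll32_dll_from_mounted_image",
                                 "detail": dll})
            # Rule 2: the export name the report associates with BazarLoader.
            # Weak on its own (trivially renamed), useful as corroboration.
            if export.lower() == "enterdll":
                findings.append({"event": e["id"], "rule": "rundll32_enterdll_export",
                                 "detail": export})
        elif image == "msedge.exe" and parent == "rundll32.exe":
            # Rule 3: a browser whose parent is rundll32 is not a normal
            # launch path and fits the process-injection step.
            findings.append({"event": e["id"], "rule": "msedge_spawned_by_rundll32",
                             "detail": e["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} ({f['detail']})")
```

Rule 1 carries most of the weight: it survives a renamed export and a different browser, and it is the part of the chain the ISO packaging cannot avoid. Rules 2 and 3 are there to raise confidence when they co-occur, not to fire alone.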

As threat actors change their attack techniques to avoid detection, the number of arrival mechanism variations used in BazarLoader campaigns continues to rise. Because single detection methods have limitations, both techniques remain significant and still work despite their lack of novelty. 

While the use of compromised installers has been seen with other malware, the large file size can still pose a problem for detection systems, such as sandboxes, that apply file size limits. LNK files used as shortcuts, on the other hand, will very likely be obfuscated by the additional layers between the shortcut and the malicious files. 

BazarLoader will continue to evolve as a standalone information stealer, an initial-access malware-as-a-service (MaaS) for other malware operators, and a secondary payload distribution mechanism for even more destructive attacks such as modern ransomware. Against unknown threats, security teams must deploy multi-layered systems capable of pattern recognition and behavior monitoring, and make the monitoring and tracking of known threats more effective by building on known indicators.

Missouri Gov. Calls Journalist a “Hacker” Who Found Cyber Flaw on Website

Earlier this month, St. Louis Post-Dispatch reporter Josh Renaud found a flaw on the website of the Missouri Department of Elementary and Secondary Education that exposed the Social Security numbers and personal data of thousands of administrators, public school teachers, and other education personnel. 

Two weeks after the newspaper identified the security flaw on the state website, Governor Mike Parson's administration hired a third-party cybersecurity firm to further investigate and monitor the incident.

Last week the Missouri government signed a legal agreement with Identity Theft Guard Solutions, also known as ID Experts, a company that provides data breach response and credit monitoring services. The matter came to light when the St. Louis Post-Dispatch discovered, in its investigation, that the Social Security numbers of 100,000 Missouri teachers were potentially exposed. 

However, the agreement does not state that ID Experts will focus on that flaw; it does specify that notifying the teachers of the potential breach and providing them with credit monitoring services will cost state taxpayers around $4.5 million. 

In the wake of the incident, the Missouri government threatened legal action against the St. Louis Post-Dispatch journalists who discovered the flaw. Instead of thanking the journalist, the government claimed that he is a "hacker" and that the newspaper's reporting is nothing more than a "political vendetta" and "an attempt to embarrass the state and sell headlines for their news outlet." The Republican governor also said he would hold the newspaper "accountable". 

“This matter is serious. The state is committing to bringing to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires. A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code,’’ Parson later tweeted.

Lockean Multi-ransomware Hitting French Companies: CERT-FR

France’s Computer Emergency Response Team (CERT-FR) has published details of the tools and tactics used by a ransomware affiliate group named Lockean. Over the past two years the group has continuously targeted French companies; reportedly, at least eight French companies have suffered large-scale data breaches. The group steals data and deploys malware from multiple ransomware-as-a-service (RaaS) operations. 

According to the data, the companies that have been victimized by this group are the transportation logistics firm Gefco, the newspaper Ouest-France and the pharmaceutical groups Fareva and Pierre Fabre, among a few others. 

“Based on incidents reported to the ANSSI and their commonalities, investigations were carried out by the Agency to confirm the existence of a single cybercriminal group responsible for these incidents, understand its modus operandi and distinguish its techniques, tactics, and procedures (TTPs)…” 

“…First observed in June 2020, this group named Lockean is thought to have affiliated with several Ransomware-as-a-Service (RaaS) including DoppelPaymer, Maze, Prolock, Egregor, and Sodinokibi. Lockean has a propensity to target French entities under a Big Game Hunting rationale,” reads the report published by CERT-FR. 

Lockean was first spotted in 2020 when it targeted a French manufacturing company and deployed DoppelPaymer ransomware on its network. Between June 2020 and March 2021, Lockean compromised at least seven more companies' networks with various ransomware families, including Maze, Egregor, REvil, and ProLock. 

In most of the attacks, the attackers gained initial access to the victim network through the Qbot/QakBot malware and the post-exploitation tool Cobalt Strike. Qbot/QakBot is a banking trojan that has shifted to distributing other malware, including the ransomware strains ProLock, DoppelPaymer, and Egregor, CERT-FR officials said. 

The group used the Emotet distribution service in 2020 and TA551 in 2020 and 2021 to deliver QakBot via phishing emails. Additionally, it used multiple tools for data exfiltration, including AdFind, BITSAdmin, BloodHound, and RClone.

Mobile Phishing Attacks Surge, Researchers Warn Energy Sectors

There has been a surge in cyberattacks in which threat actors make extensive use of mobile phishing against the energy, pharmaceutical, government, and finance sectors, targeting workers with phishing and malware campaigns designed to exploit potential security weaknesses in smartphones and tablets. 

Recently, cybersecurity researchers at Lookout published a report warning the energy sector about these attacks. According to the report, mobile phishing attacks targeting the energy sector have increased by 161% since 2020. Threat actors strive to break into the networks used to provide services such as gas and electricity. 

Globally, mobile phishing attacks against the energy sector account for around 17% of such attacks, a higher share than for finance, pharmaceuticals, government, or manufacturing. Notably, independent cyber criminals are not the only threat: state-backed threat actors are also targeting the networks of energy providers.

"The energy industry is directly related to the wellbeing and safety of citizens, globally," Stephen Banda, senior manager of security solutions at Lookout, reported.

"Threat actors know that mobile devices aren't usually secured in the same way as computers. For this reason, mobile phishing has become one of the primary ways threat actors get into corporate infrastructure," said Banda. 

"By launching phishing attacks that mimic the context that the recipient expects, attackers are able to direct a user to a fake webpage that mimics a familiar application login page. Without thinking, the user provides credentials and data has been stolen," he added. 

Phishing emails and malware are harder to spot on smartphones and tablets because the smaller screen offers fewer cues, and because these devices are often not secured as comprehensively as laptops and desktop PCs, which creates opportunities for attackers to compromise networks. 

"The majority of attacks start with phishing, and mobile presents a multitude of attack pathways. An anti-phishing solution must block any communication from known phishing sites on mobile devices — including SMS, apps, social platforms, and email," said Banda.