
Cybercriminals Threaten Release of Stolen World-Check Database, Exposing Millions to Financial Risk

A financially motivated criminal hacking group, self-identified as GhostR, has claimed responsibility for the theft of a confidential database containing millions of records from the renowned World-Check screening database. The stolen data, totaling 5.3 million records, includes sensitive information used by companies for screening potential customers and assessing their links to sanctions and financial crime.
 
World-Check, a vital tool for conducting "know your customer" (KYC) checks, enables companies to identify high-risk individuals with potential ties to money laundering, government sanctions, or other illicit activities. The hackers disclosed that they obtained the data from a Singapore-based firm with access to the World-Check database, though the specific company remains unnamed. 

A portion of the stolen data encompasses individuals sanctioned as recently as this year. The compromised records include details of current and former government officials, diplomats, politically exposed persons (PEPs), individuals associated with organized crime, suspected terrorists, intelligence operatives, and even a European spyware vendor. These individuals are deemed high-risk for involvement in corruption, bribery, or other illicit activities. 

The stolen data comprises a wealth of sensitive information, including names, passport numbers, Social Security numbers, online cryptocurrency account identifiers, bank account numbers, and more. Such a breach poses significant risks, as it could potentially expose innocent individuals to unwarranted scrutiny and financial harm. 

Simon Henrick, a spokesperson for the London Stock Exchange Group (LSEG), which oversees World-Check, clarified that the breach did not originate from LSEG's systems but involved a third party's data set. While LSEG did not disclose the identity of the third-party company, they emphasized their commitment to collaborating with the affected party to safeguard data integrity and notify relevant authorities. 

Privately operated databases like World-Check are not immune to errors, which raises concerns about the accuracy and fairness of their content. Past incidents, such as the 2016 leak of an older World-Check database, show how erroneous data can lead to wrongful accusations and financial harm for innocent individuals.

The breach highlights the critical need for enhanced cybersecurity measures and regulatory oversight to protect sensitive personal information and mitigate the risks associated with data breaches. As investigations into the incident continue, stakeholders must prioritize transparency, accountability, and proactive measures to prevent future breaches and safeguard consumer data privacy.

LockBit's Double Cross: Ransom Paid, Data Remains Locked Away

LockBit ransomware blocks access to a victim's computer systems and demands a ransom to restore it. It can encrypt every computer on a network, and its automation handles vetting potential targets, confirming that the target is valuable and spreading the infection before the encryption runs.

Many types of ransomware are used to carry out highly targeted, self-propagating cyberattacks against enterprises and other organizations. The cybersecurity landscape is constantly changing and dangerously competitive: adversaries lurk in the shadows, eager to exploit vulnerabilities and disrupt the operations of organizations.

There are many threats out there, but LockBit is one of the most formidable: it has a dark history of evolution and has been known to target large enterprises across various industries.

Key Characteristics of LockBit

When selecting its targets, LockBit meticulously assesses their financial capacity and the disruption an attack would cause before choosing the most promising ones.

As a result, its victims are concentrated among large businesses in healthcare, education, financial institutions and government entities. An automated vetting process helps select targets and ensures they meet a certain set of criteria.

One notable aspect of LockBit's strategy is avoidance: the group does not target organizations inside Russia and other Commonwealth countries. LockBit operates on the Ransomware as a Service (RaaS) business model, in which affiliates license the ransomware for a fee and then share each ransom payment with LockBit.

According to Graeme Biggar, the director general of Britain's National Crime Agency (NCA), LockBit was the most prolific and harmful ransomware group operating over the last four years. The group targeted thousands of organizations around the world. After encrypting the devices on a victim's network and/or stealing data from them, the criminal enterprise demanded an extortion payment in return for the decryption key and the deletion of the stolen data.

In recent years, officials have consistently advised against making extortion payments of this type. According to them, such payments not only fund the criminal ecosystem, but there is no guarantee that the decryption key will function due to sloppy coding, and the criminals should not be trusted merely by the promise they will delete victim data. 

The NCA-led operation revealed that some of the data still held by LockBit belonged to victims who had paid a ransom. The NCA emphasized that, despite the criminals' promises, paying a ransom does not guarantee that data will be deleted.

Based on the intelligence it gained from the takedown, the agency also plans to release additional information about the gang's finances and its administrator, LockBitSupp, over the remainder of the week.

Guarding Your Finances: The Art of Phishing Attacks and Social Engineering

The malware, hacking techniques, botnets and other technology behind cybercrime are becoming increasingly sophisticated. Nevertheless, online criminality still relies on tactics that criminals refined over decades before the internet existed.

Cybercriminals know how to exploit the human tendency to trust, using trickery and coercion to turn that trust to their own ends. "Social engineering" is the term for this method of gaining someone's confidence online, and it is most often used in confidence scams.

Cybercriminals glean details about users from social media sites, professional profiles, blogs, websites and local news reports. Harvesting data from these sources over weeks or months gives them a nuanced understanding of their targets and even their families.

Social engineering is a collective term for a range of scams that rely on manipulation either to obtain money directly from a victim or to obtain confidential information that lets the perpetrator commit further crimes. The preferred channel for contact is now social media, though contact by phone or in person is not uncommon either.

An individual who uses social engineering to gain access to a company's computer system, to information about a client, or to compromise an organization's data is known as a social engineer. A malicious individual posing as a new employee, technician or researcher may appear unassuming and respectable, with credentials that seem to support the claim.

A hacker may still obtain enough information simply by asking questions to gain entry into an organization's network. If the attacker cannot gather enough from one source, he or she may contact a second source within the same organization and use what was learned from the first to build credibility.

Phishing scams are responsible for the loss of tens of millions of dollars each year, and the number is increasing every year, according to the authorities. Phishing differs from scams like the now-famous "Hi Mum" scheme in that no overt request is made to send money to an account.

To persuade people to hand over personal information, scammers use subterfuge, doctored websites and carefully calibrated scripts. The cybersecurity community classes this as a "social engineering" technique because it plays on people's typical emotions and behaviours.

Scams often arrive as e-mails or text messages that claim to be from an official company or organization, such as the Australian Taxation Office or Netflix, and look like the real thing. The message warns of a problem, and victims are directed to a page that resembles the company's own site and asked to fix their account or confirm their contact details as soon as possible.

A phishing kit, containing the HTML assets and scripts needed to build a fake website, is available for as little as $10, though scammers will probably pay anywhere from $100 to $1,000 for one. With the credentials harvested this way, the scammer can access victims' bank accounts and transfer money at their convenience. Phishing has evolved into an underground industry within Australia's cybersecurity sector, according to Craig McDonald, founder of Australian cybersecurity company MailGuard.

Many people do not realize that they have handed personal information to swindlers, because they do not monitor how much they disclose. Social media sites and forums usually offer privacy controls that let users restrict how much information about them and their lives is publicly visible, but a large number of users ignore these controls and leave everything they post visible to the public.

Some cybercriminals spend as much time building their personas as they do building their websites. With a good understanding of how a person would react to a given situation, they can act and respond in ways that establish trust when they reach out, posing as a fellow alumnus, a school parent or an avid sports enthusiast, to name just a few examples.

Scams can be perpetrated in many ways. Requests for gifts and charitable contributions are common during the holidays, since it is the season for giving. In some cases, criminals send emails containing malicious links that give them access to a person's device, account, data or personal information, and then demand a ransom to release the device or the stolen information.

Social Engineering: How to Spot It   


A Message of Urgency or Threat  


If users receive an email, text message, direct message or any other sort of message that seems overly exciting or aggressive, they should be cautious. Scammers use these scare tactics to push users into acting before they think through what is being asked of them.

Click Bait for Winning Prizes 


Scammers tell all sorts of stories to pry personal information from users. Some use bogus prizes and sweepstakes to extract money from unsuspecting people: to "pay out the winnings", they ask for users' bank information or sometimes even their tax ID number.

Users never receive the winnings they are promised. The scammer wants this information so that they can break into users' accounts and steal their identities in a wide variety of ways.

The Message Appears to be Strange in Some Way. 


A scammer will often pose as someone the user knows in order to get their money. It can be anyone: friends, family members, coworkers, bosses, vendors or clients at work, or any other person for that matter. Such messages usually seem a bit odd on first reading, and that oddness is the cue to be suspicious.

How Can You Prevent Being Phished in The Future? 


Victims of phishing scams can find it difficult to obtain recourse. Australians lost an unprecedented $3.1 billion to scams last year, yet the big banks paid only about $21 million in compensation to their customers, even though each bank has developed its own policy for dealing with cybercrime.

The Australian Financial Complaints Authority (AFCA) is the consumer complaints body responsible for investigating complaints from the public about banks. The federal government has indicated that it will reform Australian online banking law shortly, though consumer groups maintain that the laws are not robust enough to protect scam victims. Deputy Treasurer Stephen Jones said the government is taking several steps to impose strict new codes of conduct on the industry.

Unprecedented Data Breach: Millions Impacted by Personal Information Theft via Website Error

Tech support scams have become increasingly common over the past few years. Scammers use scare tactics to get you to pay for unnecessary technical support services to fix equipment or software that has nothing wrong with it.

In most cases, scammers trick you into paying them to fix a problem that does not exist. At worst, they steal your financial or personal information. If they obtain remote access to your computer to perform the "fix", they will often install malware, ransomware or other unwanted programs that steal your information or damage your data or your device.

A recent report by cybersecurity experts warned that websites and web apps are exposing sensitive information belonging to millions of people every day. The three incidents in question share a common denominator: insecure direct object references (IDOR). An IDOR is a security hole in a site or app that lets a user request sensitive information without the site first checking that the requester is allowed to access it.

In response to the IDOR flaws discovered to date, the United States Computer Emergency Readiness Team (CERT) and the Australian Cyber Security Centre have jointly published a security bulletin warning about this class of vulnerability.

Data theft means stealing digital information stored on computers, servers and electronic devices in order to obtain confidential information or compromise user privacy. Data that can be stolen includes bank account numbers, online account passwords, passport numbers, licence numbers, social security numbers, medical records, subscriptions to online stores and more.

Once an unauthorized person has access to someone's financial or personal information, they can delete, alter or block access to it without the owner's consent.

Malicious actors steal data to sell it or to commit identity theft for profit. With enough data about an individual, they can gain access to secure accounts, set up credit cards in the victim's name, or otherwise exploit the individual's identity. Data theft used to be predominantly a problem for businesses and organizations, but it has unfortunately become a bigger problem for the general public as well.

There are many misconceptions surrounding the term "data theft". Although the word "theft" suggests something being taken away, data theft does not mean removing information in the literal sense; it refers to copying or duplicating information in order to profit from it.

Flaws Commonly Encountered 


CISA analysts noted in their announcement that IDOR flaws are "frequently" exploited by hackers, since "they are exceptionally common, hard to detect outside the development process, and have the capability to be exploited at scale." 

"In general, these vulnerabilities exist because an object's identifier is exposed, passed externally, or can be easily guessed, allowing any user with access to the object to use or modify the object," according to CISA.

These attacks can have a painful impact on victims, since they allow the perpetrator to steal sensitive financial, health and personal information.

Examples include the 2019 breach at First American Financial (the data of 800 million people was stolen), the IDOR flaw in Microsoft Teams discovered at the end of June 2023, and the IDOR bug in Nexx smart home devices discovered at the beginning of April 2023, among others.

CISA says web developers should follow secure-by-design principles at each step of the development process. It recommends incorporating automated code analysis tools so that flaws are identified before apps reach production.

Both agencies say developers should ensure applications are configured with default access settings that require every request to access or edit sensitive information to be checked before it is served.
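To make the flaw and the recommended check concrete, here is an added Python example (not code from the article or from CISA): a minimal record lookup written first in the vulnerable IDOR form, then with the per-request authorization check the advisory calls for, plus a per-session indirect reference map as an assumed extra layer. Record IDs, usernames and passport values are constructed.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data: a tiny "document store" holding sensitive records,
# keyed by sequential integer IDs the way many web apps key their URLs
# (e.g. /records/101). Names and values are invented.


@dataclass
class Record:
    record_id: int
    owner: str        # username of the account the record belongs to
    passport_number: str


RECORDS = {
    101: Record(101, "alice", "P-ALICE-0001"),
    102: Record(102, "bob", "P-BOB-0002"),
}


class Forbidden(Exception):
    """Raised when the caller is not logged in."""


class NotFound(Exception):
    """Raised when a record is missing *or* belongs to someone else."""


def get_record_insecure(session_user: str, record_id: int) -> Record:
    """The IDOR pattern: the handler checks that *a* user is logged in, then
    trusts the identifier from the request. Any logged-in user who guesses or
    increments the ID reads someone else's record."""
    if not session_user:
        raise Forbidden("login required")
    return RECORDS[record_id]  # no ownership check


def get_record_secure(session_user: str, record_id: int) -> Record:
    """Hardened handler: authorization is checked on every request. A record
    that exists but belongs to another user is reported exactly like a missing
    one, so responses do not reveal which IDs are valid."""
    if not session_user:
        raise Forbidden("login required")
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        raise NotFound("no such record")
    return record


class IndirectReferenceMap:
    """Defense in depth (an assumed extra control, not something the advisory
    text above spells out): hand clients a random per-session token instead of
    the real ID, and resolve it only for the session that was issued it."""

    def __init__(self) -> None:
        self._tokens: dict[tuple[str, str], int] = {}

    def reference_for(self, session_user: str, record_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens[(session_user, token)] = record_id
        return token

    def resolve(self, session_user: str, token: str) -> Record:
        record_id = self._tokens.get((session_user, token))
        if record_id is None:
            raise NotFound("no such record")
        # Still run the ownership check: the map is a layer on top of it.
        return get_record_secure(session_user, record_id)


def access_result(handler, session_user: str, record_id) -> str:
    """Summarise the outcome of an access attempt as a short string so the two
    handlers can be compared side by side."""
    try:
        record = handler(session_user, record_id)
    except Forbidden:
        return "forbidden"
    except (NotFound, KeyError):
        return "not found"
    return f"ok:{record.owner}"


if __name__ == "__main__":
    # bob asks for alice's record (ID 101) through both handlers
    print("insecure:", access_result(get_record_insecure, "bob", 101))  # ok:alice
    print("secure:  ", access_result(get_record_secure, "bob", 101))    # not found
```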

What Factors Contribute to Data Theft? 


Various methods are used to steal data or digital information, including several types of fraud:

Social engineering:


Social engineering can be done in many ways, but phishing is the most common. In a phishing attack, someone impersonates an official entity to trick the victim into opening an email, text message or instant message that appears to come from a trusted source. Users falling victim to phishing attacks is among the most common causes of data theft.

Weak password practices:


Using a password that is easy to guess, or reusing the same password across multiple accounts, lets attackers gain access to your sensitive data. Poor password habits, such as writing passwords down on paper or sharing them with others, can also lead to data theft.

System vulnerabilities:


Hackers can exploit vulnerabilities in poorly written or poorly designed software applications and network systems to steal data and identity information. Outdated antivirus software also leaves you exposed, because its threat definitions are out of date.

Employees responsible for an organization's operations can access information about its customers. If an employee breaks the rules or a contractor is disgruntled, data can be copied, altered or stolen. Current employees are not the only source of insider threats.

The Met Police passed victims' data to Facebook

Through its website for reporting crimes, including sexual offences and domestic violence, the country's most powerful police force gathered sensitive details about the people using the site and, the Observer reports, shared that data with Facebook so it could be used to target advertising at them.

The analysis found that the Metropolitan Police website included a tracking tool that recorded information about people's browsing activity and about their use of the "secure" online form for reporting crimes committed against them.

Using a tracking tool called a Meta Pixel on its website, the police force sent this information, including the type of offence being reported and the user's Facebook profile code, to the social media giant.

A week after The Observer raised concerns about the Meta Pixel tracking, the Met removed the tracker from its website. Such tracking is wrong: it shows a lack of respect for human rights and human dignity. The Met added that no personal data, such as the messages people sent when reporting a crime, had been passed on.

The Met suggested the data transmission had been accidental: the tracking tool had been installed to serve ads to people who showed interest in joining the Met. It said it had since removed any Meta Pixels from pages on its website not related to recruitment marketing campaigns, to avoid unnecessary concern.

When the Observer analysed police websites across England, Wales, Scotland and Northern Ireland, it found the pixel in use on four forces' websites during testing last week: the Metropolitan Police, Police Scotland, Norfolk Constabulary and Suffolk Constabulary.

Like the Met, Norfolk and Suffolk shared data about how people accessed sensitive web pages, including when visitors clicked links to report antisocial behaviour, domestic abuse, rape, hate crimes and corruption, and when they clicked the "Tell us something anonymously" button. Both forces said the tracking tools were used "for recruitment purposes".

Victims' charities and privacy experts have criticised the data sharing as a shocking violation of trust, one that could undermine public confidence in the police.

Dame Vera Baird, the former victims’ commissioner, said: "You think you are dealing with a public authority you can trust and you are dealing with Facebook and the wild world of advertising." 

Mark Richards, a privacy researcher, said using advertising pixels in this context is like asking a person to report a crime while a stranger is in the room.

Prof David Leslie, director of ethics at the Alan Turing Institute, said the collection and sharing of the data felt "reckless", and that people appeared to have been given "partially" or "misleading" information about how their data would be handled.

The UK's privacy watchdog, the Information Commissioner's Office, said in a statement that the findings raised serious privacy concerns. "These sites are for the convenience of crime victims, as well as their family members and witnesses. They would expect their information to be handled thoughtfully," the statement said. The ICO is already investigating the use of the Meta Pixel by NHS trusts on their websites and said the latest evidence would be taken into account.

Businesses use Meta Pixel, a free tool offered by Facebook, to track people who visit their websites so that they can reach them in future marketing campaigns.

Facebook pitches the tool as a way for organisations of all sizes to gain insight into the performance of their websites and the behaviour of their visitors, including those who do not have Facebook accounts.

Although the Meta Pixel collects unique identifiers such as IP addresses and Facebook profile IDs, there is no evidence that the company has attempted to identify people as victims of crime, or targeted them with advertisements based on their status as victims or witnesses. The details of people's interactions with the police are not included in the information shared with the company.

According to the Observer's investigation, many police websites also share data with Google for advertising. That information showed that a person had visited a police website, but did not appear to reveal which sensitive pages they visited or whether they used online reporting tools or forms. A police force and a military force are also believed to have shared data with Twitter to advertise their services. Stef Elliott, the ICO's chief digital privacy adviser, reported the problems with Google advertising to the watchdog earlier this month and described the problem as "systemic".

Police websites, including the Met's, show a pop-up consent banner asking visitors to click "I agree" before data is shared. The banner typically reads "We use cookies on this site to give you a better, more personalized experience", without mentioning advertising or saying that the data would be shared with third parties such as Facebook. The Met's privacy statement did mention advertising, but said the data collected would be used only for recruitment campaigns and not by third parties for business purposes.
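An added example, not part of the Observer's reporting or any police force's tooling: a small Python audit that scans a page's HTML for the Meta Pixel and similar third-party trackers and flags them only on sensitive paths such as crime-reporting forms, while a recruitment page carrying the same pixel is reported but not flagged. The tracker hostnames, the list of sensitive path words and the sample pages are assumptions constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed tracker fingerprints: public loader hostnames of the products named
# in the article, their inline JavaScript entry points, and the Meta <noscript>
# image beacon host. Extend the tables for your own estate.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",          # /tr image beacon
    "www.googletagmanager.com": "Google Tag",
    "www.google-analytics.com": "Google Analytics",
    "static.ads-twitter.com": "Twitter Pixel",
}
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Tag", "twq(": "Twitter Pixel"}

# Assumed vocabulary of URL path segments that mark victim-facing pages.
SENSITIVE_TOKENS = {"report", "domestic", "abuse", "rape", "hate", "crime",
                    "corruption", "antisocial", "anonymous", "anonymously"}


class TrackerScanner(HTMLParser):
    """Collect the names of third-party trackers referenced by a page."""

    def __init__(self) -> None:
        super().__init__()
        self.found: set[str] = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).netloc.lower()
            if host in TRACKER_HOSTS:
                self.found.add(TRACKER_HOSTS[host])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline <script> bodies arrive here; look for the bootstrap calls.
        if self._in_script:
            for marker, name in INLINE_MARKERS.items():
                if marker in data:
                    self.found.add(name)


def find_trackers(html: str) -> list[str]:
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.found)


def is_sensitive_path(path: str) -> bool:
    tokens = set(re.split(r"[/\-_.]+", path.lower()))
    return bool(tokens & SENSITIVE_TOKENS)


def audit_page(url: str, html: str) -> dict:
    """A finding is raised only when a tracker sits on a sensitive page."""
    trackers = find_trackers(html)
    sensitive = is_sensitive_path(urlparse(url).path)
    return {"url": url, "trackers": trackers, "sensitive": sensitive,
            "finding": sensitive and bool(trackers)}


# Constructed sample pages (invented markup; PIXEL_ID_PLACEHOLDER stands in
# for a real pixel ID).
REPORT_PAGE = """<html><head>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>
</head><body><h1>Report domestic abuse</h1>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&amp;ev=PageView"/></noscript>
</body></html>"""
RECRUIT_PAGE = REPORT_PAGE.replace("Report domestic abuse", "Join us")
CLEAN_PAGE = "<html><body><h1>Report a hate crime</h1><form></form></body></html>"

if __name__ == "__main__":
    for url, page in [("https://police.example/report/domestic-abuse", REPORT_PAGE),
                      ("https://police.example/careers/join-us", RECRUIT_PAGE),
                      ("https://police.example/report/hate-crime", CLEAN_PAGE)]:
        print(audit_page(url, page))
```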

Rise of Cybercrime as a Service Will be Worse

The proliferation of cybercrime-as-a-service has created an expansive digital gateway for individuals seeking fast and unlawful gains on the internet. Alongside attacks-as-a-service, malware-as-a-service, and fraud-as-a-service, this phenomenon has granted easy access to various illicit opportunities in the online realm. 

The evolution of cybercrime as a service aligns with the prevalent model of other as-a-service business offerings. Skilled criminals, who have developed effective malicious code, now offer their cybercrime "solutions" for rent to less sophisticated criminals lacking the means or expertise to create and carry out cyberattacks independently. 

In exchange for their services, these criminals receive a percentage of the profits generated from attacks utilizing their code. This share is on the rise, with some criminals earning between 10% and 20% of the ill-gotten gains obtained through the utilization of their malicious software. 

If you're interested in acquiring a DDoS booter rental from Russia, you can obtain one for a daily cost of $60 or lease it for a week at $400. Additionally, orders exceeding $500 are eligible for a 10 percent discount, which increases to 15 percent for orders surpassing $1,000. 

Alternatively, if you're considering a ransomware kit, you have the option of renting it for one month at a price of $1,000. While this may appear expensive to some, it's important to consider the potential return on investment. Moreover, prospective customers have the opportunity to test the product for 48 hours before making a final decision. 

This trend carries significant implications. The accessibility of these cybercrime offerings has eliminated the need for customers to possess advanced technical skills. In fact, even novices can now actively engage in cybercriminal activities and, remarkably, are being actively courted. 

Numerous online marketplaces on the dark web proudly advertise their provision of technical support, catering to individuals who require additional guidance and assistance. The cybercrime-for-hire industry has reached such a level of vitality that hacker groups are reportedly struggling to meet the growing demand. 

The thriving "as-a-service" market in cybercrime has not only captivated the attention of cybercriminals but has also piqued the interest of traditional criminals. These individuals and groups recognize the service-oriented nature of the cybercrime market and are increasingly leveraging it to their advantage. 

According to a study conducted by researchers at Cambridge, over half of the cybercriminals convicted in the UK had prior criminal records related to conventional offenses like burglary. Additionally, hackers are actively exploring avenues to introduce subscription-based offerings on the dark web.

Cyberattack That Stole Personal Data of 16,000 Law Society Members, What Was Lacking?

Law Society members' personal information was leaked through the Law Society of Singapore's VPN. Ransomware headlines are making the rounds, but the reality is even grimmer: most victims never see their names in the media, since most are willing to pay to make the problem go away. The danger keeps growing as threats multiply, sophistication increases and hackers demand larger ransoms.

According to the Personal Data Protection Commission (PDPC), a vulnerability in the Law Society's virtual private network (VPN) system was exploited in March to launch a ransomware attack that affected more than 16,000 members.

According to the PDPC's decision, which was published on Thursday (May 11), the society used an easily guessed password for its administrator account, making it an easy target for cybercriminals.  

In addition to the easily guessed password, the Singaporean Personal Data Protection Commission (PDPC) investigation concluded that the Society had failed to conduct periodic security reviews. It has been directed to complete an internal audit within 60 days to confirm that no security gaps remain.

The ransomware attack that compromised the data of 16,009 Law Society members has prompted an order for the society to plug its security gaps. Separately, the furniture store FortyTwo was fined $8,000 for a data breach involving customer information.

In a report published this Thursday, the Personal Data Protection Commission (PDPC) mentioned these topics as some of the findings of the investigation. 

LawSoc's administrative account, which was compromised in the attack, had used the password "Welcome2020lawsoc" for years.

According to PDPC, the society's password for the account had not been changed at "reasonable intervals".
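As an added example (not from the PDPC decision), the following Python check flags the two failings the commission identified: a password built from a common word, a year and the organisation's name, and a password left unchanged far beyond a reasonable interval. The organisation tokens, word list, 90-day interval and the dates are assumptions.

```python
import re
from datetime import date

# Assumed policy parameters: the organisation's name tokens, filler words that
# appear in countless breached passwords, a minimum length and a rotation
# interval for privileged accounts. Tune them to your own environment.
ORG_TOKENS = ("lawsoc", "lawsociety")
COMMON_WORDS = ("welcome", "password", "admin", "letmein", "changeme", "qwerty")
MIN_LENGTH = 14
MAX_AGE_DAYS = 90


def weak_password_reasons(password: str, org_tokens=ORG_TOKENS) -> list[str]:
    """Return every reason a password fails the policy (empty list = passes).
    Checks are case-insensitive and look for the patterns an attacker would
    try first: the organisation's name, a year and well-known filler words."""
    reasons = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for word in COMMON_WORDS:
        if word in low:
            reasons.append(f"contains common word '{word}'")
    for token in org_tokens:
        if token in low:
            reasons.append(f"contains organisation name '{token}'")
            break
    if re.search(r"(?:19|20)\d\d", password):
        reasons.append("contains a year")
    return reasons


def days_since_change(last_changed: date, today: date) -> int:
    return (today - last_changed).days


def audit_account(username: str, password: str, last_changed: date,
                  today: date) -> list[str]:
    """Combine the strength check with the rotation check for one account."""
    findings = weak_password_reasons(password)
    age = days_since_change(last_changed, today)
    if age > MAX_AGE_DAYS:
        findings.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")
    return [f"{username}: {f}" for f in findings] if False else findings


if __name__ == "__main__":
    # Constructed sample: the password named in the PDPC decision, with
    # invented dates for when it was last changed and when the audit ran.
    for finding in audit_account("vpn-admin", "Welcome2020lawsoc",
                                 date(2020, 1, 6), date(2023, 3, 1)):
        print("-", finding)
```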

The PDPC's Deputy Commissioner Zee Kin Yeong concluded that many members' personal information was leaked, including their full names, residential addresses and dates of birth. According to Channel News Asia, the Law Society took prompt remedial action in response to the incident, and there were no signs that any personal data of its members was exfiltrated or misused.

In its latest warning, the Cyber Security Agency of Singapore (CSA) said that ransomware had evolved into a "massive and systemic threat" in the first half of this year. In 2020, 16,117 cybersecurity cases were reported in Singapore, accounting for 43% of all crimes committed in the country. Because many ransomware attacks are never reported to the authorities, the true number is likely much higher.

Singapore faces a growing ransomware threat, and organisations need to strengthen their defences against it and develop a response plan as soon as possible.

Ransomware attacks keep growing, and cybercriminals continue to multiply, attract new talent, develop new malware, and operate with impunity. Your defences and incident response plan both need to be at the top of their game and constantly evolving to mitigate the risk. The right defensive plan for your organisation will be unique: it will take into account your critical needs, your existing and future defences, your vulnerabilities, and your ethos as an organisation.

Babuk is Customized by RA Ransomware Group

It has recently been discovered that an actor known as RA Group uses leaked Babuk source code in its attacks. Companies in the United States and South Korea have already suffered from it, in industries including manufacturing, wealth management, insurance, and pharmaceuticals.

The leaked Babuk source code continues to cause havoc as cybercriminal gangs use it to launch attacks against their targets.

According to an evaluation by Cisco Talos this week, RA Group has been expanding its operations rapidly since April 22. Several companies have been targeted in the US and South Korea, particularly in manufacturing, wealth management, insurance, and pharmaceuticals. There have already been several RA Group victims since the group emerged in April.

Four Companies Have Been Attacked by RA Ransomware

As per Cisco Talos’s research, “RA Group started leaking data on April 22, 2023, and we observed the first batch of victims on April 27, followed by the second batch on April 28, and we noticed more victims on April 29, 2023."

It is worth recalling that Babuk ransomware's complete source code was leaked online in September 2021. Since then, several new threat actors have built their own ransomware on top of it. Over the past year, 10 different ransomware families have gone down that route; one example is a group that used it to develop lockers designed to target VMware ESXi hypervisors.

Others have modified the code in different ways, and the resulting malware exploits several known vulnerabilities, for example in Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and other popular web applications.

A report from SentinelLabs published last week found growing evidence that ransomware groups are still targeting ESXi hypervisors, and that the September 2021 disclosure of the Babuk source code gave other threat actors a unique insight into a ransomware group's development operations that had previously been unavailable to them.

As part of its extortion operation, the group also lists its victims on a dark web leak blog.

A ransom note reproduced in the report shows the gang is ruthless, threatening to sell the data after three days. The note states: "Your data is encrypted when you read this letter." It goes on to say that the group has copied the victim's data onto its server, but that no information about the victim will be compromised or made public unless the victim wants it to be. Most criminal groups give victims weeks or months to pay up.

On May 15, the Cisco Talos team compiled a timeline of attacks by different actors using ransomware families derived from the leaked Babuk source code.

Several custom malicious code families have evolved from the ransomware source exposed in the Babuk leak, according to Timothy Morris, Chief Security Advisor at Tanium. The attackers exploit several software vulnerabilities, including Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, and Liferay, and also interfere with backups and delete volume shadow copies. Morris says this exploit was discovered last year.
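The backup interference and shadow-copy deletion Morris mentions are among the most reliable signals that ransomware is about to run, because the commands are noisy and rarely chained by legitimate administrators. The following is an added detection example, not code from Cisco Talos or Tanium; the log format, the host names, the users and the ten-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Backup-tampering commands that commonly precede file encryption. Each rule maps a label to a
# pattern matched against the process command line.
RULES = [
    ("shadow copies deleted (vssadmin)", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow copies deleted (wmic)", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup catalog deleted (wbadmin)", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("boot recovery disabled (bcdedit)", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
]

# Constructed log format: tab-separated timestamp, host, user, command line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\t(?P<host>\S+)\t(?P<user>\S+)\t(?P<cmd>.+)$")

# Constructed process-creation log: one benign listing, then a burst on FS01 and a lone hit on WS17.
SAMPLE_LOG = (
    "2023-04-27T02:14:05Z\tFS01\tCORP\\svc_backup\tvssadmin.exe list shadows\n"
    "2023-04-27T02:14:09Z\tFS01\tCORP\\jdoe\tvssadmin.exe delete shadows /all /quiet\n"
    "2023-04-27T02:14:11Z\tFS01\tCORP\\jdoe\twmic.exe shadowcopy delete\n"
    "2023-04-27T02:14:15Z\tFS01\tCORP\\jdoe\tbcdedit.exe /set {default} recoveryenabled no\n"
    "2023-04-27T09:30:00Z\tWS17\tCORP\\admin\twbadmin.exe delete catalog -quiet\n"
)

def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def matched_techniques(cmd: str) -> list[str]:
    """Labels of every rule that matches the command line."""
    return [label for label, rx in RULES if rx.search(cmd)]

def detect_backup_tampering(log_text: str, window: timedelta = timedelta(minutes=10),
                            min_techniques: int = 2) -> dict[str, dict]:
    """Group rule hits per host. A host where min_techniques distinct techniques occur within
    `window` of the first hit is rated high; an isolated hit (possibly legitimate admin work)
    is rated low so an analyst can still review it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for label in matched_techniques(rec["cmd"]):
            hits[rec["host"]].append((rec["ts"], label, rec["user"], rec["cmd"]))
    alerts = {}
    for host, events in hits.items():
        events.sort(key=lambda e: e[0])
        first = events[0][0]
        clustered = [e for e in events if e[0] - first <= window]
        techniques = sorted({e[1] for e in clustered})
        alerts[host] = {
            "severity": "high" if len(techniques) >= min_techniques else "low",
            "techniques": techniques,
            "users": sorted({e[2] for e in clustered}),
            "first_seen": first.isoformat(),
            "commands": [e[3] for e in clustered],
        }
    return alerts

if __name__ == "__main__":
    for host, alert in detect_backup_tampering(SAMPLE_LOG).items():
        print(host, alert["severity"], ", ".join(alert["techniques"]))
```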

RA Group's ransom note gives victims only three days to pay; the group follows the standard double-extortion model, threatening to leak the exfiltrated data if they do not.

The leak site divulges several details: the identity of the victim, the name of the organization the data was taken from, the total size of the data, and even the victim's official URL. As Cisco Talos explained in its analysis of the group, this is a typical leak site for ransomware groups of this type. RA Group is actively selling the victims' exfiltrated data through the leak site, which is hosted on a Tor site.


Mobile Banking Trojan Volume Doubles

Nearly 200,000 new mobile banking Trojans were developed in 2022, an increase of 100% over the previous year and the biggest spike in mobile malware development seen in the past six years, confirming that mobile malware development has accelerated in recent years.

The figures come from Kaspersky Lab's report "Mobile Threats in 2022". The firm also reported that its telemetry detected 1.6 million malware installers during the year. That is a decline in overall threat activity (down from 3.5 million in 2021 and 5.7 million in 2020), even as banking Trojan creation surged.

According to the report, cybercriminals are increasingly targeting mobile users and investing significant time in creating updated malware to steal financial information. At the same time, it noted, overall cybercriminal activity has levelled off over the last few years, with attack numbers holding steady after slackening in 2021.

The truth is that cybercriminals continue to improve the functionality of malware as well as how it spreads. 

Banking Trojans are designed to steal mobile banking credentials and e-payment information, but they can quickly be repurposed to steal other kinds of information, support identity theft, and spread other malware. In recent years, several strains such as Emotet and TrickBot have become synonymous with the term "all-purpose malware".

The risk of encountering a banking Trojan is greatest when using an unofficial app store, but Google Play has also been repeatedly flooded with "downloaders of trojans such as Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph disguised as utilities."

According to Kaspersky's report, unofficial apps pose the greatest risk. Sharkbot is an example of malware masquerading as a legitimate file manager; it behaves benignly (and evades Google's vetting process) until it has been installed.

After installation, it requests permission to install other packages, which together carry out the banking Trojan's malicious activity. In recent years, mobile banking Trojans have been among the most prevalent and concerning mobile malware threats, used to steal data related to online banking and e-payment systems as well as bank credentials. The 2022 figure is the highest number of mobile banking Trojan installers Kaspersky has detected in the past six years, double what it detected in 2021.

Cybercriminals are clearly increasingly interested in stealing financial data from smartphone users, and they appear to be investing heavily in updating their malware, which may cause severe losses for their targets in the long run.

Cybercriminals spread banking Trojans through both official and unofficial app stores. Several banking Trojan families remain available on Google Play, including Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph, disguised as utilities that are actually downloaders for the Trojans.

In Sharkbot's case, the attackers created a fake file manager through which they distributed the downloaders. Once installed, the downloader requests permission to install additional packages on the user's device, putting the user's security at risk.

What Can Consumers Do to Protect Their Data?

There is growing concern in Australia that cybercrime is not just increasing but exploding. Recent data from the Australian Competition and Consumer Commission (ACCC), as reported by ABC television, shows that from January to September of this year Australians lost more than $47 million per month.

The losses were 90 percent higher than in the same period a year ago. The actual losses are likely to be much larger, since only 13 percent of victims report losing money to cyber crime.

The surge follows the multiple high-profile data breaches reported by large corporations in recent months. Cybercriminals exploited lapses in security to steal the details of most Australians, giving them the opportunity to commit fraud or identity theft. Several reports of losses resulting from those breaches have already reached the media. This will be a costly time for the nation's infrastructure.

Identity Theft Prevention: What Can Individuals Do? 

Almost no one in modern society can avoid storing data online. Even if you never enter the data yourself, the banks, insurers, government agencies, and companies you interact with daily store your account details, including financial information, in cloud services. A breach could expose your data without you knowing anything about it or doing anything to put it at risk.

Whenever a data breach occurs, the business is legally obligated to inform its customers, so when your data has been compromised you will find out (unfortunately, "when" rather than "if"). There are, however, additional proactive measures you can take to protect your identity from theft.

The sooner you act after a data breach, the less damage it will cause. You may not be able to prevent a breach, but there are several things you can do to limit what it can compromise.

1) Be on the lookout for suspicious activity: A breached dataset often does not contain everything a criminal needs to act on it right away, so they will look for ways to obtain the missing pieces. Be wary of phone calls or emails from sources you do not know, and of messages asking you to confirm account details or telling you your password has been changed. If a cybercriminal is fishing for more data about you, it is likely because they already have some.

2) Carefully review your account and credit card statements: Flag any unusual purchases immediately, regardless of how small, including purchases you think you may simply have forgotten about.

3) Check any changes to your details: If you notice that details have changed in correspondence from a company or service, always check the date of the change and who authorized it.

4) Consult an identity restoration specialist if you need help: A specialist can help you understand the most effective approach and how to move forward.

In addition, there are steps you can take right away to fully re-secure your data. If cybercriminals do compromise one system you use, the rest of the information they need will then be much harder to get, making identity fraud against you more difficult.

1) Change all your passwords and enable two-factor authentication (2FA): Consider a dedicated token device, or a second phone used solely for 2FA. Criminals use a strategy known as "hijacking phones" to circumvent 2FA by convincing your phone company to transfer your number to their device; once they have your number, they can intercept your 2FA codes. Most people's telephone numbers are easy to find online, so using a number for 2FA that has no public information tied to it increases your protection against such attempts.

2) Remove as much personal information from social media as possible: You might look forward to birthday messages on your Facebook wall or Twitter feed, but your date of birth is one of the most common pieces of information used to verify your identity, and access to your accounts often depends on it.

3) Consider freezing your credit rating as a precaution: If you notice any suspicious activity on your credit report, freeze your credit.

Despite strategies and technologies designed to prevent security breaches, no company can be guaranteed to remain secure at all times. In fact, it is quite likely that many have already been compromised without realizing it. Once a company accepts that a breach is inevitable, it can begin protecting and monitoring its sensitive information and minimizing the associated risk.

To Get Around Security, Hackers Use This Old Trick

Cybercriminals are exploiting an old vulnerability in Intel drivers to gain access to networks. The security flaw enables them to get around endpoint security measures and bypass security systems.

According to cybersecurity researchers at CrowdStrike, the campaign against Windows PCs is the work of the cybercriminal group tracked as Scattered Spider, also known as Roasted 0ktapus and UNC3944.

Researchers describe Scattered Spider as a financially motivated cybercrime operation especially interested in targeting business outsourcing companies and telecom companies, with the main objective of gaining access to mobile carrier networks.

The attackers initially gain access to networks through SMS phishing attacks that steal usernames and passwords. In several recorded instances, attackers compromised devices and exploited that access to obtain further credentials. The group also appears to engage in SIM-swapping attacks.

Once Scattered Spider has gained access to a network, it uses a technique called "Bring Your Own Vulnerable Driver" (BYOVD) to exploit security loopholes within the Windows platform. Microsoft limits malware's ability to reach the kernel by preventing unsigned kernel-mode drivers from running by default, but attackers get around this by installing a legitimately signed but vulnerable driver and exploiting it, which gives them kernel-mode code execution despite the restriction.

Attackers may obtain legitimately signed certificates, self-sign their own, or acquire certificates through deception. However they were obtained, the malware can then run quietly on the machine, install its own drivers, and disable the security products on it, so that the attackers' activity is easily hidden.

To operate as discreetly as possible, they do not use malware for persistence. Instead, they install a large number of legitimate remote access tools that ensure persistence on the compromised system.

CrowdStrike identified a vulnerability in the Intel Ethernet diagnostics driver for Windows as one way attackers deliver malicious kernel drivers.

This vulnerability has been known for a long time, as its ID number suggests. If the security update that closes it has not been applied, cybercriminals can still exploit it on the system.

To combat this and other attacks involving abused signed drivers in the future, researchers urge users to patch vulnerable drivers as a priority.  

Attackers have targeted several security tools, including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne, and have attempted to bypass CrowdStrike's own Falcon product. CrowdStrike researchers say Falcon can detect and prevent the malicious activity cybercriminals perform when trying to install and run their own code.

Microsoft has previously warned that attacks increasingly abuse legitimate drivers in the ecosystem, infecting computers through their vulnerabilities. Despite Microsoft's efforts to prevent abuse, this attack technique is still used successfully today.

Although Scattered Spider appears to be targeting a specific set of industries with this campaign, CrowdStrike recommends that security professionals in every industry develop a strategy to secure their networks against this attack. As an example, this can be achieved by applying the long-available security patch.

Microsoft also provides advice on hardening systems by blocking drivers according to its recommended block rules. As with any software or hardware, blocking drivers may cause a device or software to malfunction and, in some cases, a blue screen of death. A vulnerable driver blocklist also cannot guarantee that every driver found to have vulnerabilities will be identified and blocked.
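Because a blocklist cannot catch every vulnerable driver, driver-load telemetry is worth reviewing with more than one check: a known-bad hash, a missing signature, and a load path outside the usual driver directories each raise the score. The following is an added example, not code from CrowdStrike or Microsoft; the blocklist entries, file paths and Sysmon-style records are constructed placeholders, and `TRUSTED_DRIVER_DIRS` is an assumption about where legitimate drivers normally live.

```python
# Constructed placeholder blocklist. In practice this comes from Microsoft's recommended
# driver block rules or a vendor feed; these values are NOT real driver hashes.
BLOCKED_SHA256 = {
    "a" * 64,   # placeholder: hash of a known-vulnerable signed driver
    "b" * 64,   # placeholder: second entry
}

# Directories from which Windows normally loads kernel drivers (assumption for the heuristic).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def parse_hashes(field: str) -> dict[str, str]:
    """Parse a Sysmon-style 'ALG=hex,ALG=hex' Hashes field into a dict keyed by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out

def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons a driver-load event deserves attention (empty list = looks normal)."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    if sha256 in BLOCKED_SHA256:
        reasons.append("hash is on the vulnerable-driver blocklist")
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is not signed")
    image = event.get("ImageLoaded", "").lower().replace("/", "\\")
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the standard driver directories")
    return reasons

def triage(events: list[dict]) -> list[dict]:
    """Rank driver loads: 'high' if blocklisted, 'medium' for other anomalies; clean loads are skipped."""
    flagged = []
    for ev in events:
        reasons = assess_driver_load(ev)
        if not reasons:
            continue
        severity = "high" if any("blocklist" in r for r in reasons) else "medium"
        flagged.append({"image": ev.get("ImageLoaded"), "severity": severity, "reasons": reasons})
    return flagged

# Constructed Sysmon-style driver-load records (event ID 6 fields), not taken from the campaign.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "true", "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\ProgramData\diag\netdiag.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "Signature": "Example Vendor (placeholder)"},
    {"ImageLoaded": r"C:\Users\Public\tmp\helper.sys",
     "Hashes": "SHA256=" + "d" * 64, "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"], hit["image"], "->", "; ".join(hit["reasons"]))
```

The second record shows the BYOVD case the article describes: a validly signed driver that is still flagged, because the signature check alone would pass it.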

Cybersecurity in 2023: Will the Crypto Crash Impact It?

After the fall of the FTX exchange capped the cryptocurrency crash of 2022, one question naturally arises for those working in the cybersecurity industry: how will the rapid decline in cryptocurrency valuations affect the cybercrime economy?

Cybercriminals have used and abused cryptocurrency ever since the most recent crypto boom began more than a decade ago to build their empires and make money. Ransomware groups use cryptocurrency to collect extortion payments. Scammers target consumers to steal their crypto wallets and accounts. And a wide range of cybercriminal enterprises has traditionally relied on it to launder money anonymously behind the scenes.

Although many cybersecurity experts and intelligence analysts agree that some shifts in trends and tactics are loosely related to the crypto crash, the jury is still out on its long-term effects on the cyber world.

The Shifting Trends & Tactics of Cryptocurrencies in 2022 

Despite the fall in crypto values this year, cybercriminals have developed more sophisticated strategies for monetizing their attacks with cryptocurrencies, according to Helen Short, a cybersecurity intelligence analyst at Accenture, who points to some ransomware groups' use of yield farming within decentralized finance as a monetization method.

"Yield farming is similar to lending money, in that the amount of interest that has to be paid is clearly outlined in the contract," she explains. "For a ransomware group, the advantage is that they will be able to collect legitimate proceeds from the ransom and they will not be forced to launder or hide the funds."

In her analysis, she has found that threat actors have increasingly turned to "stablecoins", which are typically pegged to fiat currencies or gold, to decrease the volatility of their wallets. The recent downturn in cryptocurrency prices has also given cybercriminals a heightened appetite for risk, leading to more investment frauds and cryptocurrency scams.

Besides losing wallet value, some people may simply have lost interest in keeping an eye on their accounts and stopped paying as much attention to them. Brittany Allen, the team's trust and safety architect and fraud researcher, offers some insight into how this is fueling another trend. "Fraudsters are noticing that consumers are paying less attention to their crypto wallets than they were when crypto prices were higher earlier this year and in 2021, as a result of plummeting prices for cryptocurrency," she said. Consequently, cryptocurrency account takeover attacks have increased by 79% in the last few months.

According to the researcher, an increasing number of threat actors are joining forces rather than paying each other for specialist services, which reduces the cost of an attack since a set share of the proceeds is included in the agreement.

Ransomware Will Not Go Away

One thing cybersecurity pundits agree on almost unanimously is that ransomware will remain prevalent for some time despite the growing volatility of cryptocurrencies. Ransomware activity has seen a slight decline compared to early 2022, but Aamil Karimi, threat intelligence analyst at Optiv, said that other factors out of our control, such as the war in Ukraine, contribute to the decrease.

The decline in activity is more likely due to a significant regrouping of ransomware cartels than to anything else. For as long as cryptocurrency remains a popular means of collecting extortion payments, he believes extortion will remain a popular business model.

"Right now, cryptocurrency is the safest medium through which cybercriminals can do transactions. Cryptocurrency is the preferred payment method for extortion," Karimi says. He doesn't anticipate any slowdown in cybercrime and extortion activity soon.

The evolution to be expected in 2023

Cybercriminals may also evolve their techniques for other types of attacks besides ransomware in response to increased friction with law enforcement. The most common of these is business email compromise (BEC), which does not require cryptocurrency.

The FBI's annual IC3 report [PDF] found that business email compromise was the most common method attackers used to steal fiat currency. Advances in artificial intelligence are making it increasingly easy and convenient for technology to mimic human writing, speech, and even live video, according to GreyNoise's Rudis. Ransomware groups have operated as businesses for a long time, so it makes sense to assume they would use their technological skills to deploy more advanced BEC schemes alongside their primary mission of stealing money.

At the same time, attackers are likely to keep advancing their technology for moving and laundering money, staying one step ahead of the authorities tracking it.

"The number of attackers will increase, and they will try to obfuscate their illicit funds by breaking the sequence of blockchain transactions, which will become increasingly sophisticated," Short says. "We will likely see a professionalization of cryptocurrency mixers, such as Tornado Cash, with threat actors offering fast and high value 'cash out as-a-service' offerings."

As a result, she believes that by 2023 there will be increased demand for account takeovers, with stolen accounts repurposed as mule accounts to cash out on the back end of various scams, which will in turn increase the value of personally identifiable information (PII).

Cybercriminals Target Citizen Journalists; Here's How to Mitigate

The rise of digital connectivity has made it possible for citizens, governments, and businesses to communicate more easily and efficiently. For the same reasons, however, cybercrime is a growing problem in the modern world, with hackers targeting individuals and organizations.

Recently, a journalist at the Citizen was targeted by cybercriminals using information she had published on the internet. They emailed a fake letter to the human resources department in an attempt to change the employee's banking details.

Gertrude Makafola tweeted about the incident, stating that a scammer had emailed HR pretending to be her and asking to change her banking details. Analyzing the letter, she pointed out, "This looks like my @CapitecBankSA confirmation letter, however, it isn't. Fortunately, the HR manager doesn't allow this through email or phone, you have to come in person @mtyala @BelindaaaPheto @Mizzyb1".

Citizens should be aware that cybercriminals are lurking, waiting to take full advantage of unprotected networks using a variety of attack methods.

According to Mohammed Amin, Senior Vice President, Middle East, Turkey, and Africa for Dell Technologies, speaking during October's Cybersecurity Awareness Month, the rise of cybercrime shows no signs of slowing down, posing risks to everyone across all parts of society.

Ransomware attacks increased by 150% in 2021 compared to the previous year, and more than 80% of experts say this growth now poses serious risks to public safety. "In today's world, cybercrime is a major threat, and these statistics indicate the severity and prevalence of this crime."

Cybercrime can affect anyone at any time, no matter who they are

Earlier this year, a cybersecurity company raised concerns about cybercrime following the activities of the hacking group SpiderLog$, which pointed out that many of the security systems used by South African government departments were susceptible to serious cyberattacks.

SpiderLog$ managed to obtain private information on President Cyril Ramaphosa from public sources, including details of a loan he took out from a South African bank in the 2000s, as well as his home address, ID number, and cellphone number.

According to Pankaj Bhula, Regional Director for Africa at Check Point Software, "this recent activity showed that no one - not even South Africa's President - is immune to cybercrime and that no one can protect themselves from the threat of such criminal activities."

SpiderLog$'s activity has shown that South Africa is worryingly vulnerable to cyberattacks, with the group even saying the country is like a playground for hackers. "Therefore, this should serve as a stark reminder for all organizations to enhance cybersecurity within their organization."

In the face of cyber threats, what can we do to protect ourselves?

In Amin's words, the key objective should be to develop a cyber resilience strategy capable of anticipating and responding to significant disruptions in data systems.

The real test of an organization's readiness is how quickly and seamlessly it can return to "business as usual". Such resilience has several components, one of the most critical being the creation and implementation of thorough cybersecurity training exercises for the workforce.

Amin said that this not only provides employees with training and knowledge about security risks and lures, but also heightens awareness and reinforces the importance of teamwork, skills, and collaboration across the organization as a whole.

He added that in the face of rapid advances in cybercrime, cybersecurity and the methods employed by cybercriminals need to be top of mind for the public and business sectors.

"In the age of cyberattacks, cyber security has become more than just an insurance policy against them. A resilient cyber market, if implemented effectively, can help bolster long-term economic prosperity and innovation, as well as provide us with the digital defenses we need to protect ourselves from cyberattacks in the modern era."

The following tips will help you minimize the chances of becoming a victim of cybercrime:

  1. Never store personal information, including banking information, on your smart device.
  2. Your bank will never ask you for your PIN or OTPs (one-time pins).
  3. Your bank will never ask you to process a payment in order to reverse a transaction you have already completed.
  4. Before approving any transaction, carefully check the OTPs or app approval notifications sent to you. Do not approve a payment for a transaction you are not aware of.
  5. Keep your banking app updated to the most recent version and enable its notifications.
  6. Enable the screen lock feature on your devices.
  7. Choosing reliable antivirus or security software for your business is one of the most significant decisions you can make. Staff should be told not to open unsolicited emails without first making sure the message is virus free.
  8. Keep all your business software and technology up to date.