
AI Fraud Emerges as a Growing Threat to Consumer Technology

The advent of generative AI has ushered in a paradigm shift in cybersecurity, transforming the tactics, techniques, and procedures that malicious actors have relied on for a very long time. Threat actors no longer need to spend large amounts of money and time on extensive resources; they now use generative AI to launch sophisticated attacks at an unprecedented pace and efficiency. 

With these tools, cybercriminals can scale their operations while lowering the technical and financial barriers to entry, crafting highly convincing phishing emails and automating malware development. The rapid growth of the online world poses a serious challenge to cybersecurity professionals. 

Old defence mechanisms and threat models may no longer be sufficient in an environment where attackers continuously adapt with AI-driven precision. Security teams therefore need to keep up with current trends in AI-enabled threats, understand historical attack patterns, and extract actionable insights from them in order to stay ahead of the curve.

By learning from previous incidents and anticipating the next use of generative artificial intelligence, organisations can improve their readiness to detect, defend against, and respond to intelligent cyber threats of a new breed. There has never been a more urgent time to implement proactive, AI-aware cybersecurity strategies than now. With the rapid growth of India's digital economy in recent years, supported by platforms like UPI for seamless payment and Digital India for accessible e-governance, cyber threats have become increasingly complex, which has fueled cybercrime. 

Aside from providing significant convenience and economic opportunity, these technological advances have also exposed users to a new generation of cyber risks driven by artificial intelligence (AI). Previously, AI was used as a tool to drive innovation and efficiency; today, cybercriminals use it to carry out highly customised, scalable, and deceptive attacks. 

Unlike traditional scams, an AI-enabled threat can mimic human behaviour, produce realistic messages, and adapt to targets in real time. Taking advantage of these capabilities, a malicious actor can create phishing emails that closely mimic official correspondence, use deepfakes to fool the public, and, alarmingly, automate large-scale scams. 

In India, where millions of users, many of them first-time internet users, may lack the awareness or tools required to detect such sophisticated attacks, the impact is particularly severe. With global cybercrime losses expected to reach trillions of dollars in the next decade, India's digitally active population is becoming an increasingly attractive target. 

Due to the rapid adoption of technology and the gaps in digital literacy in the country, AI-powered fraud is becoming increasingly common. It is therefore increasingly imperative that government agencies, private businesses, and individuals coordinate their efforts to understand the evolving threat landscape and develop robust cybersecurity strategies that account for AI. 

Artificial Intelligence (AI) can be defined as the branch of computer science concerned with building systems capable of performing tasks that typically require human intelligence, such as reasoning, learning, problem-solving, perception, and language understanding. In its simplest form, AI involves the development of algorithms and computational models that can process huge amounts of data, identify meaningful patterns, adapt to new inputs, and make decisions with minimal human intervention. 

As an example, AI helps machines emulate cognitive functions such as recognising speech, interpreting images, comprehending natural language, and predicting outcomes, enabling them to automate, improve efficiency, and solve complex problems in the real world. The applications of artificial intelligence are extending into a wide variety of industries, from healthcare to finance to manufacturing to autonomous vehicles to cybersecurity. As part of the broader field of Artificial Intelligence, Machine Learning (ML) serves as a crucial subset that enables systems to learn and improve from experience without having to be explicitly programmed for every scenario possible. 

Data is analysed, patterns are identified, and these algorithms are refined over time in response to feedback, thus becoming more accurate as time passes. A more advanced subset of machine learning is Deep Learning (DL), which uses layered neural networks that are modelled after the human brain to process high-level data. Deep learning excels at processing unstructured data like images, audio, and natural language and is able to handle it efficiently. As a result, technologies like facial recognition systems, autonomous driving, and conversational AI models are powered by deep learning. 

ChatGPT is one of the best examples of deep learning in action since it uses large-scale language models to understand and respond to user queries as though they were made by humans. With the continuing evolution of these technologies, their impact across sectors is increasing rapidly and offering immense benefits. However, these technologies also present new vulnerabilities that cybercriminals are increasingly hoping to exploit in order to make a profit. 

The rise of generative AI technologies, especially large language models (LLMs), has significantly changed the fraud landscape, providing powerful tools for defending against fraud as well as new opportunities for exploitation. While these technologies enhance the ability of security teams to detect and mitigate threats, they also allow cybercriminals to devise sophisticated fraud schemes that bypass conventional safeguards and conceal their true identity. 

Fraudsters increasingly use generative AI to craft attacks that are more persuasive and harder to detect. There has been a significant increase in phishing attacks that utilise AI: language models generate emails and messages that mimic the tone, structure, and branding of legitimate communications, eliminating the obvious telltale signs of poor grammar and suspicious formatting that used to give scams away. 

A similar development is the deployment of deepfake technology, including voice cloning and video manipulation, to impersonate trusted individuals, enabling social engineering attacks that are both persuasive and difficult to dismiss. In addition, attackers have now been able to automate at scale, utilising generative artificial intelligence, in real time, to target multiple victims simultaneously, customise messages, and tweak their tactics. 

It is this scalability that makes fraudulent campaigns more effective and more widespread. Furthermore, AI enables bad actors to use sophisticated evasion techniques: creating synthetic identities, manipulating behavioural biometrics, and adapting rapidly to new defences, all of which make them harder to detect. The same AI technologies that fraudsters use are also used by cybersecurity professionals to strengthen defences against these threats.

Security teams are using generative models to identify anomalies in real time, establishing dynamic baselines of normal behaviour so that deviations, potential signs of fraud, are flagged more effectively. Synthetic data generation allows the creation of realistic, anonymised datasets for training more accurate and robust fraud detection systems, particularly for identifying unusual or emerging fraud patterns in real time. 

A key application of AI to the investigative process is that it lets analysts rapidly sift through massive data sets and find critical connections, patterns, and outliers that might otherwise go undetected. The development of adaptive defence systems, AI-driven platforms that learn and evolve in response to new threat intelligence, ensures that fraud prevention strategies remain resilient and responsive even as threat tactics constantly change. In recent years, generative AI has been integrated into both the offensive and defensive sides of fraud, marking a revolutionary shift in digital risk management. 

It is increasingly clear that as technology advances, fraud prevention will depend on organisations understanding and using AI, not only to anticipate emerging threats but also to stay several steps ahead of those looking to exploit them. Even as AI becomes more deeply incorporated into daily life and business operations, the risks arising from its misuse or vulnerabilities must not be ignored. 

As AI technologies continue to evolve, both individuals and organisations should adopt a comprehensive and proactive cybersecurity strategy tailored specifically to the unique challenges they may face. Auditing AI systems regularly is a fundamental step towards navigating this evolving landscape securely. Organisations must evaluate the trustworthiness, security posture and privacy implications of these technologies, whether they are using third-party platforms or internally developed models. 

To find weaknesses and minimise potential threats, organisations should conduct periodic system reviews, penetration tests, and vulnerability assessments in cooperation with cybersecurity and AI specialists. In addition, sensitive and personal information must be handled responsibly: a growing number of individuals unintentionally share confidential information with AI platforms without understanding the ramifications.

Corporations have previously submitted proprietary information to AI-powered tools such as ChatGPT, and healthcare professionals have disclosed patient information to them. Both cases raise serious concerns regarding data privacy and regulatory compliance. Because AI interactions are recorded so that systems can be improved, users should avoid sharing any personal, confidential, or regulated information on such platforms. 

Data security is another important aspect of AI modelling. The integrity of the training data is vital to how an AI system functions, and any manipulation of it, referred to as "data poisoning", can corrupt outputs and lead to detrimental consequences for users. Ways to mitigate the risk of data loss and corruption include strong data governance policies, robust encryption, enforced access controls, and comprehensive backup solutions. 

Firewalls, intrusion detection systems, and secure password practices further strengthen the system's resilience. It is also important to follow best practices in software maintenance: keeping the latest security patches installed on AI frameworks, applications, and supporting infrastructure significantly reduces the probability of exploitation. Advanced antivirus and endpoint protection tools should also be deployed to help protect against AI-driven malware and other sophisticated threats.

Adversarial training is one of the more advanced methods of improving AI models: it trains them on simulated attacks and unpredictable data inputs. It is our belief that this approach will increase the robustness of the model in order for it to better deal with adversarial manipulations in real-world environments, thereby making it more resilient. Alongside technological safeguards, employee awareness and preparedness are crucial. 

Employees need to be taught to recognise artificial intelligence-generated phishing attacks, avoid unsafe software downloads, and respond effectively to changing threats as they arise. As part of the AI risk management process, AI experts can be consulted to ensure that training programs are up-to-date and aligned with the latest threat intelligence. 

A second important practice is AI-specific vulnerability management: continuously identifying, assessing, and remediating security vulnerabilities within AI systems. By reducing their attack surface, organisations lower the likelihood of breaches that exploit the complex architecture of AI. Last but not least, even with robust defences incidents can still occur, so there must be a clear set of plans for dealing with AI incidents. 

A good AI incident response plan should include containment protocols, investigation procedures, communication strategies, and recovery efforts, so that damage is minimised and operations are maintained as soon as possible following a cyber incident caused by artificial intelligence. It is critical that businesses adopt these multilayered security practices in order to maintain the trust of their users, ensure compliance, and safeguard against the sophisticated threats emerging in the AI-driven cyber landscape, especially at a time when AI is both a transformative force and a potential risk vector. 

As artificial intelligence continues to reshape the technological landscape, all stakeholders must address the risks associated with it. Developing comprehensive governance frameworks that balance innovation with security requires business leaders, policymakers, and cybersecurity experts to work in concert. In addition, cultivating a culture of continuous learning and vigilance among users will greatly reduce the vulnerabilities that increasingly sophisticated AI-driven attacks can exploit in the future.

Building resilient cyber defences will require investment in adaptive technologies that evolve as threats arise, while maintaining ethical standards and ensuring transparency. Securing the benefits of AI ultimately depends on a forward-looking, integrated approach that embraces both technological advancement and rigorous risk management to protect digital ecosystems today and in the future.

FortiGate Vulnerability Exposes 15,000 Devices to Risks

Fortinet Firewall Data Breach: 15,000 Devices Compromised by Belsen Group

On January 14, 2025, it was reported that the configuration data of over 15,000 Fortinet FortiGate firewalls was leaked on the dark web. The hacker group, identified as Belsen, shared this data for free on its newly created TOR website. The leaked information includes full firewall configurations, plaintext VPN credentials organized by IP address and country, serial numbers, management certificates, and other sensitive data. This breach poses a significant security risk to affected organizations, as it enables attackers to compromise internal networks with ease.

Exploitation of Critical Vulnerabilities

According to cybersecurity analysts, the Belsen Group exploited a zero-day vulnerability, identified as CVE-2022-40684, to obtain the leaked data. This vulnerability, published in 2022, allowed attackers to bypass administrative authentication through specially crafted HTTP/HTTPS requests. By leveraging this flaw, the attackers exfiltrated configuration files containing sensitive details such as passwords, firewall rules, and advanced settings. These files, though obtained in 2022, remained undisclosed until January 2025, significantly increasing the risk exposure for affected organizations.

In response to this ongoing threat, Fortinet released patches for CVE-2022-40684 and announced a new critical authentication bypass vulnerability, CVE-2024-55591, on the same day the leak was disclosed. This new vulnerability is being actively exploited in campaigns targeting FortiGate firewalls, particularly those with public-facing administrative interfaces. Devices running outdated FortiOS versions are especially at risk.

Impact and Recommendations

The leaked configuration files provide a comprehensive map of victim networks, including firewall rules and administrator credentials. Threat actors can exploit this information to:

  • Bypass perimeter defenses and gain unauthorized access to internal networks.
  • Deploy ransomware, perform lateral movement, and exfiltrate sensitive data.
  • Identify additional vulnerabilities within the network architecture to maximize attack impact.

Organizations affected by this breach must take immediate action to mitigate risks. This includes:

  • Updating credentials for all compromised devices.
  • Applying the latest security patches, including fixes for CVE-2022-40684 and CVE-2024-55591.
  • Conducting thorough security audits to identify and address additional vulnerabilities.

Cybersecurity expert Kevin Beaumont has announced plans to release an IP list from the leak to help FortiGate administrators determine if their devices were affected. Meanwhile, security firms like CloudSEK and Arctic Wolf have emphasized the importance of prioritizing updates and vigilance against future exploitation campaigns.

Fortinet devices' history of vulnerabilities has made them frequent targets for cybercriminals and nation-state actors. Addressing these security gaps is crucial to preventing further breaches and protecting sensitive organizational data.

Millions of Email Servers Found Vulnerable in Encryption Analysis

In a new study published by ShadowServer, it was revealed that 3.3 million POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) servers are currently at risk of network sniffing attacks because they are not encrypting their data using TLS. 

IMAP lets users access their email from different devices while keeping messages on the server, whereas POP3 downloads messages to one specific device, restricting access to that device. Both protocols are used by mail clients to retrieve email from a mail server. 

The advantage of IMAP is that it stores users' emails on the server and synchronises them across all their devices, so users can check their inbox on multiple devices, such as laptops and phones. POP3, by contrast, downloads emails from the server and makes them accessible only from the device that downloaded them. Many hosting companies configure POP3 and IMAP services by default, even though most users do not use them. 

ShadowServer advised email users to check with their provider that TLS is enabled and that the latest version of the protocol is in use. Users of the latest versions of Apple, Google, Microsoft, and Mozilla email platforms can rest assured that their information is already protected by TLS encryption. 

TLS (Transport Layer Security) is an Internet security protocol that provides end-to-end security between applications; it is used for secure web browsing as well as for encrypting email, file transfers, and messaging. For client/server email applications exchanging and accessing messages across the Internet, TLS protects users' information in transit. Without TLS encryption, message content and credentials are sent in clear text and are susceptible to network sniffing attacks that can eavesdrop on them. 

TLS keeps attackers from sniffing the network by encrypting users' email credentials and message contents rather than sending them as plain text; without it, anyone on the path can sniff that information. ShadowServer identified the 3.3 million hosts that do not support TLS by scanning the internet for POP3 services running on ports 110 and 995. 

TLS 1.1 was introduced in 2006 as an improvement over TLS 1.0, which had been released in 1999, yet TLS 1.0 remains in use to this day. After extensive discussion and 28 protocol drafts, the Internet Engineering Task Force (IETF) approved TLS 1.3, the next major version of the protocol, in March 2018. 

Without TLS, passwords for mail access can be intercepted, and the exposed services can also be subjected to password-guessing attacks. Hosts that send credentials and message content in clear text are open to eavesdropping by network sniffers. 

It is estimated that about 900,000 of these hosts are in the United States, with over 500,000 in Germany and Poland and 380,000 in Germany. According to the researchers, however, whether TLS is enabled or not, service exposure could enable a password-guessing attack against the server. In a coordinated announcement in October 2018, Microsoft, Google, Apple, and Mozilla informed the public that the insecure TLS 1.0 and TLS 1.1 protocols would be retired in 2020. As of August 2020, the latest Windows 10 Insider builds had begun using TLS 1.3 by default. 

The National Security Agency also released a guide in January 2021 detailing how outdated TLS versions and configurations can be identified and replaced with current, secure solutions. As a ShadowServer Foundation spokesperson pointed out, “regardless of whether TLS is enabled or not, service exposure may enable password guessing attacks against the server regardless of whether TLS is enabled.” 

Email users are urged to make sure that their email service provider enables TLS and uses the current version of the protocol. Users of Apple, Google, Microsoft, or Mozilla email platforms need not worry, since they all support TLS and use the latest versions of it.
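A way to audit one's own POP3/IMAP service for the postures discussed above (plaintext on 110/143, STARTTLS upgrade offered, or TLS-wrapped 995/993), as an added example that is not ShadowServer's scanner or code from the original post; the sample CAPA and CAPABILITY replies are constructed, and mail.example.invalid is a placeholder host.

```python
import socket
import ssl
import sys

# Constructed sample server replies (not captured from any real host).
POP3_CAPA_WITH_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"
POP3_CAPA_NO_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
POP3_CAPA_ERR = "-ERR Unknown command\r\n"
IMAP_CAP_ENFORCED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na001 OK Completed\r\n"
IMAP_CAP_OPTIONAL = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\na001 OK Completed\r\n"


def parse_pop3_capa(response: str) -> list[str]:
    """Parse a POP3 CAPA reply (RFC 2449): '+OK', one capability per line, '.' terminator.
    An '-ERR' reply means the server does not implement CAPA, so no capabilities are known."""
    lines = response.split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        return []
    caps = []
    for line in lines[1:]:
        if line == ".":
            break
        if line.startswith(".."):  # dot-stuffing, as in any POP3 multi-line reply
            line = line[1:]
        if line:
            caps.append(line.split()[0].upper())
    return caps


def parse_imap_capability(response: str) -> list[str]:
    """Parse the untagged '* CAPABILITY ...' line of an IMAP CAPABILITY reply (RFC 3501)."""
    for line in response.split("\r\n"):
        if line.upper().startswith("* CAPABILITY"):
            return [token.upper() for token in line.split()[2:]]
    return []


def classify(protocol: str, port: int, caps: list[str]) -> str:
    """Map a port and capability list to a TLS posture.
    implicit-tls:       TLS-wrapped port (993/995), encrypted from the first byte.
    starttls-enforced:  IMAP advertises STARTTLS and LOGINDISABLED, so plaintext LOGIN is refused.
    starttls-available: upgrade is offered, but a misconfigured client can still send credentials in clear.
    plaintext-only:     no TLS at all; credentials and mail are readable by a network sniffer.
    Even the better postures leave the port exposed to password guessing, as the article notes."""
    if port in (993, 995):
        return "implicit-tls"
    if protocol == "pop3":
        return "starttls-available" if "STLS" in caps else "plaintext-only"
    if "STARTTLS" in caps:
        return "starttls-enforced" if "LOGINDISABLED" in caps else "starttls-available"
    return "plaintext-only"


def probe(host: str, protocol: str = "pop3", port: int = 110, timeout: float = 5.0):
    """Connect to a mail server you administer and classify its TLS posture (needs network access)."""
    raw = socket.create_connection((host, port), timeout=timeout)
    if port in (993, 995):
        sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    else:
        sock = raw
    with sock, sock.makefile("rb") as f:
        f.readline()  # discard the server greeting
        if protocol == "pop3":
            sock.sendall(b"CAPA\r\n")
            lines = [f.readline()]
            if lines[0].startswith(b"+OK"):
                while True:
                    line = f.readline()
                    lines.append(line)
                    if not line or line == b".\r\n":
                        break
            caps = parse_pop3_capa(b"".join(lines).decode(errors="replace"))
        else:
            sock.sendall(b"a001 CAPABILITY\r\n")
            lines = []
            while True:
                line = f.readline()
                if not line:
                    break
                lines.append(line)
                if line.startswith(b"a001 "):  # tagged completion ends the reply
                    break
            caps = parse_imap_capability(b"".join(lines).decode(errors="replace"))
    return classify(protocol, port, caps), caps


if __name__ == "__main__":
    # Usage: python mail_tls_check.py mail.example.invalid [pop3|imap] [port]
    target = sys.argv[1]
    proto = sys.argv[2] if len(sys.argv) > 2 else "pop3"
    prt = int(sys.argv[3]) if len(sys.argv) > 3 else (110 if proto == "pop3" else 143)
    print(probe(target, proto, prt))
```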

Cyberattack Compromises European Space Agency Online Store Security

The European Space Agency's official web shop was compromised by a malicious JavaScript file that generated a fake Stripe payment page at checkout. With an annual budget of more than 10 billion euros, the European Space Agency (ESA) is dedicated to extending the boundaries of space activity by training astronauts and developing rockets and satellites to explore the universe's mysteries. 

Thousands of people were put at risk of wire fraud after a malicious credit card skimmer was found on ESA's web shop. According to researchers from Sansec, the script creates a fake Stripe payment page when the customer reaches checkout, which collects the customer's information. 

Because the fake payment page was served directly from ESA's web shop and mimicked an authentic Stripe interface, it appeared genuine to unsuspecting users, who were unaware of the fraudulent payment process. Source Defense Research provided screenshots of the malicious payment page alongside the real one in its post; the attack relied on domain spoofing, using a nearly identical domain name with a different top-level domain. 

The official shop of the European Space Agency is located under the domain "esaspaceshop.com," but the attackers used the domain "esaspaceshop.pics" to deceive visitors. Sansec, who flagged the incident, emphasized that the integration of the webshop with ESA's internal systems could significantly increase the risks for both employees and customers of the agency. 

An examination of the malicious script revealed obfuscated HTML code derived from the legitimate Stripe SDK; the obfuscation hindered detection while enabling the theft of sensitive payment information. The code was designed to create a convincing fake Stripe payment interface that looked legitimate because it was hosted on the official ESA web store domain. 
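The lookalike-domain and injected-script pattern described above, as an added detection example (not Sansec's or Source Defense's tooling, and not code from the ESA shop): it parses a checkout page and flags any script, iframe or form whose host shares the shop's brand label but uses a different top-level domain. The HTML sample is constructed, and treating js.stripe.com as the shop's legitimate SDK origin is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout-page fragment modelled on the reported attack: the page itself is
# served from the real shop domain, but a script and a form target a lookalike domain that
# differs only in its top-level domain. Not captured from the actual site.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="https://js.stripe.com/v3/"></script>
<script src="/assets/checkout.js"></script>
<script src="https://esaspaceshop.pics/stripe.js"></script>
<form action="https://esaspaceshop.pics/submit" method="post"><input name="card"></form>
<iframe src="https://cdn.example-analytics.invalid/frame"></iframe>
</body></html>
"""

# Assumption: the shop's legitimate payment SDK is loaded from this Stripe-operated host.
TRUSTED_HOSTS = {"js.stripe.com"}


class ResourceCollector(HTMLParser):
    """Collects the URL of every script source, iframe source and form action on the page."""
    WATCHED = {"script": "src", "iframe": "src", "form": "action"}

    def __init__(self) -> None:
        super().__init__()
        self.found: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.found.append((tag, value))


def registrable_label(host: str) -> str:
    """Second-level label of a host name ('esaspaceshop' for esaspaceshop.com or .pics).
    Deliberately simple: a real deployment would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host: str, site_host: str, trusted=TRUSTED_HOSTS) -> str:
    host, site_host = host.lower(), site_host.lower()
    if host == site_host or host.endswith("." + site_host):
        return "first-party"
    if host in trusted:
        return "trusted"
    if registrable_label(host) == registrable_label(site_host):
        return "lookalike"  # same brand label, different TLD: the pattern used in this attack
    return "untrusted-third-party"


def audit_checkout(html: str, site_host: str, trusted=TRUSTED_HOSTS):
    """Return (tag, host_or_path, verdict) for every script, iframe and form on the page."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.found:
        parsed = urlparse(url)
        if not parsed.netloc:  # relative URL: loaded from the shop's own origin
            findings.append((tag, url, "first-party"))
            continue
        host = parsed.hostname or ""
        findings.append((tag, host, classify_host(host, site_host, trusted)))
    return findings


def suspicious(findings):
    """Findings a reviewer should look at: lookalike domains and unknown third parties."""
    return [f for f in findings if f[2] in ("lookalike", "untrusted-third-party")]


if __name__ == "__main__":
    for tag, where, verdict in audit_checkout(SAMPLE_CHECKOUT_HTML, "esaspaceshop.com"):
        print(f"{verdict:24} {tag:7} {where}")
```

A first-party verdict is not a clean bill of health on its own, since the reported skimmer was served from the shop's own domain; the script-source audit is a complement to integrity checks on the site's own files, not a replacement.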

Although the fake payment page was removed, researchers found that the malicious script remained in the site's source code. The ESA web shop has since been taken offline, displaying a message that it has been taken out of orbit for an extended period. The agency clarified that the store is not hosted on its infrastructure and that it does not manage the store's data. 

Whois records confirm different ownership between ESA's main domain (esa.int) and the compromised web store. It is not known exactly how many customers were affected by the breach or what its financial impact was. The agency, well known for its role in astronaut training and satellite launches, has not yet provided details on how it intends to strengthen its online security after the incident. 

This cyberattack on a well-respected institution shows how vulnerable such organisations can be, especially when their e-commerce systems are integrated into the broader organisational network. Cybersecurity experts urge e-commerce platforms to prioritise robust security protocols to prevent similar incidents, which can erode customer trust and carry significant financial consequences. 

Recent months have seen an increase in cyberattacks targeting e-commerce platforms, with criminals using digital skimming to steal payment information. Between August and November 2024, Malwarebytes reported skimmer code infiltrating Magento-based e-commerce platforms and exposing sensitive customer information such as credit card numbers. 

Sucuri discovered several PHP-based skimmers, such as Smilodon, covertly harvesting payment data; because these skimmers were highly obfuscated, detection was significantly hindered. Finland's Cybersecurity Centre reported in December 2024 that skimming attacks, in which malicious code embedded on payment pages steals credit card information, were on the rise. These developments highlight the crucial need for e-commerce platforms to implement robust security measures so that customer data is protected from unauthorised access. 

It is still unclear who was responsible for these attacks, but Magecart, one of the most infamous threat groups, has previously been linked to similar activity, including installing credit card skimmers on prominent websites. In March 2023, Malwarebytes speculated that the group was involved in an extensive series of attacks on multiple online retailers, and that was not the first mention of the group. 

Most victims of credit card fraud resulting from such breaches can receive refunds from their banks. Cybercriminals, however, use the stolen funds to finance further malicious campaigns, including malware distribution, so significant damage has likely already been done by the time the affected cards are locked and the funds returned.

Georgia Tech Faces DOJ Lawsuit Over Alleged Lapses in Cybersecurity for Defense Contracts


Researchers at the Georgia Institute of Technology, who have received over $1 billion in Defense Department contracts, are facing scrutiny for allegedly failing to secure their computers and servers, citing that doing so was too “burdensome.” Since 2013, the Department of Defense has mandated that any contractor handling sensitive data provide “adequate security” on their systems. 

However, at Georgia Tech, laboratory directors reportedly resisted developing a security plan and opposed IT department efforts to implement basic antivirus and anti-malware software. Two IT department employees filed a whistleblower lawsuit, leading the Department of Justice (DOJ) to join the case against the university and the Georgia Tech Research Corporation (GTRC), the nonprofit entity managing government contracts. The lawsuit claims that the Astrolavos Lab at Georgia Tech delayed creating and implementing a security plan, as required by the government contracts. 

When a plan was finally created in 2020, it did not cover all relevant devices, according to the DOJ. Furthermore, the lab, whose mission is to address the security of emerging technologies critical to national security, did not install or update antivirus or anti-malware tools until December 2021. The lab allegedly fabricated compliance reports sent to the Defense Department. The reasons behind these alleged security lapses reportedly stem from campus politics. The DOJ complaint suggests that researchers bringing in substantial government funding were viewed as “star quarterbacks,” using their influence to resist compliance with federal cybersecurity mandates. 

Between 2019 and 2022, GTRC secured more than $1.6 billion in government contracts, with over $423 million in 2022 alone. The whistleblowers, Christopher Craig and Kyle Koza, filed the suit under the False Claims Act, allowing them to receive a portion of any recovered funds. Georgia Tech and GTRC face nine counts, including fraud, breach of contract, negligence, and unjust enrichment, with the DOJ seeking damages to be determined at trial. The DOJ stressed the importance of cybersecurity compliance by government contractors to safeguard U.S. information against threats from malicious actors. 

Meanwhile, Georgia Tech expressed disappointment at the DOJ’s filing, arguing it misrepresents the university’s culture and integrity, claiming that the government itself had indicated that the research did not require cybersecurity restrictions. Georgia Tech has vowed to dispute the case in court, maintaining that there was no data breach or leak and reaffirming its commitment to cybersecurity and collaboration with federal agencies.  

This case is notable given recent cybersecurity threats faced by major universities, such as the University of Utah and Howard University, where ransomware attacks have resulted in significant financial losses.

Guarding Against DMARC Evasion: The Google Looker Studio Vulnerability

Google Looker Studio is a free online tool for building reports with charts, graphs, and other data visualisations. Once a report is ready, its author can share it with anyone they choose. 

Check Point researchers have observed threat actors using Google Looker Studio to build fake cryptocurrency-themed pages, which are delivered to the intended victims in emails sent by the legitimate tool itself. 

The web-based tool turns source documents such as slideshows and spreadsheets into shareable reports, charting and graphing the data into usable visuals. 

Check Point researchers have tracked a business email compromise (BEC) campaign running over the past several weeks in which the tool is used to build crypto-themed pages, a socially engineered lure dressed up as cryptocurrency investment material.

Attackers send emails that appear to come directly from Google, containing links to unverified reports supposedly useful to cryptocurrency investors, and encourage the recipient to click through and sign in to their account to learn more. 

The link leads to a fake report that promises everything the victim needs to know about investment strategies with significant returns. Following it takes the recipient to a legitimate Google Looker Studio page that displays a Google slideshow with instructions on how to receive more cryptocurrency from the sender. 

From there the victim is taken to a login page carrying a warning that the account will be lost unless they log in immediately. The page exists only to steal the credentials the user enters. Embedding Looker Studio URLs in phishing emails is attractive to criminals because the domain's reputation as legitimate and trustworthy lets the messages pass email security checks. 

Bearing Google's branding, the phishing emails appear to originate from the tech giant itself. They inform the recipient that they have won approximately 0.75 Bitcoin (around $19,200) for joining the company's cryptocurrency insights and trading strategies program. 

The recipient is encouraged to follow the embedded link to collect the earnings, and the email is otherwise well written. Check Point's analysis found that because the sender's IP address is authorized for a google.com subdomain, the message passes the email authentication checks that are meant to prevent spoofing. 

That is the crux of the evasion: rather than forging anything, the attackers let Google's own infrastructure send the message, so the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks all pass. Because the mail is genuinely associated with the google.com domain, the phishing emails look legitimate and go undetected. 

SPF is an email authentication protocol that lets a domain owner publish which senders are authorized to send mail for the domain, so a receiving server can verify the sender. DKIM uses cryptographic signatures to verify the integrity and origin of a message. DMARC lets domain owners specify what a receiver should do when a message fails the SPF or DKIM check, and ties those results to the domain shown in the visible From header. 

BEC has been a popular phishing method for many years due to its simplicity and effectiveness, and threat actors continuously adjust their strategies and incorporate new technologies to make their attacks more convincing. In a BEC attack, threat actors impersonate employees or business partners to steal money or sensitive data, or to gain unauthorised access to corporate networks. Attackers keep sharpening their skills and leveraging new technology to build convincing lures that pique users' interest and lead them to hand over their credentials; Google Looker Studio is one such technology. 

Check Point researchers recommend that organisations adopt the increasingly common AI-powered security technologies that analyse numerous phishing indicators at once, to take a proactive stance against sophisticated BEC attacks that use legitimate services to conceal malicious intent. 
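To make the SPF/DKIM/DMARC point concrete, here is an added example (my own code, not Check Point's and not part of the original post) that evaluates DMARC alignment the way a receiving mail server does: it parses the SPF and DKIM verdicts out of an Authentication-Results header and checks whether the authenticated domains align with the domain in the visible From header. The two sample headers are constructed, and the `notifications.google.com` MAIL FROM subdomain and the TEST-NET sender IP are illustrative assumptions, not values captured from the campaign. The public-suffix logic is simplified to the last two labels, which is fine for .com but wrong for suffixes such as .co.uk.

```python
"""
Added example (not code from Check Point or the original post): evaluate DMARC
alignment from the From: header and the SPF / DKIM results, to show why mail
that genuinely leaves Google's servers passes these checks even when its body
is a phishing lure.
"""
import re
from dataclasses import dataclass


@dataclass
class AuthResults:
    spf_result: str     # e.g. "pass", "fail", "none"
    spf_domain: str     # domain SPF was checked against (MAIL FROM)
    dkim_result: str
    dkim_domain: str    # d= tag of the verified DKIM signature


def _domain_only(value: str) -> str:
    # smtp.mailfrom may carry a full address; DMARC only cares about the domain.
    return value.split("@")[-1].strip().lower().rstrip(".")


def parse_authentication_results(header: str) -> AuthResults:
    """Pull the fields DMARC needs out of an RFC 8601 Authentication-Results header."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, header, re.IGNORECASE)
        return m.group(1) if m else ""
    return AuthResults(
        spf_result=grab(r"\bspf=(\w+)").lower() or "none",
        spf_domain=_domain_only(grab(r"smtp\.mailfrom=([^\s;]+)")),
        dkim_result=grab(r"\bdkim=(\w+)").lower() or "none",
        dkim_domain=_domain_only(grab(r"header\.d=([^\s;]+)")),
    )


def header_from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address, which is what DMARC aligns against."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return _domain_only(m.group(1)) if m else ""


def organizational_domain(domain: str) -> str:
    """Simplified public-suffix logic: keep the last two labels (assumption; wrong for .co.uk etc.)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any subdomain of the org domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_evaluate(from_header: str, auth: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if either SPF or DKIM passed *and* its identifier aligns with the From domain."""
    from_domain = header_from_domain(from_header)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, aspf)
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, adkim)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


# Constructed sample headers (not captured from the campaign). A Looker Studio
# share notification really leaves Google's servers, so its MAIL FROM subdomain
# and DKIM d= are Google-controlled; the hostnames and IP below are assumptions.
LURE_FROM = 'From: "Looker Studio" <looker-studio-noreply@google.com>'
LURE_AUTH_RESULTS = (
    "Authentication-Results: mx.receiver.example; "
    "spf=pass (sender IP is 203.0.113.25) smtp.mailfrom=notifications.google.com; "
    "dkim=pass header.d=google.com header.i=@google.com"
)
# A crude spoof: From claims google.com, but the infrastructure that sent and
# signed the mail belongs to an unrelated domain, so nothing aligns.
SPOOF_FROM = 'From: "Google" <no-reply@google.com>'
SPOOF_AUTH_RESULTS = (
    "Authentication-Results: mx.receiver.example; "
    "spf=pass smtp.mailfrom=bulk-mailer.example.net; "
    "dkim=pass header.d=bulk-mailer.example.net"
)


def evaluate_samples() -> dict:
    lure = dmarc_evaluate(LURE_FROM, parse_authentication_results(LURE_AUTH_RESULTS))
    spoof = dmarc_evaluate(SPOOF_FROM, parse_authentication_results(SPOOF_AUTH_RESULTS))
    return {"lure": lure, "spoof": spoof}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```

The lure passes DMARC and the crude spoof fails, which is exactly the problem: DMARC proves that google.com authorised the sending server, not that the message content is benign. A filter that stops at an authentication pass will let the Looker Studio lure through, which is why the recommendation above is to also scan the linked URL and the page it resolves to.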

The campaign used a legitimate Google app and domain to disguise its malicious intent. Check Point's Fuchs advised organisations to implement a comprehensive security solution that includes document and file scanning as well as URL protection that thoroughly scans and emulates web pages, for a higher level of protection.

ESXi Servers are Targeted by Linux-Based Akira Ransomware

The Akira ransomware operation has begun using a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide, cutting off access to the virtual machines. The move comes after a couple of months in which the operation targeted only Windows systems. 

With this expansion to ESXi, Akira can now reach the virtualised infrastructure of companies across the globe. 

Akira first appeared in March 2023 and, as one of the newest additions to the ransomware landscape, is still relatively little known. 

In its short time in operation, Akira has been confirmed to have hit 45 organizations, most of them based in the U.S., ranging from childcare centers to large financial institutions. 

The threat actors run double-extortion attacks: they steal data from breached networks, encrypt files, and then demand payouts of several million dollars.

The gang's leak blog lists victims including asset managers. After an attack is launched, Akira encrypts an organization's files, appending an extension to each file name. A ransom note appears on the desktop, explaining in a condescending tone that paying is the quickest way back to normal operations. 

Victims named on the gang's dark web blog include the Development Bank of Southern Africa and London Capital Group, along with many US-based companies. 

Akira uses double-extortion techniques to pressure victims into paying: it copies data before encrypting it, so that it can threaten to release the information as well as sell the decryption key, and uses both levers to force a company into paying the ransom. 

Ransom demands range from under a million dollars to more than a million. So far the group has focused on professional services, education, manufacturing, and research and development.

The ransomware has disrupted corporate networks and encrypted data in sectors as diverse as education and finance, stealing data from the breached networks along the way. Compromised files are marked with the .akira extension. 

Once Akira has run, files of many different types and names are encrypted and renamed with the .akira extension, and a ransom note titled akira_readme.txt is left in each folder of the encrypted device. 
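Those two artefacts, the .akira extension and the akira_readme.txt note in every folder, are the quickest things to look for when triaging a host or a mounted datastore. The script below is an added example (my own code, not from the reporting on Akira) that tallies both indicators per directory from a list of file paths and returns a verdict; `collect_paths()` feeds it from a real directory tree. The sample listing is constructed to look like an ESXi datastore after encryption, and the datastore and VM names are made up.

```python
"""
Added example (not from the Akira reporting quoted above): triage a file listing
for the two indicators the post describes, files renamed with the .akira
extension and an akira_readme.txt note dropped into each folder.
"""
import os
from collections import defaultdict

AKIRA_EXTENSION = ".akira"
AKIRA_NOTE_NAME = "akira_readme.txt"


def collect_paths(root: str):
    """Walk a real directory tree and yield every file path (for a live host or mounted image)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def assess_paths(paths) -> dict:
    """Tally Akira indicators per directory from an iterable of file paths."""
    per_dir = defaultdict(lambda: {"files": 0, "encrypted": 0, "note": False})
    for path in paths:
        directory, name = os.path.split(path.replace("\\", "/"))
        entry = per_dir[directory]
        lowered = name.lower()
        if lowered == AKIRA_NOTE_NAME:
            entry["note"] = True      # ransom note, not a victim file
            continue
        entry["files"] += 1
        if lowered.endswith(AKIRA_EXTENSION):
            entry["encrypted"] += 1

    encrypted = sum(e["encrypted"] for e in per_dir.values())
    notes = sum(1 for e in per_dir.values() if e["note"])
    hit_dirs = sorted(d for d, e in per_dir.items() if e["encrypted"] or e["note"])

    if encrypted and notes:
        verdict = "akira-indicators"   # renamed files plus the note: both artefacts present
    elif encrypted or notes:
        verdict = "suspect"            # one indicator alone: investigate before concluding
    else:
        verdict = "clean"
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "affected_directories": hit_dirs,
        "verdict": verdict,
    }


# Constructed listing mimicking an ESXi datastore after encryption; the
# datastore and VM names are invented for the example.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.akira",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.akira",
    "/vmfs/volumes/datastore1/web01/web01.vmx.akira",
    "/vmfs/volumes/datastore1/web01/akira_readme.txt",
    "/vmfs/volumes/datastore1/db01/db01.vmdk.akira",
    "/vmfs/volumes/datastore1/db01/akira_readme.txt",
    "/vmfs/volumes/datastore1/iso/ubuntu-22.04.iso",
]


if __name__ == "__main__":
    print(assess_paths(SAMPLE_PATHS))
    # On a real host: print(assess_paths(collect_paths("/vmfs/volumes")))
```

Keep the note check separate from the file count: a folder containing only akira_readme.txt (the Linux variant skips some paths, as noted below) should still surface as affected, and a single renamed file without any note is worth a look but is not proof on its own.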

The Linux version of Akira is configurable, including the percentage of data encrypted in each file, letting threat actors tune the speed and impact of their attacks. Its tendency to skip folders and files normally associated with Windows indicates that it was ported from the Windows version.

Akira's widening scope, now threatening organizations around the world, illustrates the urgency of action. Ransomware groups are increasingly expanding to Linux platforms, many of them leveraging readily available tools to do so, which has turned the expansion into a simple and lucrative strategy for maximizing profits. 

Other notable ransomware operations that predominantly target VMware ESXi servers with Linux-based encryptors include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, RansomEXX, and Hive. 

Spreads Rapidly, is Widely Popular, and is Unsecured 

ESXi servers are popular targets because ransomware spreads rapidly through them: a single run on the hypervisor reaches every virtual machine it hosts, making the attack extremely fast. ESXi is among the most widely used hypervisors in the world and is entrenched in enterprise environments. Finally, the hosts usually have no security solution installed: as a CrowdStrike report previously noted, antivirus software simply isn't supported on them by the manufacturer. 

Between February 2 and 6, thousands of ESXi servers were hit simultaneously by attackers exploiting a two-year-old vulnerability. Good server security matters because research takes time and is not always easy: Mandiant had already reported attacks on ESXi hypervisors in 2022, before the problem was exploited at scale.

Babuk is Customized by RA Ransomware Group

It has recently been discovered that an actor called RA Group is using leaked Babuk source code in its attacks. Companies in the United States and South Korea have borne the brunt, with manufacturing, wealth management, insurance providers, and pharmaceuticals among the compromised industries. 

The source code leaked from the Babuk cybercriminal gang continues to cause havoc as other actors use it to launch cyberattacks against their own targets. 

According to an evaluation published by Cisco Talos this week, RA Group has been expanding its operations rapidly since April 22. It has targeted several companies in the US and South Korea, particularly in manufacturing, wealth management, insurance, and pharmaceuticals, and has claimed a handful of victims since surfacing in April. 

Four Companies Have Been Attacked by RA Ransomware

As per Cisco Talos’s research, “RA Group started leaking data on April 22, 2023, and we observed the first batch of victims on April 27, followed by the second batch on April 28, and we noticed more victims on April 29, 2023."

It is worth recalling that Babuk's complete source code was leaked online in September 2021. Several new threat actors have since built ransomware on top of it: over the past year, 10 different ransomware families have gone down that route, including groups that used it to develop lockers for VMware ESXi hypervisors. 

Others have modified the code in other ways, and attacks built on it have exploited known vulnerabilities in Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and other popular web applications. 

A SentinelLabs report published last week found growing evidence that ransomware groups are still targeting ESXi hypervisors, and noted that the September 2021 Babuk leak gave threat actors a view into a ransomware group's development operations that had previously been unavailable to them. 

Victims are also named on a dark web leak blog to pressure them into paying before their data is published.

A ransom note reproduced in the report shows the gang is ruthless, selling the data after three days. The note opens with "Your data is encrypted when you read this letter," adds that the data has also been copied onto the attackers' server, and states that no information about the victim will be compromised or made public unless the victim wants it to be. Most criminals give victims weeks or months to pay up. 

On May 15, the Cisco Talos security team compiled a timeline of attacks by different actors using ransomware families derived from the leaked Babuk source code. 

Several custom malware families have grown out of the ransomware code exposed in the Babuk leak, according to Timothy Morris, Chief Security Advisor at Tanium. The attacker exploits software vulnerabilities in Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, and Liferay, and also interferes with backups and deletes volume shadow copies. According to Morris, this exploitation was observed last year. 
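The backup interference Morris mentions is one of the most reliable pre-encryption signals a defender gets, because the commands that delete shadow copies are noisy and rarely run by normal users. The script below is an added example (my own code, not from Cisco Talos or Tanium) that runs a small rule set over process-creation events and returns the matches. The event records are constructed; real input would be Sysmon Event ID 1 or Windows Security 4688 records with the same field names. The two shadow-copy rules follow the behaviour described above; the `wbadmin`, `bcdedit` and `resize shadowstorage` rules are assumed companions that are common in ransomware playbooks but are not stated in the report.

```python
"""
Added example (not from Cisco Talos or Tanium): flag deletion of volume shadow
copies and related backup tampering in process-creation events.
"""
import re

# Each rule: name, regex applied to the whitespace-normalised command line.
# The first two reflect the behaviour quoted above; the rest are assumptions
# drawn from common ransomware playbooks, not from the RA Group report.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_win32_shadowcopy", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]


def normalise(cmdline: str) -> str:
    """Collapse whitespace so spacing tricks do not break the patterns."""
    return re.sub(r"\s+", " ", cmdline.strip())


def detect_backup_tampering(events) -> list:
    """Return one finding per (event, rule) match, keeping the fields an analyst pivots on."""
    findings = []
    for ev in events:
        cmd = normalise(ev.get("CommandLine", ""))
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({
                    "rule": name,
                    "host": ev.get("Computer"),
                    "pid": ev.get("ProcessId"),
                    "parent": ev.get("ParentImage"),
                    "cmdline": cmd,
                })
    return findings


def hosts_with_findings(findings) -> list:
    """Distinct hosts, sorted, for a quick blast-radius view."""
    return sorted({f["host"] for f in findings if f["host"]})


# Constructed events (not real telemetry). Field names mirror Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Computer": "fs01", "ProcessId": 4120, "ParentImage": "C:\\Users\\svc\\locker.exe",
     "CommandLine": "vssadmin.exe   Delete Shadows /All /Quiet"},
    {"Computer": "fs01", "ProcessId": 4132, "ParentImage": "C:\\Users\\svc\\locker.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Computer": "fs01", "ProcessId": 4140, "ParentImage": "C:\\Users\\svc\\locker.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\""},
    {"Computer": "fs01", "ProcessId": 4150, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "ws07", "ProcessId": 880, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "vssadmin list shadows"},          # benign: listing, not deleting
    {"Computer": "ws07", "ProcessId": 902, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe C:\\notes\\readme.txt"},
]


if __name__ == "__main__":
    hits = detect_backup_tampering(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['host']} pid={hit['pid']} {hit['rule']}: {hit['cmdline']}")
    print("hosts:", hosts_with_findings(hits))
```

The parent image is kept in each finding on purpose: `vssadmin delete shadows` launched by a backup agent during maintenance is a false positive to tune out, while the same command launched from an unsigned binary in a user profile, as in the constructed events above, is the pattern that should page someone.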

RA Group's ransom note gives victims just three days to pay; the group follows the standard double-extortion model, threatening to leak exfiltrated data if payment is not made. 

The leak site discloses the identity of the victim, the name of the organization from which the data was taken, the total size of the data exfiltrated, and even the victim's official URL. As Cisco Talos notes in its analysis, this is a typical leak site for a ransomware group of this type. RA Group is actively selling victims' exfiltrated data through the site, which is hosted as a Tor hidden service.   