
LangChain Gen AI Under Scrutiny Experts Discover Significant Flaws

Palo Alto Networks researchers have identified two vulnerabilities, CVE-2023-46229 and CVE-2023-44467, in LangChain, an open-source framework for generative artificial intelligence applications that is available on GitHub. The first of these, CVE-2023-46229, is a Server Side Request Forgery (SSRF) bug, a web security vulnerability that affects the wide range of products built on the framework.

LangChain versions before 0.0.317 are affected, with the vulnerable code living in the recursive_url_loader.py module. The flaw enables SSRF: a crafted external resource can make the loader crawl and access internal servers. This poses a significant risk to a company, since it can open the door to unauthorized access to sensitive information, compromise the integrity of internal systems, and lead to the disclosure of sensitive data.

As a precautionary measure, organizations are advised to apply the latest updates and patches provided by LangChain, which address the SSRF vulnerability and strengthen their security posture. The second vulnerability, CVE-2023-44467 in langchain_experimental, is a critical flaw affecting LangChain versions 0.0.306 and older. By using import in Python code, attackers can bypass the fix for CVE-2023-36258 and execute arbitrary code.

pal_chain/base.py does not prevent this exploitation. The CVSS exploitability sub-score is 3.9 out of 10, with a base score of 9.8 out of 10 and a base severity of CRITICAL. The attack requires no privileges and no user interaction and can be launched from the network, and the impact on confidentiality, integrity, and availability is rated high.

Organizations should act as soon as possible to protect their systems and data from damage or unauthorized access through this vulnerability. LangChain versions before 0.0.317 are affected, and users and administrators of affected versions should update to the latest version immediately.

The first vulnerability reported is a critical prompt injection flaw in PALChain, a Python library that LangChain uses to generate code, tracked as CVE-2023-44467. The researchers exploited the flaw by altering two security functions within the from_math_prompt method, which translates a user's query into Python code that is then run.

By setting the two values to false, the researchers disabled LangChain's validation checks and its detection of dangerous functions; as a result, they were able to execute malicious code through a user-specified action on LangChain. LangChain is an open-source library designed to make complex large language models (LLMs) easier to use.
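The weakness described above is that the safety checks on model-generated code were mere flags that could be switched off. The following is an added example (not LangChain's or Palo Alto Networks' code) of how a defender can make such checks unconditional: an AST walk over the generated Python rejects imports outside an allowlist, references to dangerous builtins, and dunder attribute access, and a runtime import hook backs the static check. The policy sets, the `solution` entry point, and the helper names are assumptions made for this example.

```python
import ast

# Constructed policy (an assumption for this example, not LangChain's own lists):
# modules generated code may import, and builtins it must never reference.
ALLOWED_IMPORTS = {"math"}
FORBIDDEN_NAMES = {"exec", "eval", "compile", "open", "__import__", "getattr",
                   "globals", "locals", "vars", "breakpoint", "input"}


class GeneratedCodeRejected(Exception):
    """Raised when LLM-generated code fails validation."""


def validate_generated_code(source, allowed_imports=ALLOWED_IMPORTS):
    """Walk the AST of generated code and return a list of policy violations.
    Unlike a flag that can be set to false, this check always runs."""
    problems = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in allowed_imports:
                    problems.append(f"import of {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] not in allowed_imports:
                problems.append(f"import from {node.module}")
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            problems.append(f"reference to {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            problems.append(f"dunder attribute {node.attr}")
    return problems


def _guarded_import(name, *args, **kwargs):
    """Runtime backstop for the static check: imports resolved while the
    generated code executes go through the same allowlist."""
    if name.split(".")[0] not in ALLOWED_IMPORTS:
        raise GeneratedCodeRejected(f"runtime import of {name} blocked")
    return __import__(name, *args, **kwargs)


def run_generated_solution(source, entrypoint="solution"):
    """Validate, then execute the generated code with a minimal builtins table
    and call its entry point (hypothetical name), the way a PAL-style chain
    runs model output."""
    problems = validate_generated_code(source)
    if problems:
        raise GeneratedCodeRejected("; ".join(problems))
    env = {"__builtins__": {"__import__": _guarded_import, "range": range,
                            "len": len, "sum": sum, "min": min, "max": max,
                            "abs": abs, "round": round, "int": int,
                            "float": float}}
    exec(source, env)
    return env[entrypoint]()


if __name__ == "__main__":
    # Constructed sample of model output that stays inside the policy.
    good = "import math\ndef solution():\n    return math.sqrt(144) + 3\n"
    print(run_generated_solution(good))
    print(validate_generated_code("import os\ndef solution():\n    return 1\n"))
```

The AST check and the import hook are defence in depth, not a sandbox: a restricted builtins table does not isolate the process, so generated code should still run with least privilege (separate process, no network, resource limits) regardless of what the validator accepts.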

LangChain provides a multitude of composable building blocks, including connectors to models, integrations with third-party services, and tool interfaces usable by large language models (LLMs). Users can build chains using these components to augment LLMs with capabilities such as retrieval-augmented generation (RAG). This technique supplies additional knowledge to large language models, incorporating data from sources such as private internal documents, the latest news, or blogs. 

Application developers can leverage these components to integrate advanced LLM capabilities into their applications. Initially, during its training phase, the model relied solely on the data available at that time. However, by connecting the basic large language model to LangChain and integrating RAG, the model can now access the latest data, allowing it to provide answers based on the most current information available. 

LangChain has garnered significant popularity within the community. As of May 2024, it boasts over 81,900 stars and more than 2,550 contributors to its core repository. The platform offers numerous pre-built chains within its repository, many of which are community-contributed. Developers can directly use these chains in their applications, thus minimizing the need to construct and test their own LLM prompts. Researchers from Palo Alto Networks have identified vulnerabilities within LangChain and LangChain Experimental. 

A comprehensive analysis of these vulnerabilities is provided. LangChain’s website claims that over one million developers utilize its frameworks for LLM application development. Partner packages for LangChain include major names in the cloud, AI, databases, and other technological development sectors. Two specific vulnerabilities were identified that could have allowed attackers to execute arbitrary code and access sensitive data. 

LangChain has issued patches to address these issues. The article offers a thorough technical examination of these security flaws and guidance on mitigating similar threats in the future. Palo Alto Networks encourages LangChain users to download the latest version of the product to ensure that these vulnerabilities are patched. Palo Alto Networks' customers benefit from enhanced protection against attacks utilizing CVE-2023-46229 and CVE-2023-44467.

The Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced Threat Prevention, can identify and block command injection traffic. Prisma Cloud aids in protecting cloud platforms from these attacks, while Cortex XDR and XSIAM protect against post-exploitation activities through a multi-layered protection approach. Precision AI-powered products help to identify and block AI-generated attacks, preventing the acceleration of polymorphic threats. 

One vulnerability, tracked as CVE-2023-46229, affects a LangChain feature called SitemapLoader, which scrapes information from various URLs to compile it into a PDF. The vulnerability arises from SitemapLoader's capability to retrieve information from every URL it receives. A supporting utility called scrape_all gathers data from each URL without filtering or sanitizing it. This flaw could allow a malicious actor to include URLs pointing to intranet resources within the provided sitemap, potentially resulting in server-side request forgery and the unintentional leakage of sensitive data when the content from these URLs is fetched and returned. 

Researchers indicated that threat actors could exploit this flaw to extract sensitive information from limited-access application programming interfaces (APIs) of an organization or other back-end environments that the LLM interacts with. To mitigate this vulnerability, LangChain introduced a new function called extract_scheme_and_domain and an allowlist to enable users to control domains. 
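The mitigation described above, a scheme-and-domain extraction combined with a domain allowlist, is shown here as an added example written for this page; it is not LangChain's implementation, and the function names, the allowlist contents, and the sample sitemap entries are constructed assumptions. It goes slightly beyond the page by also rejecting non-HTTP schemes and literal loopback, link-local and private addresses, which an allowlist on its own does not address when the list is left empty.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only domains the loader may fetch.
ALLOWED_DOMAINS = {"docs.example.com", "blog.example.com"}


def extract_scheme_and_domain(url):
    """Return (scheme, host), lower-cased. Hypothetical helper named after the
    one the article mentions; this is not LangChain's code."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def is_private_host(host):
    """True for loopback, link-local, RFC 1918 and other non-global addresses,
    and for hostnames that conventionally point at internal resources."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith((".local", ".internal"))
    return not addr.is_global


def url_allowed(url, allowed_domains=ALLOWED_DOMAINS):
    """Allow only http(s) URLs whose host is an allowlisted domain or a
    subdomain of one, and never an internal address."""
    scheme, host = extract_scheme_and_domain(url)
    if scheme not in ("http", "https") or not host or is_private_host(host):
        return False
    return host in allowed_domains or any(
        host.endswith("." + domain) for domain in allowed_domains)


def filter_sitemap_urls(urls, allowed_domains=ALLOWED_DOMAINS):
    """Split a sitemap's <loc> entries into (accepted, rejected) before any
    fetch happens; a scrape_all-style helper should only ever see `accepted`."""
    accepted, rejected = [], []
    for url in urls:
        (accepted if url_allowed(url, allowed_domains) else rejected).append(url)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sitemap mixing legitimate entries with internal targets.
    sample = [
        "https://docs.example.com/guide",
        "https://api.docs.example.com/v1",
        "http://10.0.0.5/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:8080/",
        "file:///etc/passwd",
        "https://other.example.org/page",
    ]
    ok, bad = filter_sitemap_urls(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check operates on the URL string only; it does not resolve DNS, so a production filter should additionally validate the address a hostname resolves to at fetch time (and on each redirect), otherwise an allowlisted name that resolves to an internal address still reaches the internal network.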

Both Palo Alto Networks and LangChain urged immediate patching, particularly as companies hasten to deploy AI solutions. It remains unclear whether threat actors have exploited these flaws. LangChain did not immediately respond to requests for comment.

SEXi Ransomware Rebrands to APT INC, Continues VMware ESXi Attacks

The SEXi ransomware group and its affiliates, which have carried out a series of cyberattacks against several organizations since February of this year, have been operating under the name "APT Inc." since June. The group encrypts VMware ESXi servers with the leaked Babuk encryptor and Windows servers with the leaked LockBit 3 encryptor.

In its rebranded form, the group continues to use its original encryption techniques while wreaking havoc on new victims around the world, issuing ransom demands ranging from thousands to millions of dollars in exchange for access to the victims' data. Babuk Locker, often called Babyk, is a ransomware operation that began targeting businesses in 2021, stealing and encrypting their data in double-extortion attacks for profit.

The name SEXi is a play on ESXi, the platform the ransomware targets. As noted in a statement by CRONUp cybersecurity researcher Germán Fernández, PowerHost CEO Ricardo Rubem confirmed that his servers had been locked up by a ransomware variant called SEXi. It has not yet been revealed exactly how the malware gained access to PowerHost's internal network.

In his statement, Rubem clarified that he would not be paying the ransom demanded by the attackers. It is worth noting that after attacking the Washington DC Metropolitan Police Department (MPD), the ransomware gang claimed that it had shut down its operations due to pressure from U.S. law enforcement. In February 2024, threat actors carried out several attacks using the leaked Babuk encryptor against VMware ESXi servers and the leaked LockBit 3 encryptor against Windows systems.

The cybercriminals' campaign soon gained media attention because of an attack on IxMetro Powerhost, a Chilean hosting provider whose VMware ESXi servers were encrypted. The ransomware operation was given the name SEXi after the name of its ransom note, SEXi.txt, and the .SEXi extension it appends to encrypted files.

Cybersecurity researcher Will Thomas found further variants under the names SOCOTRA, FORMOSA, and LIMPOPO. As noted above, the operation uses a combination of Linux and Windows encryptors, but it is best known for targeting VMware ESXi-based systems. According to cybersecurity researcher Rivitna, the operation has rebranded itself as APT INC and continues to encrypt files with the Babuk and LockBit 3 encryptors, which BleepingComputer reported it was still using as of June.

BleepingComputer has received numerous reports in recent weeks from victims impacted by APT INC attacks, along with posts on its forums describing similar experiences. The threat actors gain access to VMware ESXi servers and encrypt the files that make up the virtual machines, including virtual disks, database files, and backup images. The remaining operating system files are not encrypted at all.

Each victim of APT INC ransomware will be assigned a random name that is not associated with their company. This name will be used for both the ransom note and the encrypted file extension. The ransom notes will contain information on how to contact the threat actors using the Session encrypted messaging application.

Notably, the Session address remains the same as the one used in previous SEXi ransom notes. BleepingComputer has reported that ransom demands range from tens of thousands to millions of dollars. For instance, the CEO of IxMetro Powerhost publicly disclosed that the threat actors demanded two bitcoins per encrypted customer.

Unfortunately, the encryptors used by Babuk and LockBit 3 ransomware are secure and have no known vulnerabilities, making it impossible to recover files without paying the ransom. The leaked Babuk and LockBit 3 encryptors have been repurposed to power new ransomware operations, including APT INC. The Babuk encryptors, in particular, have gained widespread adoption due to their capability to target VMware ESXi servers, which are heavily utilized in enterprise environments. 

The VMware ESXi hypervisor platform operates on Linux and Linux-like operating systems, capable of hosting multiple, data-rich virtual machines (VMs). This platform has been a favoured target for ransomware actors for several years, partly due to its extensive attack surface. According to a Shodan search, tens of thousands of ESXi servers are exposed to the Internet, most of which run older versions. This figure does not account for servers that become accessible following an initial breach of a corporate network. 

Additionally, the growing interest of ransomware gangs in targeting ESXi is attributed to the platform’s lack of support for third-party security tools. As reported by Forescout last year, unmanaged devices such as ESXi servers are prime targets for ransomware threat actors. This is due to the valuable data stored on these servers, the increasing number of exploitable vulnerabilities affecting them, their frequent exposure to the Internet, and the challenges in implementing security measures such as endpoint detection and response (EDR). 

ESXi servers represent high-value targets since they host multiple VMs, enabling attackers to deploy malware once and encrypt numerous servers with a single command. To mitigate these risks, VMware has published a guide to securing ESXi environments. Key recommendations include ensuring that ESXi software is patched and up-to-date, hardening passwords, removing servers from the Internet, monitoring network traffic and ESXi servers for abnormal activities, and maintaining backups of VMs outside the ESXi environment to facilitate recovery.
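The monitoring recommendation above can be made concrete. The pattern this article describes, VM disks and configuration files gaining a per-victim suffix and a note file named after that same suffix appearing in the VM folders, is detectable from nothing more than a file listing. The following is an added example written for this page (not VMware's, BleepingComputer's or any vendor's tooling): it scans a datastore listing for that pattern and raises an alert. The listing is constructed, the suffix `k7g2x` stands in for the random name the attackers choose, and the thresholds are assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict

# File types that make up a VM on a datastore; an extra suffix appended to
# one of these is the signal we are looking for.
VM_EXTENSIONS = ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vmss", "nvram", "vswp")
APPENDED_RE = re.compile(
    r"\.(" + "|".join(VM_EXTENSIONS) + r")\.([A-Za-z0-9_-]{3,16})$")

# Constructed sample listing, the kind of output `find /vmfs/volumes -type f`
# would give. Two VMs carry a made-up suffix and note; the third is untouched.
SAMPLE_LISTING = """
/vmfs/volumes/ds1/web01/web01.vmdk
/vmfs/volumes/ds1/web01/web01-flat.vmdk.k7g2x
/vmfs/volumes/ds1/web01/web01.vmx.k7g2x
/vmfs/volumes/ds1/web01/k7g2x.txt
/vmfs/volumes/ds1/db02/db02.vmx.k7g2x
/vmfs/volumes/ds1/db02/db02-flat.vmdk.k7g2x
/vmfs/volumes/ds1/db02/db02.nvram
/vmfs/volumes/ds1/db02/k7g2x.txt
/vmfs/volumes/ds1/clean03/clean03.vmx
/vmfs/volumes/ds1/clean03/clean03-flat.vmdk
/vmfs/volumes/ds1/clean03/vmware.log
"""


def scan_listing(listing):
    """Group VM files that gained an extra suffix by that suffix, and record
    which of their directories also hold a .txt file named after the suffix."""
    by_suffix = defaultdict(lambda: {"files": 0, "dirs": set()})
    notes = defaultdict(set)  # note stem -> directories containing it
    for raw in listing.splitlines():
        path = raw.strip()
        if not path:
            continue
        directory, _, name = path.rpartition("/")
        match = APPENDED_RE.search(name)
        if match:
            info = by_suffix[match.group(2)]
            info["files"] += 1
            info["dirs"].add(directory)
        elif name.lower().endswith(".txt"):
            notes[name[:-4]].add(directory)
    return {suffix: {**info, "note_dirs": notes.get(suffix, set()) & info["dirs"]}
            for suffix, info in by_suffix.items()}


def assess(listing, min_files=2):
    """Turn scan results into alerts. The same unknown suffix on several VM
    files is medium severity; a matching note file in the same folders makes
    it high. `min_files` is an assumed threshold to suppress one-off renames."""
    alerts = []
    for suffix, info in scan_listing(listing).items():
        if info["files"] < min_files:
            continue
        alerts.append({
            "suffix": suffix,
            "files": info["files"],
            "vm_dirs": sorted(info["dirs"]),
            "note_dirs": sorted(info["note_dirs"]),
            "severity": "high" if info["note_dirs"] else "medium",
        })
    return sorted(alerts, key=lambda a: -a["files"])


if __name__ == "__main__":
    for alert in assess(SAMPLE_LISTING):
        print(alert)
```

Because the suffix is random per victim, the detector keys on structure (VM file plus unexpected suffix, note named after the suffix) rather than on any fixed indicator, which is what makes it useful against a rebranded operation. It is a post-encryption signal, so it complements rather than replaces the patching, network isolation and off-host backups listed above.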

Unveiling the Mule Accounts Menace in Modern Money Laundering

In a recent statement, a member of the RBI's board of governors urged banks to step up efforts against mule accounts. According to Piyush Shukla, money mules in India do much more than move money. A mule account is a bank account that receives funds from illegal activities and then transfers those funds to other accounts, serving as a bridge for money laundering and other illegal practices.

In India, it is not uncommon to come across people who open bank accounts and hand them over to fraudsters in exchange for payment. Because the onboarding of such an account holder is not automated, these accounts are more difficult to detect. They can still be stopped: the right controls, together with monitoring of the user's behaviour throughout the lifecycle of the account, give banks the best chance of catching them.

Last November, six people were reportedly arrested in Bengaluru over the alleged operation of 126 mule accounts. Earlier this week, the Reserve Bank of India (RBI) raised concerns that certain banks hold a huge number of fraudster accounts used for fraudulent transactions and loan evergreening. In a move to curb digital fraud, RBI governor Shaktikanta Das has directed banks to crack down on the use of mule accounts and to increase customer awareness and education initiatives.

Money mules can be generally categorized into five different kinds based on their level of complicity in a money laundering scheme and the way they are employed. A victim mule is a person who is unaware, for example, that his account has been compromised and that it is being abused by a fraudster who wants to launder money through his account. An incident of data breach most likely resulted in the victim's account details being leaked. 

Money mules can also be misled parties, who are tricked into sending and receiving money on behalf of fraudsters in the belief that the money is clean. Such mules often respond to job advertisements that involve executing transactions on behalf of the "employer". One of the most common types of money mule is the deceiver, who opens new accounts using stolen or synthetic identities to send and receive stolen funds.

Another type is the "peddler", a person who sells their account information to fraudsters, who then use it to send and receive stolen funds. Mules can also be accomplices, who open a new account in their own name or use an existing one to send and receive funds at the direction of a fraudster. A study by BioCatch, a digital fraud detection company, revealed that nine out of ten mule accounts had gone undetected by one of its Indian partners.

During the first month of documented mule account activity, 86% of sessions came from within India; after a month that figure dropped to just 20%, and 16% of sessions were using a VPN to access the accounts. Most mule account activity happens in Bhubaneswar (15%), while Lucknow and Navi Mumbai are each responsible for 3.4%. Two towns in West Bengal, Bhagabatipur and Gobindapur, recorded 1.7% and 2.6% of mule account activity, respectively. In comparison, Mumbai and Bengaluru reported 2.2% and 1.8%, respectively.
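The figures above describe a lifecycle signature: a mule account looks domestic in its first month and then shifts to foreign or VPN-routed sessions once it is handed over. The following is an added example (not BioCatch's or any bank's product) of the kind of lifecycle monitoring the article calls for: it profiles each account's sessions before and after an assumed 30-day window and flags accounts whose home-country share collapses or whose VPN share jumps. The session log, the window, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed session log: (account_id, days_since_open, session_country, used_vpn).
# A1 goes quiet-domestic then foreign/VPN; B2 stays domestic throughout.
SESSIONS = [
    ("A1", 2, "IN", False), ("A1", 10, "IN", False), ("A1", 20, "IN", False),
    ("A1", 40, "NG", True), ("A1", 45, "NG", True), ("A1", 50, "IN", True),
    ("A1", 60, "NG", False),
    ("B2", 1, "IN", False), ("B2", 15, "IN", False), ("B2", 40, "IN", False),
    ("B2", 70, "IN", False), ("B2", 90, "IN", False),
]


def lifecycle_profile(sessions, home_country="IN", window_days=30):
    """Per account, compute session count, home-country share and VPN share
    for the early window and for everything after it."""
    buckets = defaultdict(lambda: {"early": [], "late": []})
    for account, day, country, vpn in sessions:
        phase = "early" if day <= window_days else "late"
        buckets[account][phase].append((country, vpn))
    profiles = {}
    for account, phases in buckets.items():
        profile = {}
        for phase, rows in phases.items():
            n = len(rows)
            profile[f"{phase}_sessions"] = n
            profile[f"{phase}_home_share"] = (
                sum(1 for c, _ in rows if c == home_country) / n if n else None)
            profile[f"{phase}_vpn_share"] = (
                sum(1 for _, v in rows if v) / n if n else None)
        profiles[account] = profile
    return profiles


def flag_mule_candidates(sessions, home_drop=0.5, vpn_rise=0.1, min_late=3):
    """Flag accounts whose behaviour changes sharply after the early window.
    Thresholds are assumptions: a 50-point fall in home-country share or a
    10-point rise in VPN use, with at least `min_late` later sessions so a
    single holiday login does not trigger an alert."""
    flagged = []
    for account, p in lifecycle_profile(sessions).items():
        if p["early_sessions"] == 0 or p["late_sessions"] < min_late:
            continue
        home_fell = p["early_home_share"] - p["late_home_share"] >= home_drop
        vpn_rose = p["late_vpn_share"] - p["early_vpn_share"] >= vpn_rise
        if home_fell or vpn_rose:
            flagged.append(account)
    return sorted(flagged)


if __name__ == "__main__":
    for account, profile in lifecycle_profile(SESSIONS).items():
        print(account, profile)
    print("candidates for review:", flag_mule_candidates(SESSIONS))
```

The output is a review queue, not a verdict: geography and VPN use are weak signals individually, so in practice they would be combined with transaction patterns (rapid pass-through of incoming funds) before any account action is taken.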

To help customers prevent their bank accounts from becoming mule accounts, the following practices are recommended: 
1. Treat all unexpected communications, especially those offering lucrative, effortless jobs, with scepticism. 
2. Unrealistically high payments for straightforward tasks should raise alarms. 
3. Be wary of job offers with ambiguous descriptions and responsibilities, particularly if money transfers are involved. 
4. Scammers often pressure customers into making swift decisions, such as hurriedly confirming their identity or claiming a reward. Customers must pause and assess such demands carefully. 
5. Be extremely cautious while using unconventional payment methods, such as gift cards or virtual currencies. 

 In October 2023, the Reserve Bank of India (RBI) tightened the customer due diligence (CDD) norms by instructing banks and regulated entities to adopt a risk-based approach for periodic updating of know-your-customer (KYC) data. According to the latest Master Directions, the risk-based approach for periodic updating of KYC has been amended to state: “Registered Entities (REs) shall adopt a risk-based approach for periodic updating of KYC, ensuring that the information or data collected under CDD is kept up-to-date and relevant, particularly where it is high-risk.” 

Furthermore, the Master Directions emphasize that instructions on opening accounts and monitoring transactions should be strictly adhered to, to minimize the operations of money mules. These mules are used to launder the proceeds of fraud schemes, such as phishing and identity theft, by criminals who gain illegal access to deposit accounts. 

Banks are required to undertake diligence measures and meticulous monitoring to identify accounts operated as money mules, take appropriate action, and report suspicious transactions to the Financial Intelligence Unit.

Major Ransomware Attack Targets Evolve Bank, Impacting Millions

The Arkansas-based financial services organization confirmed the incident on July 1, shortly after the ransomware gang published data on its website that it claimed to have stolen during the attack. According to the company, no payment was made in response to the ransom demand, and the stolen data was leaked online because the ransom went unpaid.

Additionally, the bank also reported that the attackers had exfiltrated personal information from some of the bank's customers, including their names, Social Security numbers, and the bank account numbers associated with their accounts, along with their contact information. One of the nation's largest financial institutions, Evolve Bank & Trust, has shared the news of a data breach posing a massive threat to all 7.64 million individuals impacted by the data breach. 

After a period of system outages started occurring at the Arkansas-based bank in late May, officials initially thought that a "hardware failure" had caused the outages, but an investigation revealed that the outages were caused by a cyberattack. It was confirmed by Evolve that hackers infiltrated the company's network as early as February. This could have had a significant impact on sensitive customer data. 

Understandably, the official notification letter filed with the Maine Attorney General avoids specific details, but the bank has acknowledged that it lost names, Social Security numbers, bank account numbers, and contact information. The financial institution informed the Maine Attorney General's Office on Monday that the personal information of 7,640,112 individuals was compromised in the attack and that it would provide them with 24 months of credit monitoring and identity protection.

Also on Monday, Evolve Bank started sending out written notifications to the impacted individuals, explaining that the ransomware attack occurred on May 29 and that the attackers had access to its network since at least February. Evolve did not specify what types of data had been compromised in the filing, but it previously said in a statement on its website that attackers accessed the names, Social Security numbers, bank account numbers, and contact information belonging to its personal banking customers, the personal data of Evolve employees and information belonging to customers of its financial technology partners. 

The list of partners includes Affirm, which recently assured customers that the Evolve breach "may have compromised some personal information and data" of its customers. Evolve's partner Mercury, which offers fintech solutions to businesses, said in a statement on X that the breach exposed "some account numbers, deposit balances, and business owner names as well as emails".

The money transfer company Wise (formerly TransferWise) confirmed last week that the confidentiality of some of its customers' personal information may have been affected. A statement by Evolve confirmed this week that the intrusion was the result of a ransomware attack carried out by the Russia-linked LockBit group. Although the group was disrupted earlier this year by a multi-government law enforcement operation, LockBit's administrator is still at large.

The bank identified the intrusion as a cyberattack when it discovered in May that hackers had accessed its systems. After Evolve refused to pay the ransom demand, LockBit released the compromised data on its dark web leak site, which has since been revived. The letter sent to customers states that between February and May 2024 attackers accessed and downloaded customer data from the bank's customer database and a file-sharing system.

RaaS groups, like this one, often deploy misinformation or disinformation campaigns alongside cyberattacks as part of their tactics to cause confusion and add maximum impact to their operations. As a result of the breach at Evolve, financial institutions can be reminded of the critical need for them to take robust cybersecurity measures to prevent data breaches in the future. 

Open banking platforms are growing in number, RaaS attacks are ever-present, and warnings about data security threats continue to mount. Institutions need to prioritize data security and implement strong access controls, encryption, and incident response protocols to ensure that their data is secure.

Chinese Expert Confirms Authenticity of Leaked F-35 and F-15 Documents

A Chinese information security expert has concluded that recently leaked documents concerning the F-35 fighter jet and other sensitive US weapons appear to be authentic. Ivan Ivanov, an alleged Russian pilot who posts under the handle Fighterbomber on the Telegram encrypted messaging service, claimed that an American company had provided him with 250 gigabytes of US military data.

Fighterbomber published the material on July 2 on a YouTube channel with more than 500,000 subscribers, and uploaded more leaked data to the channel a day later, on July 3. A few of the documents can still be downloaded from the uploaded folder. The intelligence community has historically gone to great lengths to obtain a potential adversary's military secrets.

In the early 1980s, the U.S. Central Intelligence Agency (CIA) spent several years attempting to acquire a Soviet T-72 main battle tank (MBT), while it reportedly paid $5,000 to the Afghan Mujahedeen for capturing the first AK-74 assault rifle. It has been reported that several documents have been leaked, including F-35 aircraft manuals and documents concerning the F-15, its modifications, weapons systems, and the Switchblade drone and precision-guided missiles. 

Tang said the documents are detailed and that their format resembles other US military information leaked on the web earlier this year. The documents are not strictly blueprints or design documents, and only professionals can truly assess their actual value. In response to the leaks, military enthusiasts have joked that they could now build a fighter jet in the garage if they had the right parts.

As the Chinese aviation blogger Makayev noted on his video channel, the leaked aircraft material falls into three distinct categories. First, there are flight manuals, maintenance manuals, and aircrew weapons delivery manuals for the F-15SA, the version of the aircraft sold to Saudi Arabia over a decade ago. The collection also contains two other kinds of manual: an engine maintenance manual for the F110 engine used in the F-15SA, and user manuals for precision-guided missiles.

According to Makayev, these texts are more likely to be simplified introductions to the design processes than detailed descriptions; they appear to be oriented toward maintenance personnel and are unlikely to offer insights that could benefit China's mature military aviation industry. Other commentators have pointed out that, given the Russian pilot's assertion that he has access to 250 gigabytes of data, additional manuals on aircraft maintenance and weapon design may still be released later, including some that could disclose the aircraft's weaknesses.

As Tang pointed out, there were several possibilities for the leaks, including a breach from a US defence firm or a third party pretending to be one of them. There were some parts of the F-35 documents that were partially redacted, which may indicate that they had already been declassified by that point. The official secrecy surrounding the older F-15 is lower, according to Tang, because it is regarded as a less valuable model. 

Tang stated that similar leaks were unlikely to occur in China, attributing this to the country's robust data security and confidentiality laws. According to Tang, the effectiveness of these policies, when properly implemented by security departments, would ensure that any potential breaches could be effectively contained. An anonymous expert from a Chinese military research institution emphasized that the institution regularly conducts data security training and evaluations. 

These measures were designed to ensure strict compliance with confidentiality obligations and to maintain the highest standards of data protection. Rising Information Technology, through a WeChat post, advised the public against downloading suspicious documents. The advisory warned that hackers might exploit popular events to disseminate viruses. It cautioned that downloading malicious documents could lead to devices being infected with ransomware or Trojan viruses, thus posing significant risks to users' data security.

Singapore Banks Phasing Out OTPs in Favor of Digital Tokens

Singapore began issuing one-time passwords (OTPs) to help users log into their bank accounts around two decades ago, but the city-state is now planning to ditch this method of authentication shortly. Over the next three months, major retail banks in Singapore are expected to phase out the use of OTPs for account login by customers who use digital tokens.

Customers with an activated digital token on their mobile device will need to use that token to sign in to their bank account, whether through a browser or through the mobile banking app. In a joint statement on Tuesday (Jul 9), the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) said that the digital token will authenticate customers' logins, so there will be no need for an OTP, which scammers can steal or trick victims into disclosing.

Customers who have not yet activated their digital tokens are strongly encouraged to do so, as this greatly reduces the chance of their credentials being stolen by unauthorized parties. According to MAS and ABS, major retail banks in Singapore will gradually phase out the use of OTPs for logging into bank accounts by customers who use digital tokens within the next three months.

By doing this, the banks hope to better protect their customers against phishing attacks - at the very least against scams in which scammers get their customers to divulge their OTPs. To secure bank accounts, MAS and ABS encourage the use of digital tokens - apps that run on smartphones and provide OTPs - as a source of second-factor authentication, as opposed to software programs that are installed on computers. 

This offers better protection against phishing scams, which have been among the top five scam types over the past year, with at least SGD 14.2 million lost to them, as outlined in the Singapore Police Force Annual Scams and Cybercrime Brief 2023, released in January of this year. Once customers activate their digital tokens on their mobile devices, they will have to use these tokens when logging in to their bank accounts through the browser or the mobile banking app.

With the token, scammers can no longer steal an OTP that customers might be tricked into revealing, nor the non-public personal information that customers would otherwise be asked to provide. To lower the chances of identity credentials being phished, MAS and ABS have urged customers who have not yet activated their digital token to do so. OTPs have been used since the early 2000s as a multi-factor authentication option to strengthen the security of online transactions.

Nevertheless, technological advancements and more sophisticated social engineering tactics have since made it easier for scammers to phish customers' OTPs, for example by setting up fake bank websites that closely resemble the real ones and asking for the OTP there. This latest step strengthens the authentication process, making it harder for scammers to fraudulently access customers' accounts and funds without explicit authorization from the customer's mobile device.

In their joint statement, MAS and ABS noted that OTPs were introduced in the 2000s to strengthen multi-factor authentication for online transactions, and warned that technological advances and increasingly sophisticated social engineering now make those OTPs a phishing target. Singapore Police Force figures put losses to phishing scams over the past year at no less than SGD 14.2 million. 

"This latest measure will strengthen authentication and make it harder for scammers to fraudulently access a customer's accounts and funds without the explicit authorization of the customer via their mobile device," they said. ABS Director Ong-Ang Ai Boon acknowledged that the measure may cause some inconvenience for some customers, but said it is essential to preventing scams and protecting customers in the long run. 

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have announced a joint effort to strengthen protections against digital banking scams: OTPs will be phased out for bank logins by customers who use digital tokens on their mobile devices, with the rollout expected over the next three months. Loo Siew Yee, MAS Assistant Managing Director (Policy, Payments & Financial Crime), said MAS remains committed to protecting consumers through decisive action against digital banking fraud. 

Removing OTPs is intended to reduce customers' exposure to phishing. Phishing has evolved alongside technology, and fraudsters now target OTPs effectively, most often through deceptive websites that closely mimic legitimate banking platforms. Ms Ong-Ang of ABS reiterated that the inconvenience is minor compared with the protection gained. 

Ms Loo of MAS added that good cyber hygiene remains important alongside the new measure: customers should stay vigilant and protect their banking credentials at all times. MAS and ABS jointly urge customers who have not yet activated their digital tokens to do so promptly. 

This reduces the exposure of their credentials to phishing attempts. Through this combination of measures, MAS and ABS aim to create a more secure digital banking environment for customers in Singapore.
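The two situations the article contrasts, as an added illustration that is not MAS/ABS's or any bank's actual protocol: a relayed TOTP code is accepted because nothing ties the code to where the customer typed it, while an approval that the customer's device computes over the bank's nonce plus the origin that asked for the login is rejected when that origin is a lookalike site. The TOTP routine follows RFC 6238; the device-token scheme, the origins and the keys are hypothetical, modelled on the origin binding used by FIDO/WebAuthn rather than on any specific bank app.

```python
import hmac
import hashlib
import secrets
import struct

# Hypothetical origins for the demonstration.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.login-verify.example"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: counter = floor(unix_time / step)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bank_verify_otp(secret: bytes, submitted: str, at: int) -> bool:
    """The bank only checks that the code matches the current time window."""
    return hmac.compare_digest(totp(secret, at), submitted)


def otp_relay_attack(secret: bytes, at: int) -> bool:
    """Victim reads the genuine code off their app and types it into the phishing page;
    the page forwards it to the real bank within the same 30 s window. Nothing in the
    code records where it was entered, so the bank accepts it. Returns True on success."""
    code_typed_into_phish = totp(secret, at)
    return bank_verify_otp(secret, code_typed_into_phish, at)


class DeviceToken:
    """Model of a phone-resident token that approves a login by MACing the bank's nonce
    together with the origin that presented the login prompt (hypothetical scheme)."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def approve(self, nonce: bytes, origin_seen: str) -> bytes:
        return hmac.new(self._key, nonce + origin_seen.encode(), hashlib.sha256).digest()


def bank_verify_token(device_key: bytes, nonce: bytes, approval: bytes) -> bool:
    """The bank recomputes over ITS OWN origin; an approval bound to another origin fails."""
    expected = hmac.new(device_key, nonce + BANK_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, approval)


def token_relay_attack(device_key: bytes) -> bool:
    """Phishing page relays the bank's nonce to the victim, whose device approves it for
    the lookalike origin it actually saw. Returns True only if the bank would accept it."""
    nonce = secrets.token_bytes(16)
    approval = DeviceToken(device_key).approve(nonce, PHISH_ORIGIN)
    return bank_verify_token(device_key, nonce, approval)


def legitimate_login(device_key: bytes) -> bool:
    """Same flow with the genuine origin: the approval verifies."""
    nonce = secrets.token_bytes(16)
    approval = DeviceToken(device_key).approve(nonce, BANK_ORIGIN)
    return bank_verify_token(device_key, nonce, approval)


if __name__ == "__main__":
    otp_seed, dev_key = secrets.token_bytes(20), secrets.token_bytes(32)
    print("relayed OTP accepted:", otp_relay_attack(otp_seed, 1_700_000_000))
    print("relayed device approval accepted:", token_relay_attack(dev_key))
    print("genuine device approval accepted:", legitimate_login(dev_key))
```

The point of the contrast is the verifier's side: an OTP is a bearer value, so the bank cannot tell a relayed code from a genuine one, whereas an approval that covers the requesting origin can only be produced for the site the customer is really looking at.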

Yemeni Hackers Unmasked Spying on Middle Eastern Military Phones

 


A Yemeni hacking group has been spying on the mobile phones of military personnel in the Middle East, the latest example of mobile surveillance spreading through conflicts around the world as mobile technology proliferates. According to new research from Lookout, a threat actor aligned with the Houthis, the Iran-backed Shia Islamist movement that seized Yemen's capital in 2014, has been using surveillance malware known as GuardZoo since 2019 to steal photos, documents and other files from the infected devices of military targets in several countries across the Middle East, Lookout researchers said in a report published Tuesday. 

Of the roughly 450 victims identified from the exposed command-and-control server logs, most were in Yemen, Saudi Arabia, Egypt and Oman, with smaller numbers in the United Arab Emirates, Turkey and Qatar. The Houthis took control of the capital, Sanaa, in 2014, setting off a civil war and a controversial Saudi-led intervention that have since produced famine, and human rights groups have documented arbitrary arrests, torture and enforced disappearances in the country. 

Lookout believes the campaign began as early as October 2019 and attributes it to a threat actor aligned with the Houthi militia on the basis of the application lures, the command-and-control server logs, the targeting and the location of the attack infrastructure. Lookout named the tool GuardZoo after a string in its source code that persists on infected devices. 

Beyond stealing photos and documents, the malware can collect data files related to marked locations, routes and tracks, and can report the device's location, model number, cellular carrier and Wi-Fi configuration. GuardZoo is a modified version of Dendroid RAT, an Android remote access trojan first documented by Symantec (now owned by Broadcom) in March 2014; Dendroid's full source code leaked in August 2014. 

Dendroid originally sold for a one-off price of $300, and its capabilities go well beyond what commodity malware offers: it can delete call logs, open web pages, record audio and calls, read SMS messages and even launch HTTP flood attacks. Lookout's researchers said the code base has since changed considerably, with new functionality added and unused functions removed. The command-and-control (C2) backend no longer uses the leaked Dendroid PHP web panel but a custom-built ASP.NET backend. 

The Houthi movement gained international prominence in 2014 when its military campaign toppled the then government and set off the humanitarian crisis that followed. Backed by Iran, the group has fought a Saudi-backed military coalition for years. More recently it has carried out a series of attacks on international shipping in the Red Sea in response to Israel's military operation in Gaza, putting a strain on global trade routes. 

The Houthis have increasingly turned to cyber capabilities in recent years. Last year, Recorded Future researchers observed hackers with likely ties to the Houthis running digital espionage campaigns that used WhatsApp to deliver malicious lures to targeted individuals. Lookout's report on Tuesday found that the GuardZoo campaign likewise relied not only on direct browser downloads but also on WhatsApp to infect targets. Alemdar Islamoglu, a senior security researcher at Lookout, noted that the group, which Lookout had not previously observed, showed a particular interest in maps that could reveal the locations of military assets. 

Most lures used military themes, including emblems of the Yemen Armed Forces and the Command and Staff College of the Saudi Armed Forces, but Lookout also found religious and other motifs, such as a prayer app, among the malicious applications. Separately, Recorded Future published a report on Tuesday on a group likely affiliated with pro-Houthi activity that it calls OilAlpha, which continues to target humanitarian organizations operating in Yemen, including CARE International and the Norwegian Refugee Council. 

Recorded Future's Insikt Group documented that OilAlpha is targeting humanitarian and human rights organizations in Yemen with malicious Android applications, apparently to steal credentials and gather intelligence, potentially in order to influence how aid is distributed. Insikt first detected this activity in May, with CARE International and the Norwegian Refugee Council among the organizations affected.

Robot 'Suicide' in South Korea Raises Questions About AI Workload

 


A robot employed by Gumi City Council in South Korea was found unresponsive at the bottom of a two-metre staircase, in what some in the country have called the nation's first robot "suicide". According to a Daily Mail report, the incident occurred on the afternoon of June 20 at around 4 pm. City council officials collected the shattered robot for analysis and contacted its manufacturer, Bear Robotics, a California-based company, which is examining it. 

The reason for the robot's erratic behaviour remains unknown. Nicknamed "Robot Supervisor", it was found in a heap at the bottom of a stairwell between the first and second floors of the council building, out of view. Witnesses described it behaving strangely, "circling in a certain area as if there was something there", before it fell. The robot had taken up its role in August 2023 and was one of the first in the city assigned such a job. 

According to Bear Robotics, a California-based startup that develops robot waiters, the robot worked from 9 am to 6 pm daily, and it carried a civil service card confirming its employment status. Unlike other robots, the Gumi City Council robot could call an elevator and move independently between floors. 

According to the International Federation of Robotics (IFR), South Korea has the highest robot density of any country in the world, with one industrial robot for every ten workers. Gumi City Council has nevertheless announced that, in light of the incident and pending more information, it will not adopt a second robot officer for the time being. 

In the aftermath, a debate has broken out in South Korea over how much work robots should be expected to do. Social media users have seized on what has been reported as a robot's suicidal act to discuss the pressures humans face at work, and the robot's own workload has come under scrutiny. 

Employed since August 2023, the "Robot Supervisor" handled a wide range of tasks, from delivering documents to assisting residents. The unexpected event has prompted discussion about the workload placed on the machine and the demands made of it. The robot, developed by California-based Bear Robotics, was part of South Korea's aggressive push to automate society. 

Although robots are common in industrial settings in the country, the incident has raised concern about extending them beyond factories and restaurants into wider social roles, at a time when a growing number of companies are investing in robots for positions outside traditional workplaces. The robot's apparent act of self-destruction has triggered reflection and contentious debate about the ethical and operational implications of using robots for tasks traditionally done by humans. 

Some see the incident as the result of excessive workload imposed on the machine, and it has prompted discussion of the boundaries and responsibilities that come with integrating advanced technologies into daily life. After consideration, Gumi City Council has suspended plans to expand its use of robots. Coming from a municipality known for embracing technological innovation, the decision marks a moment of reflection and reevaluation. 

It marks a pivotal point in the ongoing dialogue about automation and the deployment of artificial intelligence (AI) in society. The incident has prompted substantive discussion about the future relationship between robots and humans, and stakeholders are now confronting the broader implications of technological integration, with attention to its ethical, societal and practical dimensions. The aftermath is a reminder of the need for vigilance and discernment in harnessing AI and robotics for the benefit of society.

Twilio Alerts Authy Users of Potential Security Risks Involving Phone Numbers

 


U.S. messaging giant Twilio has confirmed that a hacker obtained 33 million phone numbers belonging to users of Authy, its popular two-factor authentication app, which uses phone numbers to identify accounts. Twilio told TechCrunch that "threat actors" were able to identify the phone numbers of Authy users. Last week a hacker or hacking group known as ShinyHunters posted on a well-known hacking forum claiming to have breached Twilio and obtained the cell phone numbers of 33 million Authy users. 

Twilio spokesperson Ramirez told TechCrunch that the company had detected that threat actors were able to identify phone numbers associated with Authy accounts through an unauthenticated endpoint, although how that endpoint came to be exposed has not been explained. TechCrunch reported earlier this week that someone had obtained phone numbers related to Authy, Twilio's two-factor authentication (2FA) service. 

In an alert on Monday, Twilio warned that the stolen phone numbers could be used in phishing attacks and other scams by "threat actors" seeking to steal personal information. This is not Twilio's first breach: in 2022 a phishing campaign tricked employees into handing over their login credentials, giving attackers access to the company's network, to 163 Twilio accounts and to 93 Authy accounts, in which the attackers registered additional devices. Twilio has traced the latest leak to an "unauthenticated endpoint" that it says has since been secured. 

Last week the dark web was abuzz with the release of 33 million phone numbers tied to Authy accounts, published by the threat actor ShinyHunters. As BleepingComputer pointed out, the attacker appears to have obtained the data by feeding a massive list of phone numbers into an unsecured API endpoint of the app, which would then indicate whether each number was tied to an Authy account. 

The data was compiled by submitting an enormous number of phone numbers to the unsecured endpoint; for each valid number, the endpoint returned information about the associated Authy account. Now that the API has been secured, it can no longer be misused to check whether a phone number is registered with Authy.

Threat actors have used the same technique before, exploiting insecure Twitter and Facebook APIs to compile profiles of tens of millions of users that combined public and private information. Although the Authy scrape contained only phone numbers, such data is still valuable to criminals conducting smishing and SIM-swapping attacks against those users' accounts. 

The leaked CSV file contains 33,420,546 rows, each with an account ID, phone number, an "over_the_top" column, the account status and the number of registered devices. Twilio has acknowledged the incident on Authy's blog and confirmed a data breach affecting users of its Authy two-factor authentication app. 
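The enumeration technique described above, as an added example that is not Authy's code or a reconstruction of its API: a lookup endpoint that answers unauthenticated callers and answers differently for registered and unregistered numbers is an oracle, so an attacker can walk a number range and keep the hits. The hardened variant requires a token bound to the number being queried, returns one uniform response to anyone without it, and throttles each client. The registry, phone numbers, account IDs and the token scheme are all constructed for the example.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict
from typing import Optional

# Constructed account store; the fields mirror the columns the leaked CSV was reported
# to carry (account id, status, device count). None of these numbers is real.
REGISTRY = {
    "+15550000001": {"account_id": 1001, "status": "active", "devices": 2},
    "+15550000007": {"account_id": 1007, "status": "active", "devices": 1},
    "+15550000042": {"account_id": 1042, "status": "suspended", "devices": 3},
}


def vulnerable_lookup(phone: str) -> dict:
    """No authentication, and the response differs for registered vs. unknown numbers.
    That difference is exactly the oracle an enumeration attack needs."""
    rec = REGISTRY.get(phone)
    if rec is None:
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": dict(rec, phone=phone)}


def enumerate_numbers(lookup, candidates) -> list:
    """Attacker loop: submit a block of candidate numbers, keep the ones that return data."""
    found = []
    for phone in candidates:
        resp = lookup(phone)
        if resp["status"] == 200 and "account_id" in resp["body"]:
            found.append(resp["body"])
    return found


# Hardened variant (hypothetical design): the caller must present a token bound to the
# number being queried, unauthenticated callers see one uniform response regardless of
# whether the number exists, and each client is throttled.
SERVER_KEY = secrets.token_bytes(32)       # constructed server-side secret
RATE_LIMIT = 5                             # requests per client per window
_requests_seen = defaultdict(int)


def issue_token(phone: str) -> str:
    """Server hands this out only after the user has proved control of the number."""
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def hardened_lookup(phone: str, token: Optional[str] = None, client: str = "anon") -> dict:
    _requests_seen[client] += 1
    if _requests_seen[client] > RATE_LIMIT:
        return {"status": 429, "body": {}}
    if token is None or not hmac.compare_digest(issue_token(phone), token):
        return {"status": 401, "body": {}}     # same shape whether or not the phone exists
    rec = REGISTRY.get(phone, {})
    return {"status": 200, "body": dict(rec, phone=phone)}


if __name__ == "__main__":
    block = [f"+1555000{n:04d}" for n in range(50)]   # constructed number range
    print("vulnerable endpoint leaked:", len(enumerate_numbers(vulnerable_lookup, block)))
    print("hardened endpoint leaked:", len(enumerate_numbers(hardened_lookup, block)))
```

Rate limiting alone is not a fix, since an attacker can spread requests across many clients; the part that removes the oracle is that an unauthenticated request gets the same 401 whether or not the number is registered.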

While the company suffered two separate cyberattacks in 2022, it emphasized that this incident is unrelated to those breaches. Twilio is urging all Authy users to be extremely cautious with unsolicited text messages that appear to come from the company. According to Sean Wright, Head of Application Security at Featurespace, the primary threat from this incident is targeted phishing: exposure of users' phone numbers significantly increases the risk of such attacks. 

Wright said direct access to users' Authy accounts remains unlikely unless attackers can also obtain the seeds for the multi-factor authentication (MFA) tokens stored within the app. Even so, he stressed the importance of remaining vigilant: users should be particularly wary of messages from unknown senders, especially those that convey urgency or threaten financial loss if no action is taken. 

To enhance security, Wright suggests that users consider switching to an alternative MFA application or opting for more secure hardware keys, such as the Yubico YubiKey. Additionally, if any user experiences difficulty accessing their Authy account, Twilio advises immediate contact with Authy support for assistance. Furthermore, Twilio recommends that users update their Authy app on iOS and Android platforms to address potential security vulnerabilities. 

Keeping the application up-to-date is critical in safeguarding against future threats and ensuring the highest level of protection for user accounts. This proactive approach will help mitigate the risks associated with the recent breach and reinforce the security of the authentication process for all Authy users.

Exploring Fake-Bat Loaders: Distribution Tactics and Cybercrime Networks

 


The first half of 2024 saw a significant increase in threats distributed through drive-by downloads, among them the FakeBat loader (formerly EugenLoader or PaykLoader). Over the past few years cybercriminals have leaned increasingly on this method to infect unsuspecting users while they browse the web. 

A drive-by download relies on tricks such as SEO poisoning, malvertising and malicious code injected into compromised websites to push a download on the victim. Users are tricked into downloading fake software or fake updates and unwittingly install malware such as loaders (FakeBat, BatLoader) or botnets (IcedID, PikaBot). 

The technique generally involves poisoning search engine results, running malicious ads and injecting code into compromised websites to trick users into downloading fake software installers or browser updates. Multiple intrusion sets use drive-by downloads to distribute loaders (FakeBat, BatLoader), botnets (IcedID, PikaBot), information stealers (Vidar, Lumma, Redline), post-exploitation frameworks (Cobalt Strike, Sliver) and remote administration tools (NetSupport), among many others.

Some of these attacks have been run by Initial Access Brokers (IABs) and led to ransomware deployments (BlackCat, Royal) in several networks. In the first half of 2024, FakeBat (also known as EugenLoader or PaykLoader) was one of the most widespread drive-by-download loaders. It is designed to download and execute next-stage payloads such as IcedID, Lumma, Redline, SmokeLoader, SectopRAT and Ursnif. Sekoia's Threat Detection & Research (TDR) team discovered numerous campaigns distributing FakeBat in 2024 in the course of its ongoing research. 

These campaigns commonly use malvertising with landing pages that impersonate legitimate software, fake web browser updates on compromised websites, and social engineering schemes on social networks. The TDR team monitored the FakeBat C2 infrastructure to track the addition of new C2 servers and changes in FakeBat's operations. Sekoia's FLINT report sets out the activities of the FakeBat operators on cybercrime forums, analyzes campaigns that distributed FakeBat in previously undocumented ways, gives technical details of its distribution campaigns and describes the related C2 infrastructure. 

The TDR analysts also share indicators of compromise (IoCs), YARA rules and heuristics for detecting and tracking FakeBat distribution and C2 infrastructure. On the Exploit forum, the threat actor Eugenfest (aka Payk_34) has been selling FakeBat as a Loader-as-a-Service since at least December 2022. The seller's advertisement describes FakeBat as loader malware packaged in MSI format with "several anti-detection features, such as bypassing Google's Unwanted Software Policy and Windows Defender's alerts and being protected from VirusTotal detection". 

The FakeBat Malware-as-a-Service (MaaS) thus provides its customers with tools to Trojanize legitimate software so that victims unwittingly execute the malicious code. Its administration panel records details of infected hosts, including IP addresses, geographic locations, operating systems, web browsers, the software being impersonated and installation status. 

Clients can also append comments to each bot entry for easier management. In September 2023 the FakeBat operators expanded with an aggressive advertising campaign across cybercrime forums and Telegram channels, introducing MSIX as a new format for malware builds. To get past Microsoft SmartScreen, they also began signing the FakeBat installer with a legitimate certificate; the signature is standard for the MSIX format and optional for MSI builds, lending the malware an appearance of legitimacy and helping it evade detection. 

FakeBat has kept its leading position in 2024 through a variety of distribution methods, including sites masquerading as legitimate software and malicious code injected into compromised web domains. Sekoia has identified several domains associated with FakeBat's command-and-control (C2) infrastructure, such as 0212top[.]online, 3010cars[.]top and 756-ads-info[.]site, frequently registered under obscured or misleading ownership details. The malware also spreads through fake software update campaigns. 

Sekoia's investigations found FakeBat posing as updates for popular applications such as AnyDesk and Google Chrome, leading users to download malware under the guise of legitimate updates. Its drive-by download campaigns are effective at getting past defenses and onto victims' systems. FakeBat's wide range of distribution strategies and continual evolution make it one of the most prominent loaders in the current cybercrime landscape and a persistent challenge for defenders.
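A first-pass check a defender could apply to MSIX installers of the kind described above, as an added example that is not Sekoia's detection rules or FakeBat's code: an MSIX is a ZIP archive whose AppxManifest.xml declares an Identity element, and Windows requires its Publisher attribute to match the subject of the signing certificate, so a package whose name suggests a well-known product but whose publisher is an unrelated entity deserves a second look. The product/publisher allowlist, the package names and the publisher strings are constructed for the example; a real deployment would curate the allowlist from the vendors' actual certificates.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed allowlist: product keyword -> substrings expected in the legitimate Publisher DN.
EXPECTED_PUBLISHERS = {
    "anydesk": ["AnyDesk Software GmbH"],
    "chrome": ["Google LLC"],
}

# Namespace of the MSIX/APPX foundation manifest schema.
MANIFEST_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"


def read_identity(msix_bytes: bytes) -> dict:
    """Return the Identity attributes (Name, Publisher, Version) from AppxManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as zf:
        root = ET.fromstring(zf.read("AppxManifest.xml"))
    ident = root.find(f"{MANIFEST_NS}Identity")
    if ident is None:
        raise ValueError("AppxManifest.xml has no Identity element")
    return dict(ident.attrib)


def suspicious_impersonation(identity: dict) -> list:
    """Flag a package whose Name mimics a known product while its Publisher DN does not
    contain any of the strings expected for that product's real vendor."""
    findings = []
    name = identity.get("Name", "").lower()
    publisher = identity.get("Publisher", "")
    for keyword, allowed in EXPECTED_PUBLISHERS.items():
        if keyword in name and not any(a in publisher for a in allowed):
            findings.append(
                f"Name '{identity.get('Name')}' suggests {keyword} but Publisher is '{publisher}'"
            )
    return findings


def scan(msix_bytes: bytes) -> list:
    """Convenience wrapper: parse the manifest and return impersonation findings."""
    return suspicious_impersonation(read_identity(msix_bytes))


def build_msix(name: str, publisher: str) -> bytes:
    """Constructed minimal MSIX-like archive for the demonstration (unsigned, not installable)."""
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="{name}" Publisher="{publisher}" Version="1.0.0.0" />
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a lookalike "AnyDesk" update signed by an unrelated publisher,
    # and a package whose publisher matches the vendor the name implies.
    fake = build_msix("AnyDeskUpdate", "CN=Contoso Trading Ltd, O=Contoso Trading Ltd, C=GB")
    legit = build_msix("AnyDesk", "CN=AnyDesk Software GmbH, O=AnyDesk Software GmbH, C=DE")
    for label, pkg in (("lookalike", fake), ("matching publisher", legit)):
        print(label, "->", scan(pkg) or "no findings")
```

This is a triage heuristic, not a verdict: it does not validate the signature itself, and an attacker who buys a certificate in a name close to the vendor's would need a stricter comparison (exact DN match, or thumbprint pinning) to catch.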

CDK Cyberattack Traced to BlackSuit Hackers: U.S. Auto Industry Under Siege

 


Cybercriminals have disrupted operations at auto dealerships across the U.S. by breaking into the back end of a key software supplier, the latest in a wide-ranging series of attacks that reach large companies through the vendors they depend on. Dealers use the affected software to process sales and other operations, such as purchase orders. Local media reports indicate that many dealers have reverted to processing transactions manually since the hack last week. 

CDK Global, which supplies software to roughly 15,000 car dealerships in North America, said it expected its dealer customers to be back up and running by late Wednesday evening or early Thursday morning. Two cyberattacks on CDK's software forced the company to take its systems down for days, delaying service scheduling, repairs, parts deliveries and car purchases at dealerships in both the United States and Canada. 

On June 24 the Illinois-based company told customers that the disruption could last until the end of the month. Dealerships around the country have been in chaos since CDK discovered the breach and shut down its systems on June 19. CDK's core product is a dealership management system, a suite of software tools that underpins almost every aspect of a dealership's day-to-day operations. 

The shutdown hit an industry that recorded $1.2 trillion in U.S. sales last year and disrupted necessary repairs, and sales are also expected to suffer just before the end of the quarter. Little is known about the group behind the attack, which appears to have emerged in May 2023. Analysts believe it is a relatively new cybercrime team that spun off from Royal (also known as RoyalLocker), an older, well-established ransomware group with Russian ties. 

Royal, itself an offshoot of the Conti gang, was a formidable ransomware operation that mostly targeted American companies and showed more sophistication than other prolific groups. Analysts ranked Royal third among the most persistent ransomware groups, behind LockBit and ALPHV. BlackSuit has not been nearly as prolific: Kimberly Goody, head of cybersecurity analysis at Mandiant Intelligence, said the number of victims listed on its leak site suggests it does not have as many hacking partners as the larger ransomware gangs. 

Allan Liska, a threat analyst at Recorded Future Inc., believes the cyberattack on CDK Global that has paralyzed car sales across the U.S. was carried out by the BlackSuit ransomware group. Bloomberg News previously reported that the gang demanded tens of millions of dollars in ransom to end the disruption and that CDK intended to pay. Decades of consolidation have left only a small number of companies providing dealership management systems to auto sellers. 

The attack on U.S. car dealerships through CDK's systems underscores the growing exposure of thousands of retail outlets that rely on CDK for essential operations such as financing, insurance management, vehicle and parts inventory, and sales and repair processes. According to a 2023 CDK report, cybercriminal activity targeting car dealerships is on the rise: 17% of 175 surveyed dealers reported incidents within the past year, up from 15% the year before, and 46% of those affected cited significant financial or operational setbacks. 

Dealerships have become prime targets due to the substantial volumes of sensitive customer data they store. From credit applications to financial records, these establishments possess a wealth of valuable information coveted by hackers, as highlighted in a 2023 article by Zurich North America. The group known as BlackSuit has emerged as a prominent threat, employing tactics such as "double extortion," where stolen data is used to coerce victims into paying a ransom. 

According to Mandiant's findings, BlackSuit operates an infrastructure supporting affiliated cybercriminal groups, aiding extortion activities, and exerting pressure on victims through various means, including website disruptions. As the frequency and sophistication of cyber threats continue to escalate, the vulnerability of car dealerships to such attacks underscores the urgent need for enhanced cybersecurity measures across the automotive industry. Efforts to safeguard sensitive customer information and maintain operational continuity are paramount in mitigating the impact of cyber incidents on these critical businesses.

Microsoft Announces New Deadlines for Windows Updates

 


A July 4 deadline is approaching for Windows users who have not yet updated their systems. Two weeks ago, a Windows vulnerability patched in March 2024, CVE-2024-26169, an elevation-of-privilege flaw in the Windows Error Reporting Service, came back into focus: Microsoft's advisory does not list it as exploited, but Symantec's security researchers found "some evidence" that attackers had prepared an exploit for CVE-2024-26169 before the patch was released. 

As of last month, several U.S. government agencies – including CISA and the FBI – have collaborated on a Cybersecurity Alert which warns that “Black Basta affiliates have compromised a wide range of critical infrastructure, businesses, and industries throughout North America, Europe and Australia.” There are over 500 organizations in the world that have been affected by Black Basta affiliates in the year 2024. 

Several organizations, referred to hereafter as the authoring organizations, have released the joint CSA to provide information regarding the Black Basta attacks: the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). A ransomware variant known as Black Basta has encrypted and stolen data from at least 12 of the 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector.

The FBI has conducted investigations into Black Basta, and third parties have reported on its TTPs and IOCs. Black Basta is a ransomware-as-a-service (RaaS) variant that was first detected in April 2022. By May 2024, Black Basta ransomware is believed to have affected more than 500 organizations globally, spanning a wide range of businesses and critical infrastructure in North America, Europe, and Australia.

Black Basta is a Russian-linked ransomware that originated in early 2022. It has been used to attack over 329 organizations around the world and has grown to become the fourth most active ransomware strain by number of victims. The group uses double-extortion tactics, threatening to publish stolen data unless the victim pays a ransom. Several researchers have suggested that Black Basta may have originated as part of the Conti Group, a ransomware gang that had been in operation for some time.

The leak of Conti's online chats revealed that the group had ties to the Russian government and that it supported the invasion of Ukraine. The group ceased operations in May 2022, but its leaked chats exposed this information. Black Basta affiliates gain initial access through common methods such as phishing emails and the exploitation of known vulnerabilities, then apply a double extortion technique, encrypting systems and stealing data. Ransom notes come in two types: those that include instructions on how to pay and those that do not.

Instead, the ransomware group gives victims a one-time-use private code and instructs them to contact the group via a website that is only accessible through the Tor browser, at a URL with a .onion extension. According to the majority of ransom notes, victims are usually given between 10 and 12 days before their data is published on the Basta News website, which the Black Basta ransomware group runs. Black Basta attacks businesses across a range of industries, including construction (10% of victims), the legal sector (4%) and real estate (3%). Black Basta's victimology is very similar to that of the Conti ransomware group.

Both groups share an appetite for many of the same industries. Among Black Basta's victims, 61% are organizations based in the United States, followed by 15% in Germany. High-profile victims of Black Basta include Capita, a software services company with billions of dollars' worth of UK government contracts, and ABB, a company with more than US$29 billion in revenue. Whether either company paid a ransom has not been made public.

The healthcare industry is an attractive target for cybercriminals because of the size of its organizations, their dependence on technology, their access to medical information and the unique impact of disruptions to patient care. Black Basta affiliates gain access to a system through several methods, including phishing emails and exploiting known vulnerabilities, and then use double extortion techniques, encrypting systems as well as stealing data. Ransom notes fall into two types: those that provide instructions on how to pay the ransom, and those that do not.

Rather than encrypting the victims' files outright, the group gives victims an individual one-use private code and instructs them to contact the group via a website accessible only through the Tor browser, one whose URL carries a .onion extension. According to ransom notes released by the Black Basta group, victims are usually allowed a grace period of 10 to 12 days before their data is exposed on Basta News, a website that publishes data from the victims.

Black Basta commonly attacks businesses across a wide range of industries, with 10 per cent of victims coming from the construction industry, 4 per cent from the legal sector, and 3 per cent from real estate. The Black Basta ransomware group, whose victimology is very similar to that of the Conti ransomware group, has been seen distributing a similar type of ransomware, and the two groups show a clear affinity for several of the same industries.

Of Black Basta's victims, 61% are American and 16% are German, and the vast majority belong to organizations based in the United States and Europe. Black Basta has claimed several high-profile victims, including Capita, a software company with billions of dollars' worth of contracts with the British government, and ABB, a company with one of the world's largest revenue bases, in the US$29 billion range. Neither company has disclosed whether a ransom was paid.

The healthcare industry represents an appealing target for cybercriminals due to several critical factors. Firstly, the sheer size and scale of healthcare organizations make them lucrative targets. Additionally, their substantial reliance on advanced technology heightens vulnerability to cyberattacks. Furthermore, these organizations possess extensive repositories of sensitive medical information, making them particularly attractive to malicious actors. The potential disruptions to patient care resulting from cyber incidents also underscore the unique and profound impact of such breaches within the healthcare sector.

Kimsuky Unleashes TRANSLATEXT Malware on South Korean Academic Institutions

An investigation has found that a North Korea-linked threat actor known as Kimsuky has been using a malicious Google Chrome extension to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, emphasizing its ability to gather email addresses, usernames, passwords, cookies, and screenshots.

This campaign is said to have targeted South Korean academia, specifically those focused on North Korean politics. Kimsuky is a notorious North Korean hacker group that has been active since 2012, perpetrating cyber espionage and financially motivated attacks against South Korean organizations. The PowerShell script retrieved from the remote server uploads general information about the victim and creates a Windows shortcut that retrieves another PowerShell script from the remote server. TRANSLATEXT's exact delivery method remains unclear, which makes it even more difficult for defenders to protect themselves from it.

Despite this, Kimsuky is well known for using sophisticated spear-phishing and social engineering attacks to trick the target into initiating the infection process. The attack begins with a ZIP archive that appears to be connected to Korean military history and contains two files: a Hangul Word Processor document and an executable file. Once the executable file is launched, it retrieves a PowerShell script from the attacker's server. In addition to exporting the victim's information to a GitHub repository, this script also downloads additional PowerShell code via a Windows shortcut (LNK) file and executes it.

This multi-stage attack process shows that Kimsuky runs an extremely sophisticated and well-planned operation. By using a familiar and seemingly legitimate document, the attackers reduce the chance that targets become suspicious. Using GitHub for the initial data export blends malicious activity into regular internet traffic, making it much harder for traditional security systems to find and block malicious actions. A few other groups are also associated with the Lazarus cluster or are part of the Reconnaissance General Bureau (RGB).

For instance, APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima are groups that are affiliated with the Lazarus cluster. There have been several incidents in the last few weeks in which the group has weaponized a vulnerability in Microsoft Office (CVE-2017-11882), distributed a keylogger, and used job-themed lures in attacks aiming at the aerospace and defence industries to drop an espionage tool that gathers data and executes secondary payloads. "The backdoor is unknown to the public and the attacker can conduct basic reconnaissance, drop additional payloads, and then take over or remotely control the computer." 

CyberArmor, which has named this campaign Niki, said. Kimsuky is not a new player. Active since at least 2012, the group has developed a reputation as a notorious actor for orchestrating cyber-espionage and financially motivated attacks, primarily against South Korean institutions. The group has reportedly stolen classified information, committed financial fraud, and carried out ransomware attacks. Over the years, its adaptability and persistence have made it one of the most formidable cyber threat actors associated with North Korea.

Kimsuky's ability to blend cyber espionage with financially motivated operations indicates a versatile approach to achieving the North Korean regime's objectives, whether that means gathering intelligence or generating revenue to support it. The exact initial access mechanism for the newly discovered activity is not yet clear, although the group is known for using spear-phishing and social engineering attacks to launch the infection cycle.

The attack is believed to have begun with the delivery of a ZIP archive purporting to contain material on Korean military history, which holds two files: a Hangul word processor document and an executable. As soon as the executable is launched, it retrieves a PowerShell script from a server controlled by the attacker; that script downloads additional PowerShell code with the aid of a Windows shortcut (LNK) file and creates a GitHub repository to which the compromised victim's information is periodically uploaded.

After the GitHub repository has been created, the attacker deletes the LNK file in question. Regardless of how the extension is currently distributed, Zscaler, the security company that found it, said it identified a GitHub account, created on February 13, 2024, that briefly hosted the TRANSLATEXT extension under the name "GoogleTranslate.crx". TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver; siphon email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data. It is also designed to fetch commands from a Blogger Blogspot URL, to take screenshots of newly opened tabs, and to delete all cookies from the browser, among other actions.

Major Data Breach at CUHK Affects Over 20,000 Students and Staff

Over 20,000 individuals from the Chinese University of Hong Kong (CUHK) were affected by a data breach at one of the institution's schools that resulted in their personal information being stolen. This is just the latest in a string of data breaches in the city. According to a statement released by the School of Continuing and Professional Studies (CUSCS) on Thursday, the server of an online learning system that the school uses was hacked on June 3.

The breach involved 20,870 Moodle accounts, including those of employees, part-time tutors, students, graduates and some visitors, containing names, email addresses and student numbers. After three unsuccessful login attempts, the college said it had deactivated the related account, reset its password, moved the online learning platform off the affected server, and strengthened security measures.

Although the attack exposed names and email addresses, an investigation by cybersecurity professionals found that the information had not been leaked to any public websites or dark web sites. The incident has been reported to the police and to the Office of the Privacy Commissioner for Personal Data (PCPD), the city's privacy watchdog. The PCPD received a report from CUHK on Wednesday and a complaint regarding the data breach on Thursday.

Moodle is an open-source learning management system that allows teachers, administrators, and students to create individualized learning environments for online projects in schools, colleges and workplaces. The PCPD said it received a report and a complaint regarding the data breach on Thursday. A custom website hosting an online course can be created with Moodle, and community-sourced plugins can be added to it.

The college has established a crisis management team, comprising the dean, deputy dean, director of information technology services, director of administration, and director of communications and public relations, to assess the risks that may arise. CUSCS said the incident has also been reported to CUHK. The college hired a security consultant, who conducted an immediate investigation and found that no large amounts of data had been exposed and that the relevant information was not found on the dark web.

In line with established procedures, the university has also notified the police and the Office of the Privacy Commissioner for Personal Data (PCPD) of the incident. The PCPD received a complaint regarding the incident on Thursday, the police announced. CUSCS stated that the leak compromised 22,873 Moodle accounts of tutors, students, graduates, and visitors, including their names, emails, and student numbers. This recent breach of a server at one of the institution's schools resulted in a massive theft of personal information.

The breached information was found to be readily available on the dark web forum BreachForums, despite statements from university management that they were unaware of any leaks on public platforms. The post was made by a Threat Actor (TA) using the alias "Valerie," who claimed to be a hacker willing to sell the data to a buyer. "Approximately 75 per cent of the stolen information was sold to a private party, and the breach was financed in this way by the private party," the TA stated. The rest of the data was not shared. "Following multiple offers, it was decided to take the initiative and make a public sale."

This is the third educational institute in Hong Kong to be struck by a cyber attack this year. The Hong Kong Institute of Contemporary Culture, Lee Shau Kee School of Creativity, was reportedly hit by a ransomware attack in May, when data belonging to more than 600 students and faculty members was compromised.

In April, Union Hospital, a private medical facility, experienced a ransomware attack that compromised its servers and reportedly resulted in operational paralysis. Similarly, in February, the Hong Kong College of Technology faced a ransomware attack, leading to a data breach affecting approximately 8,100 students.