Terminator Antivirus Killer: Vulnerable Windows Driver Masquerading as Threat


Spyboy, a threat actor, has been actively advertising the "Terminator" tool on a hacking forum predominantly used by Russian speakers. The tool supposedly possesses the ability to disable various antivirus, XDR, and EDR platforms. However, CrowdStrike has dismissed these claims, stating that the tool is merely an advanced version of the Bring Your Own Vulnerable Driver (BYOVD) attack technique. 

According to reports, Terminator allegedly has the capacity to evade 24 distinct antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) solutions, including well-known products such as Windows Defender, on devices running Windows 7 and later.

Spyboy, a seller specializing in software, offers a range of products designed to bypass security measures. Their software is available at various price points, starting at $300 for a single bypass and going up to $3,000 for a comprehensive all-in-one bypass solution.

"The following EDRs cannot be sold alone: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance," the threat actor says, with a disclaimer that "Ransomware and lockers are not allowed and I'm not responsible for such actions."

To utilize Terminator, the "clients" need administrative privileges on the targeted Windows systems and must deceive the user into accepting a User Account Control (UAC) prompt when executing the tool.

However, according to a CrowdStrike engineer's Reddit post, Terminator employs a technique where it places the legitimate and signed Zemana anti-malware kernel driver, known as zamguard64.sys or zam64.sys, into the C:\Windows\System32\ folder with a randomly generated name consisting of 4 to 10 characters.

Once the driver is written to disk, Terminator loads it and abuses its kernel-level privileges to terminate the user-mode processes of antivirus (AV) and endpoint detection and response (EDR) software running on the targeted device.

The exact method by which the Terminator program interacts with the driver remains unclear. However, a proof-of-concept (PoC) exploit was made available in 2021, which exploits vulnerabilities in the driver to execute commands with Windows Kernel privileges. This capability could be utilized to terminate security software processes that are typically safeguarded.

According to a VirusTotal scan, currently only one anti-malware scanning engine detects the driver as vulnerable. To assist defenders in identifying the vulnerable driver used by the Terminator tool, Florian Roth, head of research at Nextron Systems, and threat researcher Nasreddine Bencherchali have shared YARA and Sigma rules.
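A detection heuristic in the spirit of those rules, written here as an added example (it is not the rules Roth and Bencherchali published, nor code from the original post): it flags a driver-load record whose version-resource original filename is zam64.sys or zamguard64.sys but whose on-disk name differs, or a Zemana-signed driver dropped directly into System32 under a short random name. The key=value log format, the field names and the signer string are assumptions; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Driver names the article gives for the signed Zemana anti-malware driver.
ZEMANA_DRIVER_NAMES = {"zamguard64.sys", "zam64.sys"}
# Assumed signer substring; the real certificate subject is not quoted on the page.
ZEMANA_SIGNER_HINT = "zemana"
# Terminator drops the driver directly into C:\Windows\System32\ (not the
# drivers\ subfolder) with a random 4-10 character name.
DROP_DIR = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
SHORT_RANDOM_NAME = re.compile(r"^[a-z0-9]{4,10}\.sys$", re.IGNORECASE)
# key=value or key="quoted value" pairs in our assumed log format.
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class DriverLoad:
    image_path: str
    signer: str
    original_filename: str  # from the PE version resource (assumed field)

    @property
    def basename(self) -> str:
        return self.image_path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[DriverLoad]:
    """Parse one constructed 'DriverLoad key=value ...' line; other events give None."""
    if not line.startswith("DriverLoad "):
        return None
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in KV.finditer(line)}
    try:
        return DriverLoad(fields["ImageLoaded"], fields["Signer"],
                          fields["OriginalFileName"].lower())
    except KeyError:
        return None


def assess(ev: DriverLoad) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for a single driver-load record."""
    findings: List[Tuple[str, str]] = []
    if ev.original_filename in ZEMANA_DRIVER_NAMES:
        if ev.basename != ev.original_filename:
            findings.append(("high", f"Zemana driver {ev.original_filename} loaded "
                                     f"under a different name: {ev.basename}"))
        else:
            # Known vulnerable driver loaded under its real name: worth a look too.
            findings.append(("medium", f"known vulnerable driver {ev.original_filename} loaded"))
    if (ZEMANA_SIGNER_HINT in ev.signer.lower()
            and DROP_DIR.match(ev.image_path)
            and SHORT_RANDOM_NAME.match(ev.basename)):
        findings.append(("high", f"Zemana-signed driver with short random name "
                                 f"dropped in System32: {ev.image_path}"))
    return findings


def scan(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each suspicious image path to its findings; clean records are omitted."""
    results: Dict[str, List[Tuple[str, str]]] = {}
    for line in log_text.splitlines():
        ev = parse_line(line.strip())
        if ev is None:
            continue
        findings = assess(ev)
        if findings:
            results[ev.image_path] = findings
    return results


# Constructed sample telemetry (not real logs). Signer strings are placeholders.
SAMPLE_LOG = r"""
ProcessCreate Image=C:\Windows\System32\cmd.exe User=CORP\alice
DriverLoad ImageLoaded=C:\Windows\System32\drivers\ACPI.sys Signer="Microsoft Windows" OriginalFileName=acpi.sys
DriverLoad ImageLoaded=C:\Windows\System32\drivers\zam64.sys Signer="Zemana" OriginalFileName=zam64.sys
DriverLoad ImageLoaded=C:\Windows\System32\xk7q2mz.sys Signer="Zemana" OriginalFileName=zamguard64.sys
"""

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_LOG).items():
        for severity, reason in findings:
            print(f"[{severity.upper()}] {path}: {reason}")
```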

This method is commonly employed by threat actors who aim to evade security software on compromised machines. They achieve this by escalating privileges, installing vulnerable Windows drivers, executing malicious code, and delivering additional harmful payloads.

These attacks, known as Bring Your Own Vulnerable Driver (BYOVD) attacks, involve dropping legitimate drivers with valid certificates onto victims' devices. These drivers can operate with kernel privileges, effectively disabling security solutions and taking control of the system.

Various threat groups, including financially motivated ransomware gangs and state-sponsored hacking organizations, have utilized this technique for several years. Recently, security researchers at Sophos X-Ops discovered a new hacking tool called AuKill being used in the wild. This tool disables EDR software by utilizing a vulnerable Process Explorer driver before launching ransomware attacks in BYOVD scenarios.

What B2C Service Providers can Learn From Netflix's Accidental Model


Netflix made a policy error last month that might provide consumers with long-term security benefits. For other business-to-consumer (B2C) firms wishing to enhance client account security, this unintentional pro-customer safety action may serve as a lesson. 

On May 23, the streaming giant made its new "household" policy available to US consumers. Accounts will now be limited (with few exceptions) to a single Wi-Fi network and associated mobile devices. After months of stagnation and investor apprehension, it's a shot in the arm to treat the aftereffects of COVID and promote user growth. By banning the widespread practice of password sharing, the restriction may unintentionally enhance streamers' account security. 

"Sharing a password undermines control over who has access to an account, potentially leading to unauthorized use and account compromise," stated Craig Jones, vice president of security operations at Ontinue. "Once shared, a password can be further distributed or changed, locking out the original user. Worse yet, if the shared password is used across multiple accounts, a malicious actor could gain access to all of them. The practice of sharing passwords can also make users more susceptible to phishing and social engineering attacks."

With this new policy, Netflix is demonstrating how businesses may encourage, or simply force, their users to adopt better login practices, whether on purpose or not. However, changing client behaviour for the better isn't always as easy as it looks. 

Use of the gold biometric standard restricted for cloud services 

The mobile phone business is one area of tech that has long since found out how to assist users in logging in safely without sacrificing their experience.

Smartphone users have been selecting simple passcodes for years, simply out of laziness or forgetfulness. When Apple debuted Touch ID for the iPhone 5S in 2013, drawing inspiration from the Pantech GI100, things started to change. Face ID would later make it even simpler for consumers to sign in securely without slowing anything down, even though facial recognition technology wasn't yet available at that point.

Even if biometric login is ideal, most businesses lack access to a ready-made solution, according to John Gilmore, head of research at DeleteMe.

"'Face unlock' on iPhones is an example of how this can be done in practice, but it is contingent on a specific device. For services which rely on users being able to access a service on multiple platforms, it is not yet feasible," he explained.

The main issue is that secure authentication frequently reduces usability when it comes to services. 

"Online services tend to resist implementing stronger security protocols because they see that it complicates the user experience. If you create a multistep barrier to entry, such as two-factor authentication (2FA), it is less likely people will actually engage with your platform," Gilmore added. 

Does this arrangement compel service providers to be clunky or unreliable? Experts argue against this. 

How to promote better account security behaviours

Both a carrot and a stick can be used for motivation. Epic Games, the maker of the online game Fortnite, is one business that has achieved success in the former. Epic developed new in-game awards for players who enabled two-factor authentication (2FA) on their accounts after a succession of security problems that affected thousands of the game's (sometimes very young) users. 

Never before have so many children "boogied down" over good internet behaviour! 

Consider Twitter as a case study in practice. Twitter said on February 15 that SMS-based 2FA would only be available to paid members. The decision was received with mixed feelings in the cybersecurity world because it seemed to discourage the usage of a crucial second layer of security, as explained by Darren Guccione, CEO and co-founder of Keeper Security. Although SMS 2FA is still an option for paid members, Twitter has switched to using an authenticator app or security key as the default for ordinary accounts. 

All of these instances show that businesses have a significant amount of control over how their customers interact with their security.

In the end, Guccione says, "the ethical responsibility falls on the leaders of these companies to support and usher in changes that will ultimately protect their customers."

Deepfake Deception: Man Duped of Rs 5 Crore as Chinese Scammer Exploits AI Technology


A recent incident has shed light on the alarming misuse of artificial intelligence (AI) through the deployment of advanced 'deepfake' technology, in which a man was deceived into losing a substantial amount of money exceeding Rs 5 crore. Deepfakes, which leverage AI capabilities to generate counterfeit images and videos, have raised concerns due to their potential to spread misinformation.

According to a recent report by Reuters, the perpetrator employed AI-powered face-swapping technology to impersonate the victim's close acquaintance. Posing as the friend, the scammer engaged in a video call with the victim and urgently requested a transfer of 4.3 million yuan, falsely claiming the funds were urgently needed for a bidding process. Unaware of the deception, the victim complied and transferred the requested amount.

The elaborate scheme began to unravel when the real friend expressed no knowledge of the situation, leaving the victim perplexed. It was at this point that he realized he had fallen victim to a deepfake scam. Fortunately, the local authorities in Baotou City successfully recovered most of the stolen funds and are actively pursuing the remaining amount.

This incident has raised concerns in China regarding the potential misuse of AI in financial crimes. While AI has brought significant advancements across various domains, its misapplication has become an increasingly worrisome issue. In a similar occurrence last month, criminals exploited AI to replicate a teenager's voice and extort ransom from her mother, generating shockwaves worldwide.

Jennifer DeStefano, a resident of Arizona, received a distressing call from an unknown number, drastically impacting her life. At the time, her 15-year-old daughter was on a skiing trip. When DeStefano answered the call, she recognized her daughter's voice, accompanied by sobbing. The situation escalated when a male voice threatened her and cautioned against involving the authorities.

In the background, DeStefano could hear her daughter's voice pleading for help. The scammer demanded a ransom of USD 1 million in exchange for the teenager's release. Convinced by the authenticity of her daughter's voice, DeStefano was deeply disturbed by the incident.

Fortunately, DeStefano's daughter was unharmed and had not been kidnapped. This incident underscored the disconcerting capabilities of AI, as fraudsters can exploit the technology to emotionally manipulate and deceive individuals for financial gain.

As AI continues to advance rapidly, it is imperative for individuals to maintain vigilance and exercise caution. These incidents emphasize the significance of robust cybersecurity measures and the need to raise public awareness regarding the risks associated with deepfake technology. Authorities worldwide are working tirelessly to combat these emerging threats and protect innocent individuals from falling victim to such sophisticated scams.

The incident in China serves as a stark reminder that as technological progress unfolds, increased vigilance and understanding are essential. Shielding ourselves and society from the misuse of AI is a collective responsibility that necessitates a multifaceted approach, encompassing technological advancements and the cultivation of critical thinking skills.

These cases illustrate the potential exploitation of AI for financial crimes. It is crucial to remain cognizant of the potential risks as AI technology continues to evolve.

Undiscovered Attacks Against Middle Eastern Targets Conducted Since 2020


Over the last few years, companies in the Middle East have faced a series of targeted attacks in which threat actors used an open-source tool together with kernel drivers. Fortinet researchers discovered a sample of the so-called Donut tool while scanning suspicious executables that used open-source technologies. 

This open-source shellcode-generation tool, as well as a variant of the Wintapix driver, were found to have been used in targeted cyberattacks against Saudi Arabia and other Middle Eastern countries. Fortinet researchers Geri Revay and Hossein Jazi stated in a blog post about their research that they believe this driver has been operational in the wild since at least mid-2020, was not reported until now, and has been employed in multiple campaigns over the previous few years.

According to Fortinet's data, there was a noteworthy increase in the number of lookups — or peaks in activity — for this driver in August and September 2022, and again in February and March 2023. This could imply that the threat actor behind the driver was running large-scale campaigns during those periods. According to the data, 65% of the lookups for the driver came from Saudi Arabia, showing that it was a primary focus.

Jazi notes that other malware families have been identified employing similar attack methods (i.e., kernel drivers), but this was a detection of a new malicious driver.

"It has new functionalities such as targeting IIS [Internet Information Services] servers, which is unique in its own accord," Jazi says.

While Jazi cannot provide any information on the exact verticals targeted, he does highlight that Iranian threat groups have a long history of attacking Saudi Arabia and other governments in the region.

According to Fortinet analysts, it is unclear how the driver was spread, and they do not know who was behind this operation. "Observed telemetry shows that, while this driver has primarily targeted Saudi Arabia, it has also been detected in Jordan, Qatar, and the United Arab Emirates, which are classic targets of Iranian threat actors," according to the research.

Since Iranian threat actors have been known to use Microsoft Exchange Servers to distribute other malware, it is probable that this driver was used in conjunction with Exchange attacks. "To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities," the researchers stated.

At this point, it's unknown which organizations were targeted or what the attackers were after. According to Ciarán Walsh, associate research engineer at Tenable, it is entirely possible for a campaign to go undetected for an extended period of time, as this one did. 

"APT1 (CommentCrew) has been noted as maintaining a presence on victim networks without detection for years during its cyberespionage campaigns," he says.

When asked if he believes the time spent undiscovered is indicative of an attacker's sophistication, Walsh answers it depends on a variety of things, including the campaign's aims.

"In espionage, the aim would be to go undetected for however long it takes to achieve those objectives," he says, "but in campaigns that aim to cause disruption such as Anonymous Sudan and its DDoS campaigns, being stealthy and maintaining a foothold in a target network is not a priority."

Walsh observes that open source tools are more likely to be identified because the security community is aware of them and countermeasures and remediation strategies to fight them have been created.

"Custom tooling is much more difficult to detect as automated systems have little, if any, information about the tool to use as part of their detection mechanisms," he says. "Attackers do sometimes adopt an approach of using tools already on target systems or within target networks."

Volt Typhoon, an APT ascribed to China that Microsoft reported last week had obtained access to telecom networks and other critical infrastructure targets in the US, took this strategy.

"Living-off-the-land allows for stealth as there is no execution of any suspicious programs or scripts, which would trigger an alert," Walsh says. "The attackers instead use tools built into operating systems, which are less likely to trigger an alert, or even be deemed suspicious."

PyPI Enforces the Usage of Two-factor Authentication for All Software Publishers


The Python Package Index (PyPI) has stated that by the end of the year, every account that maintains a project on the system will be compelled to enable two-factor authentication (2FA). PyPI is a software repository for Python programming language packages. 

The index contains 200,000 packages, allowing developers to identify existing packages that meet specific project needs, saving time and effort. The PyPI team said the decision to make 2FA required for all accounts is part of their long-term commitment to strengthening platform security, and it supports earlier steps such as barring compromised credentials and enabling API tokens.

The reduced danger of supply chain attacks is one advantage of 2FA protection. These attacks occur when an intruder obtains control over a software maintainer's account and inserts a backdoor or malware into a package that is used as a dependency in other software projects.

Depending on the popularity of the product, such attacks may affect millions of people. While developers are responsible for thoroughly checking the building components of their projects, PyPI's measures should make it easier to avoid this type of issue.

Furthermore, in recent months, the Python project repository has been plagued by frequent malware uploads, imitations of popular packages, and the re-submission of dangerous code using hijacked identities.

The problem became so severe that PyPI was forced to temporarily halt new user and project registrations last week until an adequate defense solution could be designed and implemented. 2FA protection will help to lessen the problem of account takeover attempts, and it should also limit the number of new accounts a suspended user may create in order to re-upload dangerous packages. The deadline for implementing 2FA on all project and organization maintainer accounts is the end of 2023.

In the coming months, affected users should prepare for and implement the additional security precaution, which may be accomplished using either a hardware key or an authentication app.

“The most important things you can do to prepare are to enable 2FA for your account as soon as possible, either with a security device (preferred) or an authentication app, and to switch to using either Trusted Publishers (preferred) or API tokens to upload to PyPI.” - PyPI

According to the PyPI team, the preparatory work performed in previous months, such as introducing 'Trusted Publishing,' combined with parallel initiatives from platforms such as GitHub that have helped developers familiarise themselves with 2FA requirements, makes this year an ideal time to introduce the measure.

How Is the 3-2-1 Backup Policy Now Outdated?


With the growing trend of ransomware attacks, it has become important for individuals and organizations to adopt efficient backup policies and procedures.

According to reports, in 2022 alone, around 236.1 million ransomware attacks were detected globally. Cybercriminals have evolved to use innovative tactics, including malware, cryptography and network infiltration, to prevent companies from accessing their data. As a result of these emerging ransomware attacks, companies are required to strengthen their security and data backup procedures, while attackers compel them to pay in exchange for the release of their systems and backups.

Current Status of Backups

Systems compromised with ransomware can be swiftly restored with the right backups and disaster recovery techniques, thwarting the attackers. However, hackers now know how to lock and encrypt production files while simultaneously deleting or destroying backups. Obviously, their targets would not have to pay the ransom if they could restore their computers from backups.

The Conventional 3-2-1 Backup Policy

The 3-2-1 backup policy has been in place for many years and is considered the "gold standard" for guaranteeing the security of backups. Three data copies must be produced utilizing two different types of storage media, with at least one backup occurring offsite. The backup should ideally also be immutable, which means that it cannot be deleted, altered, or encrypted within the time period specified.

For the past 20 years or so, the "two diverse media" has typically meant one copy on traditional hard drives and the other copy on tape. The most popular methods for achieving immutability involved physically storing the tape in a cardboard box or breaking off the plastic tab on the tape cartridge, which rendered the tape unwritable. The offsite copy was most often created by replicating the backup files between two company data centers.

Growing Popularity of Cloud Security

The cloud has grown in popularity as a place to store backups in recent years. Since its launch, the majority of businesses have reconsidered the conventional 3-2-1 policy, and most firms now use a mixed strategy. Because bandwidth to the cloud is limited, backups are first sent to a local storage appliance, which is typically faster than backing up directly to the cloud. Restoring from backups works the same way: restoring from a local copy will always be quicker. However, what if the hackers deleted the local backup? In that case, one may have to turn to the copy stored in the cloud.

Today, the majority of cloud storage providers offer "immutable" storage, which is locked and cannot be changed or deleted. You actually need this immutability to prevent hackers from eliminating your backups. Additionally, since the cloud is always "off-site," it satisfies one of the key demands of the 3-2-1 backup scheme: one may still have the cloud backup even if there is a fire, flood, or other event that damages the local backup. People no longer see a need for two different types of media, or even for the third copy. 

Replicating the cloud copy to a second cloud site, preferably one that is at least 500 kilometers away, is the practice used most frequently nowadays. The two cloud copies ought to be immutable.

In comparison to on-premises storage systems, cloud storage providers typically offer substantially higher levels of data durability. Amazon, Google, Microsoft, and Wasabi have all chosen the gold standard of 11 nines of durability. If you do the arithmetic, 11 nines of durability indicates that you will statistically lose one object every 659,000 years if a user offers you one million objects to store. Because of this, you never hear about cloud storage providers losing client information. 

The likelihood of losing data due to equipment failure is nearly zero if there are two copies spread across two distinct cloud data centers. The previous requirement of "two different media" is no longer necessary at this level of durability.

Moreover, alongside the added durability, the second cloud copy considerably improves backup data availability. Although the storage system may have an 11-nine durability rating, communications issues occasionally cause entire data centers to fall offline. A data center's availability is typically closer to 4 nines. If one cloud data center goes offline, one can still access their backups at the second cloud data center since they consist of two independent cloud copies. 

One may anticipate that the local copy will be lost during the course of a ransomware attack, so restoration would depend on the cloud copy. A company may as well shut down until the backups are accessible if the cloud goes offline for any reason. This makes having two cloud copies a good investment.

Ethical Issues Mount as AI Takes Bigger Decision-Making Role in Multiple Sectors


Even if we don't always acknowledge it, artificial intelligence (AI) has ingrained itself so deeply into our daily lives that it's difficult to resist. 

While ChatGPT and the use of algorithms in social media have received a lot of attention, law is a crucial area where AI has the potential to make a difference. Even though it may seem far-fetched, we must now seriously examine the possibility of AI determining guilt in courtroom procedures. 

The reason for this is that it calls into question whether using AI in trials can still be done fairly. To control the use of AI in criminal law, the EU has passed legislation.

There are already algorithms in use in North America that facilitate fair trials. The Pre-Trial Risk Assessment Instrument (PTRA), the Public Safety Assessment (PSA), and Compas are a few of these. The employment of AI technology in the UK criminal justice system was examined in a study produced by the House of Lords in November 2022. 

Empowering algorithms

On the one hand, it would be intriguing to observe how AI can greatly improve justice over time, for example by lowering the cost of court services or conducting judicial proceedings for small violations. AI systems are subject to strict restrictions and can avoid common psychological pitfalls. Some may even argue that they are more impartial than human judges.

Algorithms can also produce data that can be used by lawyers to find case law precedents, streamline legal processes, and assist judges. 

On the other hand, routine automated judgements made by algorithms might result in a lack of originality in legal interpretation, which might impede or halt the advancement of the legal system. 

The artificial intelligence (AI) technologies created for use in a trial must adhere to a variety of European law documents that outline requirements for upholding human rights. Among them are the Procedural European Commission for the Efficiency of Justice, the 2018 European Ethical Charter on the use of Artificial Intelligence in Judicial Systems and their Environment, and other laws passed in previous years to create an effective framework on the use and limitations of AI in criminal justice. We also need effective supervision tools, though, including committees and human judges. 

Controlling and regulating AI is difficult and involves many different legal areas, including labour law, consumer protection law, competition law, and data protection legislation. The General Data Protection Regulation, which includes the fundamental principle for justice and accountability, for instance, directly applies to choices made by machines.

The GDPR has rules to stop people from being subject to decisions made entirely by machines with no human input. This principle has also been discussed in other legal disciplines. The problem is already here; in the US, "risk-assessment" technologies are used to support pre-trial determinations of whether a defendant should be freed on bond or detained pending trial.

Sociocultural reforms in mind? 

Given that law is a human science, it is important that AI technologies support judges and solicitors rather than taking their place. Justice follows the division of powers, exactly like in contemporary democracies. This is the guiding principle that establishes a distinct division between the legislative branch, which creates laws, and the judicial branch, which consists of the system of courts. This is intended to defend against tyranny and protect civil freedoms. 

By questioning human laws and the decision-making process, the use of AI in courtroom decisions may upend the balance of power between the legislative and the judiciary. As a result, AI might cause a shift in our values. 

Additionally, as all forms of personal data may be used to predict, analyse, and affect human behaviour, using AI may redefine what is and is not acceptable activity, sometimes without any nuance.

Also simple to envision is the evolution of AI into a collective intelligence. In the world of robotics, collective AI has silently emerged. In order to fly in formation, drones, for instance, can communicate with one another. In the future, we might envision an increasing number of machines interacting with one another to carry out various jobs. 

The development of an algorithm for fair justice may indicate that we value an algorithm's abilities above those of a human judge. We could even be willing to put our own lives in this tool's hands. Maybe one day we'll develop into a civilization like that shown in Isaac Asimov's science fiction book series The Robot Cycle, where robots have intelligence on par with people and manage many facets of society. 

Many individuals are afraid of a world where important decisions are left up to new technology, maybe because they think that it might take away what truly makes us human. However, AI also has the potential to be a strong tool for improving our daily lives. 

Intelligence is not a state of perfection or flawless rationality in human reasoning. For instance, mistakes play a significant part in human activity. They enable us to advance in the direction of real solutions that advance our work. It would be prudent to keep using human thinking to control AI if we want to expand its application in our daily lives.

Hacker Marketplace Remains Operational Despite Police 'Takedown' Claim


A hacker marketplace notorious for stealing accounts from popular services such as Netflix and Amazon is still operational despite claims by authorities that it had been shut down. Last month, an international police operation declared that Genesis Market had been seized and removed from the regular internet. However, an identical version of the marketplace is still accessible on the darknet. 

Recently, a post on the unaffected darknet version of Genesis Market stated that it was fully functional. Genesis Market, characterized by law enforcement as a dangerous website, specializes in selling login credentials, IP addresses, and browsing cookie data that comprise victims' "digital fingerprints." Prior to the police operation, the service was regarded as one of the largest facilitators of criminal activities, with over two million stolen online identities available for sale. 

Dubbed Operation Cookie Monster, the initiative was led by the FBI and Dutch police and was publicly announced on April 5th. Multiple agencies worldwide celebrated the takedown of the website, revealing that 119 individuals had been apprehended and claiming that the criminal service had been dismantled. However, cybersecurity company Netacea has been closely monitoring the darknet version of Genesis Market and reports that the website experienced only a brief disruption of approximately two weeks.

"Taking down cyber-crime operations is a lot like dealing with weeds. If you leave any roots, they will resurface," says Cyril Noel-Tagoe, Netacea's principal security researcher.

"The roots of Genesis Market's operation, namely the administrators, darknet website and malicious software infrastructure, have survived," he said.

Since then, criminal administrators have updated the marketplace, stating that they have launched a new version of their specialist hacking browser, resumed data collection from hacked devices, and added over 2,000 new victim devices to the market. Trellix experts, who assisted authorities in disrupting some of the hacking tools provided on Genesis Market, concurred that the website's founders were still at large.

"It is true that the Genesis administrators quickly responded on Exploit [hacker] forums stating that they would be back online shortly with improvements," said John Fokker, head of threat intelligence at Trellix, adding that the darknet site was still accessible. 

An FBI spokesperson has told the BBC that efforts are being made to "ensure that users who use services like Genesis Marketplace face justice."

According to the UK's National Crime Agency, the operation struck a "huge blow" to cyber criminals. "Although a dark web version of the site remains active, the volume of stolen data and users has been significantly reduced. I have no doubt that the operation damaged criminal trust in Genesis Market," Paul Foster, deputy director of the NCA's National Cyber Crime Unit, told the BBC.

In addition to lowering the marketplace's exposure by removing it from the mainstream internet, authorities and many experts agree that the high number of arrests of users will have a chilling effect on hackers considering utilizing the site.

However, it is unclear how many of those arrested will face charges. According to the NCA, just one of the 30 people apprehended in the UK has been charged with any crime.

Research by Trellix and Netacea into hacker forums indicates apprehension about the market following the operation, although it is unclear whether cyber-criminals have been deterred in the short term or permanently. User comments are still appearing on the marketplace's news page, but in limited numbers.

Taking down illicit websites hosted on the darknet is notoriously challenging, since their servers are either difficult to locate or are located in places that do not respond to Western law enforcement requests, such as Russia.

Genesis Market has been sanctioned by the US Treasury, which believes it is run from Russia. This is not known for certain; however, the website provides Russian and English translations. Over the previous year, police have succeeded in completely eradicating some darknet markets, such as the drug websites Monopoly and Hydra. Hydra, a Russian-language website, was the world's highest-grossing dark web market; it was thought to be based in Russia but was actually hosted in Germany, which allowed German law enforcement to shut it down.

WhatsApp Users Alerted About Possible Scam Calls From International Numbers

 

According to experts, if you receive missed calls, messages, or WhatsApp calls from international numbers starting with +254, +84, +63, or others, you are advised to "report and block" them. The Indian Cybercrime Coordination Centre (I4C) of the Home Ministry is spreading this alert to protect people from falling prey to cybercrime. Forensics and data analysis experts, who are actively working to combat this issue for the government, have cautioned that these numbers may originate from countries such as Singapore, Vietnam, and Malaysia. These international numbers may be used by malicious individuals to obtain financial information unlawfully.

"This is a new cybercrime trend. People across India irrespective of their profession have been receiving calls and missed calls on WhatsApp from +254, +84, +63, +1(218) or other international numbers, and some of them have become victims of cybercrime. It has become more frequent," an expert in cyber intelligence and digital forensics told ANI on condition of anonymity.

"Cyber awareness and hygiene are one of the important aspects in policing and it is a much-appreciated initiative," the official added.

"From early morning between 6 am to 7 am or late in the night, such calls are being received by people from all groups whether he or she is a private employee, businessman, retired government officer or even school and college boy or girl. We need to be just aware of such calls."

A message received from a number starting with +243 said: "Hello, my name is Allena, may I take a few minutes of your time?"

"Now that the 5G era of the Internet has arrived, there are already many people who make money through the Internet. I believe you know it too. I must be added to make money. If you don't speak, you may miss an opportunity at a turning point in your life. There are not many opportunities. I hope you see and then respond to my message," the message said.

If a person or organization is the victim of a cyber-attack, the situation can be reported on the cybercrime.gov.in website, according to the experts, who added that "focused work is being done by the central agencies with the help of I4C to curb the cyber menace."

In March, Union Home Minister Amit Shah visited the Indian Cyber Crime Coordination Centre (I4C) and stated that the wing is trying to realize Prime Minister Narendra Modi's goal of a cyber-success society. He went on to say that the I4C allows for effective and seamless cooperation among all agencies and states in the fight against cybercrime.

Since its inauguration in 2018, the Indian Cyber Crime Coordination Centre, a "special purpose unit" of the Centre, has saved over Rs 12 crore from cybercrime victims.

UK Banks Issue a Warning Regarding an Upsurge in Internet Scams

 

Banks have issued a warning about a sharp rise in fraud in 2022, much of it originating online. 77% of frauds now take place on dating apps, online marketplaces, and social media, Barclays reported.

According to TSB, the major causes of this were an enormous rise in impersonation, investment, and purchase fraud cases. It found that fraudulent listings on Facebook Marketplace had doubled, while impersonation frauds on WhatsApp had tripled in a year. 

Additionally, it claimed that there had been "huge fraud spikes" on Meta-owned platforms including Facebook and WhatsApp. Fraud, according to a spokesperson for Meta, is "an industry-wide issue," the BBC reported. 

"Scammers are using increasingly sophisticated methods to defraud people in a range of ways, including email, SMS, and offline," the company stated. "We don't want anyone to fall victim to these criminals, which is why our platforms have systems to block scams, financial services advertisers now have to be FCA (Financial Conduct Authority)-authorised and we run consumer awareness campaigns on how to spot fraudulent behaviour." 

"Epidemic of scams" 

Banks are dealing with an "epidemic of scams," according to Liz Ziegler, director of fraud protection for Lloyds Banking Group. 

"With more than 70% of fraud starting with contact through the main tech platforms, these companies must be held responsible for stopping scams at source and putting things right for innocent victims," she explained. 

NatWest CEO Alison Rose had previously warned a Treasury Select Committee that three million people in the UK would become victims of fraud in 2022. 

She stated, "we have seen an 87% increase in fraud," noting that NatWest believed that 60% of frauds started on social media and other internet platforms. 

Meanwhile, TSB stated that 60% of the purchase fraud cases it is aware of (where a fraudster offers an item they never intend to send to the customer) occur on Facebook Marketplace, and that two-thirds of the impersonation fraud cases it sees happen on WhatsApp. The bank says it issued 2,650 refunds covering these incidents last year. 

According to Paul Davis, TSB's director of fraud prevention, social media companies "must urgently clean up their platforms" to safeguard users. 

Returned funds 

56% of the total money was lost to scammers in the first half of 2022, according to the most recent data from UK Finance, which represents the banking and finance industry. 

The Contingent Reimbursement Model Code, which intends to pay consumers if they fall victim to an Authorised Push Payment (APP) scam "and have acted appropriately," has been endorsed by many institutions, including NatWest, Lloyds, and Barclays. 

In an APP scam, a consumer is duped into sending money to a fraudulent account. TSB asserts that it reimburses victims in 97% of the fraud incidents it observes and is urging other organisations to do the same.

CERT-In Warns Of 'Royal Ransomware' Virus Attacking India's Critical Sectors

 

Indian citizens and organisations have been alerted about the Royal Ransomware virus by the Indian Computer Emergency Response Team (CERT-In). 

This ransomware targets key infrastructure industries, such as manufacturing, communications, healthcare, and education, as well as individuals, encrypting their files and demanding payment in Bitcoin to prevent the release of private information to the public. 

The CERT-In advisory states that RDP (remote desktop protocol) abuse, phishing emails, malicious downloads, and other forms of social engineering are all ways the Royal Ransomware infection spreads. The ransomware was first discovered in January 2022 and started to spread around September of last year, at which point the US government began to issue advisories against its expansion.

The report also disclosed that the threat actors employ a number of strategies to trick victims into installing remote access malware as part of callback phishing. In order to prevent recovery, the virus encrypts the data and deletes shadow copies once it has infected the system. 

The Royal Ransomware contacts the victim directly via a .onion URL (reachable with a dark web browser), so the ransom note itself does not reveal information such as the ransom amount or any instructions. Additionally, the malware gains access to the domain controller, exfiltrates a sizable amount of data before encryption, and disables antivirus protections.

Prevention Tips

CERT-In has suggested a set of countermeasures and internet hygiene guidelines to protect against this and similar ransomware attacks. These precautions include keeping backup data offline, regularly maintaining backup and restore processes, enabling protected files in Windows, blocking remote desktop connections, using least-privileged accounts, and restricting the number of users who can access resources via remote desktop. 

Other best practices include keeping anti-virus software up to date on computer systems, avoiding clicking on links in unsolicited emails, and encrypting all backup data so that it is immutable (cannot be changed or removed) and covers the entire organization's data architecture. 

People and organisations should exercise caution and take the appropriate safety measures to protect themselves from this ransomware. Following the suggested rules can help prevent data loss and lower your chances of suffering financial and reputational harm.
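As an added example (not CERT-In's advisory tooling, and not Royal's own code), the Python below scans process-creation log lines for the shadow copy deletion the advisory describes, while suppressing routine rotation by a known backup agent so the rule does not page on every backup job. The log layout, hostnames, users and the allowlisted agent path are constructed assumptions for the demo.

```python
"""
Detect ransomware-style shadow copy deletion in process-creation logs.

The advisory summarised above says Royal deletes Volume Shadow Copies after
infection to block recovery. The sample below is a constructed, simplified
export of Windows process-creation events (tab-separated: timestamp, host,
user, parent image, command line); its layout and names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: one event per line, fields separated by tabs.
SAMPLE_LOG = """\
2023-05-02T02:14:07Z\tWS-FIN-07\tCORP\\jdoe\tC:\\Windows\\explorer.exe\t"C:\\Program Files\\Office\\WINWORD.EXE" /n report.docx
2023-05-02T02:31:55Z\tWS-FIN-07\tCORP\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe\tvssadmin.exe delete shadows /all /quiet
2023-05-02T02:32:01Z\tWS-FIN-07\tCORP\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe\twmic.exe shadowcopy delete
2023-05-02T02:32:09Z\tWS-FIN-07\tCORP\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe\tpowershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2023-05-02T09:05:12Z\tSRV-BKP-01\tCORP\\backupsvc\tC:\\Windows\\System32\\services.exe\tvssadmin.exe list shadows
2023-05-02T09:06:40Z\tSRV-BKP-01\tCORP\\backupsvc\tC:\\Program Files\\BackupAgent\\agent.exe\tvssadmin.exe delete shadows /for=D: /oldest
2023-05-02T10:40:03Z\tSRV-FILE-02\tCORP\\admin\tC:\\Windows\\System32\\cmd.exe\tvssadmin.exe delete shadows /for=C: /oldest
"""

# The three common ways shadow copies get deleted from a command line.
SHADOW_COPY_DELETION = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Win32_ShadowCopy .Delete()", re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
]

# Parent images allowed to rotate shadow copies as part of normal backups.
# Constructed allowlist for the demo; populate from your own backup inventory.
ALLOWED_PARENTS = {r"c:\program files\backupagent\agent.exe"}

# A parent living in a user-writable directory is a strong malware signal.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.I)


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent: str
    commandline: str


@dataclass
class Alert:
    event: ProcessEvent
    technique: str
    severity: str  # "high" or "medium"


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse the tab-separated export, skipping blank or malformed lines."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split("\t", 4)
        if len(parts) != 5:
            continue
        events.append(ProcessEvent(*parts))
    return events


def match_technique(commandline: str) -> Optional[str]:
    for name, pattern in SHADOW_COPY_DELETION:
        if pattern.search(commandline):
            return name
    return None


def classify(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert for shadow copy deletion, or None if benign/no match."""
    technique = match_technique(event.commandline)
    if technique is None:
        return None
    cmd = event.commandline.lower()
    # "/all", a bare "wmic shadowcopy delete" and the WMI loop wipe everything;
    # a backup agent deleting only the oldest copy of one volume is routine.
    wipes_everything = "/all" in cmd or "shadowcopy delete" in cmd or ".delete()" in cmd
    if event.parent.lower() in ALLOWED_PARENTS and not wipes_everything:
        return None
    high = wipes_everything or "/quiet" in cmd or USER_WRITABLE.search(event.parent) is not None
    return Alert(event, technique, "high" if high else "medium")


def scan(text: str) -> List[Alert]:
    return [a for a in (classify(e) for e in parse_log(text)) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        e = alert.event
        print(f"[{alert.severity.upper()}] {e.timestamp} {e.host} {e.user} "
              f"{alert.technique}: {e.commandline}")
```

Running it on the sample yields three high-severity alerts for the Temp-resident parent on WS-FIN-07 and one medium alert for the interactive deletion on SRV-FILE-02; the backup agent's rotation is suppressed.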

Hackers Leak Photos to Mock Western Digital's Cyberattack Response

 


The ALPHV ransomware operation, also known as BlackCat, has shared screenshots of internal emails and video conferences seized from Western Digital, revealing that they likely continued to have access to the firm's systems even while the company responded to the incident. 

The release comes after the threat actor informed Western Digital on April 17th that if a ransom was not paid, they would harm them until they "could not stand anymore." Western Digital was the victim of a cyberattack on March 26th, in which threat actors infiltrated its internal network and stole company data. However, no ransomware was installed, and no files were encrypted.

In response, the company suspended its cloud services, including My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, and SanDisk Ixpand Wireless Charger, as well as related mobile, desktop, and online apps, for two weeks.

According to TechCrunch, an "unnamed" hacking group accessed Western Digital and claimed to have stolen ten terabytes of data. The threat actor allegedly shared examples of the stolen data with TechCrunch, including files signed with stolen Western Digital code-signing keys, unlisted corporate phone numbers, and images of other internal data.

In addition, the hackers claimed to have stolen data from the company's SAP Backoffice implementation. While the hacker claimed to be unrelated to the ALPHV ransomware operation, a message soon surfaced on the gang's data leak site, alerting that Western Digital's data would be spilled if a ransom was not paid.

Western Digital is mocked by ALPHV

Security researcher Dominic Alvieri informed BleepingComputer that the hackers revealed twenty-nine screenshots of emails, documents, and video conferences connected to Western Digital's response to the attack in an additional attempt to humiliate and disgrace the corporation.

When an organization is compromised, one of the first measures is to figure out how the threat actor obtained access to the network and block the path. However, there can be a delay between identification and response, enabling the adversary's access to continue even after an attack is detected. This access permits them to watch the company's response and steal additional data.

The screenshots supplied by ALPHV suggest the threat actors sustained access to parts of Western Digital's systems, since they show video conferences and emails concerning the attack. One image depicts the "media holding statement", and another an email regarding staff leaking information about the attack to the press.

Another message from the threat actors is included with the exposed material, claiming to have customers' personal information as well as a comprehensive backup of WD's SAP Backoffice implementation.

While the data appears to be Western Digital's, BleepingComputer was unable to independently confirm its source or whether it was stolen during the attack. Western Digital is not currently negotiating a ransom to halt the publication of stolen data, which has prompted fresh threats from hackers.

"We know you have the link to our onion site. Approach with payment prepared, or [redacted] off. Brace yourselves for the gradual fallout," reads ALPHV's new warning to Western Digital.

Western Digital declined to comment on the stolen screenshots and threat actors' assertions.

Top 5 Reasons Why Cybersecurity is Essential For Organisations

 

A company's information is its focal point, around which everything else revolves. Therefore, the significance of information security cannot be understated. By maintaining a strict cybersecurity policy, your organisation can prevent data breaches, unauthorised access, and other serious dangers that could endanger your digital assets. 

After the economies of China and the United States, cybercrime's economy would rank third in size. By 2025, it might grow to $17.65 trillion yearly. We must take action to prevent becoming a victim of cyberattacks given this startling statistic. 

The following are some salient justifications for why modern businesses should prioritise cyber security: 

An uptick in cybercrimes 

A cyber-attack can have a negative impact on your business, no matter how big or small it is. This is because every business has numerous valuable assets that hackers might exploit. Sometimes the target is the private data of customers or business clients; other times it is simply money. There were 270 cyberattacks (unauthorised access to data, applications, services, networks, or devices) per organisation last year, a 31% increase from 2021. Strong cybersecurity is the only answer, because cybercrime is only getting worse every year.

Cryptocurrency and the deep web 

The deep web, commonly referred to as the dark web, is a collection of websites that are hidden from search engines by passwords or other security measures. Only specialised web browsers can access these websites or pages, keeping users' identities private.

The dark web is similar to a secret room where criminal activity can be carried out, including the distribution of software, the sale of personal information, the trafficking of people and drugs, the sale of illicit weapons, and many other unimaginable crimes.

Cryptocurrency is now the attackers' preferred currency. With the price of Bitcoin at an all-time high, attacks are escalating as threat actors chase profits. End users have long struggled with phishing scams, data thieves, and malware that swaps wallet addresses in memory. Attacks on the core software of cryptocurrencies, smart contracts, are now launched more frequently. These new marketplaces present opportunities for sophisticated attacks (such as the flash loan attack), which might give attackers access to cryptocurrency liquidity pools worth millions of dollars. The significance of cyber security has grown as a result of these vulnerabilities. 

Excessive use of technology 

We all spend a lot of time using technology, so fraudsters have a wealth of opportunities. Serverless computing, edge computing, and API services are all booming, just like cloud services. When used in conjunction with container orchestration such as Kubernetes, processes can be effectively automated and dynamically adapted to diverse situations. Attackers are targeting such APIs to disrupt this hyper-automation, with a significant impact on a company's business processes. 

Increased use of IoT devices 

The development of Internet of Things (IoT) technology has made our tasks easier, but it has also made us a target for hackers. IoT devices present a larger attack surface for data breaches because of the variety of sensors they are fitted with and the innovative technology they employ for constant communication and data exchange. No matter how sophisticated your security measures are, if you don't properly manage these internet-connected gadgets, attackers will find a way around them. 

Rise in ransomware

Currently, ransomware is one of the most lucrative cyberattacks. Due to the intense focus of law enforcement and the millions of dollars in profits at stake, ransomware tactics in particular are changing significantly. Cloud, virtual systems, and OT/IoT environments have all been impacted by ransomware. Anything that is part of a network and can be reached could be a target. Data theft for double extortion and the disabling of security mechanisms will soon be the new standard, and ransomware will increasingly involve insider threats and personal data. 

FEMA estimates that 25% of firms that experience a disaster never reopen. Therefore, it's critical that we take cybersecurity seriously if we want to protect our systems from viruses. 

Mitigation Tips 

Everyone is exposed to major cyber threats. Whether you are a business owner or any other type of online user, you should take steps to make yourself cyber secure in order to protect your information from hackers.

Anti-malware and antivirus defences are essential to stop bad actors from abusing your system. As previously indicated, cybercriminals target companies of all kinds, including small firms, using a variety of methods, and demand ransom payments of $100,000 or more. Advanced cybersecurity systems that use AI and machine learning can give you real-time protection from malware, viruses, and ransomware. 

Additionally, you must have a backup and disaster recovery plan if you want to protect your company against unanticipated cybersecurity incidents. Acronis is a dependable backup programme that automatically backs up all of the photographs and files on your computer, not just a subset of them. It offers a strong backup and guarantees that your files are accessible when you require them. 

Cyberattacks have impacted businesses of all sizes in every sector of the global economy, including Uber and social media giant Facebook. Because of the ongoing advancement of technology, we are all now susceptible to cyber-attacks. The rate of cybercrime is constantly increasing and will never stop. Hackers can thus take our data, money, and reputation if there is no cybersecurity. You can defend your company from cyberattacks in a variety of ways; all you have to do is recognise its significance and take appropriate action. Contact our staff right now to protect your company.

Utilising Multiple Solutions Makes Your Zero Trust Strategy More Complex

 

According to BeyondTrust, business operational models are much more complicated now than they were a few years ago. 

Integration with zero trust

More applications, information stored and moving through the cloud, remote personnel accessing critical systems and data, and other factors are all contributing to this complexity. 

Threat to supply chain security 

As a result of a company's growing reliance on its supply chain, partners, suppliers, and shippers are now frequently directly linked to its systems. This has increased the demand for identity solutions and a zero trust strategy. 

The results of this study suggest that integration needs could prevent timely implementation. The research for the survey centred on comprehending the adoption rates, occurrences, solutions, obstacles, and new areas of attention for identification and zero trust.

“Today’s business operating models are highly complex, with remote employees accessing critical systems using dozens, and even hundreds of applications,” stated Morey Haber, Chief Security Officer at BeyondTrust. 

“Data is transmitted between clouds and corporate data centers, with third-party contractors and supply chain partners, suppliers, and shippers directly connecting to these corporate systems. Legacy security architectures and network defenses are less effective at managing this extended perimeter. Zero trust principles and architectures are being adopted by public and private sectors because they have become one of the most effective approaches to mitigating the heightened risks to highly sensitive identities, assets, and resources,” concluded Haber. 

Data breaches and identity theft skyrocket 

The study discovered that 81% of respondents had two or more identity-related incidents in the previous 18 months, making up virtually all of the sample. A sizable portion of these incidents involved privileged accounts. 

A zero-trust strategy is still being implemented by more than 70% of businesses in order to secure an expanding security perimeter brought on by increased cloud usage and remote workers. 

For their zero trust strategy, almost all businesses said they were utilising multiple vendors and solutions, with the majority citing four or more. 70% of the businesses that were interviewed rely on expensive third-party services, frequently specialised coding, for integration. The deployment procedure was complicated by the fact that 84% of those had zero trust defenses that required several integration strategies. 

Native integration is needed for zero trust solutions 

Over 70% of respondents to a survey stated that they had to remove a security solution because it didn't integrate well, demonstrating how critical integration has become for many businesses. According to those questioned, flaws in their zero trust strategy led to a variety of problems, including a slower rate of issue resolution, poorer user experiences, erroneous access privileges, human intervention, and compliance problems. 

A faster reaction to security risks and enhanced compliance are two benefits of better integration that save time in addition to resources, according to more than 90% of businesses. 

Important issues affecting businesses 

Identity-related

  • 93% report having identity troubles as a result of integration concerns in the past 18 months
  • 81% of people have reported two or more identity concerns 
  • 63% of respondents claim that identification issues directly included privileged users and credentials, while 5% are unsure.

Zero trust related

  • 76% of businesses are still working to establish a zero-trust strategy to protect their environment
  • 96% of businesses employ several zero-trust strategies, with 56% utilising four or more. 

Integration-related 

  • 70% of businesses are forced to rely on vendor bespoke code for the integration of zero trust solutions
  • 84% of businesses use a variety of integration techniques to implement their zero-trust strategy
  • 99% of businesses say zero trust solutions must be integrated with a wide range of other programmes. 
  • Easy integration is rated as "very important" or "important" by 94% of participants, with none saying it isn't.

To lessen the burden of integration processes, practically every organisation said that a zero trust approach requires integration with multiple other business and collaboration apps. Most have made native integration a crucial consideration for choosing zero-trust solutions due to integration problems. 

The Media & Entertainment Industries' Major Public Cloud Security Issues

 

As reported by Wasabi, media and entertainment (M&E) organizations are swiftly resorting to cloud storage to improve their security procedures. While M&E organizations are still fairly new to cloud storage (69% had been using cloud storage for three years or less), public cloud storage use is on the rise, with 89% of respondents looking to increase (74%) or maintain (15%) their cloud services.
On average, M&E respondents reported spending 13.9% of their IT budget on public cloud storage services. Overdrawn budgets due to hidden fees, as well as cybersecurity and data loss worries, continue to be issues for M&E organizations.

“The media and entertainment industry is a key vertical for cloud storage services, driven by the need for accessibility to large media files among multiple organizations and geographically distributed teams,” said Andrew Smith, senior manager of strategy and market intelligence at Wasabi Technologies, and a former IDC analyst.

“While complex fee structures and cybersecurity concerns remain obstacles for many M&E organizations, planned increases in cloud storage budgeting over the next year, combined with a very high prevalence of storage migration from on-premises to cloud, clearly shows the M&E industry is embracing and growing their cloud storage use year on year,” concluded Smith.

In the previous year, more than half of M&E organizations spent more than their planned amount on cloud storage services. The fees accounted for 49% of M&E firms' public cloud storage expense, with the other half going to actual storage capacity utilized. Understanding the charges and fees connected with cloud usage has been identified as the most difficult cloud migration barrier for M&E organizations.

Since M&E organizations rely substantially on data access, egress, and ingress, M&E respondents reported the highest occurrence of API call fees when compared to the global average. The respondents reported a very high incidence of cloud data migration, with 95% reporting that they migrated storage from on-premises to the public cloud in the previous year.

M&E respondents who plan to expand their public cloud storage budgets in the next 12 months identified new data protection, backup, and recovery requirements as the primary driver, compared to the global average, which rated third. More than one public cloud provider is used by 45% of M&E organizations. One of the major reasons M&E organizations chose a multi-cloud strategy was data security concerns, which came in second (44%) behind different buying centers within the organization making their own purchase decisions (47%).

The following are the top three security concerns that M&E organizations have with a public cloud:
  • Lack of native security services (42%)
  • Lack of native backup, disaster and data protection tools and services (39%)
  • Lack of experience with cloud platform or adequate security training (38%)

“Organizations in the media and entertainment industry are flocking to cloud storage as their digital assets need to be stored securely, cost-effectively and accessed quickly,” said Whit Jackson, VP of Media and Entertainment at Wasabi.

The US Cyber Command is Deploying Experts Abroad to Assist Collaborators in Detecting Hackers

 

The US government's Cyber National Command Force (CNCF) is deploying professionals abroad in "hunt forward" operations to assist partner countries in tackling cybercrime and has undertaken 47 operations in 20 countries in the last three years. Though this could aid the global fight against cybercriminals, one expert believes it should be supplemented by increased data sharing between the US and its allies. 

The CNCF's commander, Major General William Hartman, unveiled details of the operations during a speech at the RSA security conference in San Francisco on Monday. The US actions were carried out at the request of the partner countries, according to Hartman, who added that the CNCF recently sent 43 of its specialists to Ukraine to support the cyber battle against Russia.

Emily Taylor, CEO of Oxford Information Labs and a Chatham House associate fellow, praised the CNCF's actions. On Monday, she spoke before Parliament's National Security Strategy Committee as part of a hearing on the subject of ransomware, emphasizing the significance of international data sharing.

“Barriers to the free flow of evidence across borders” need to be removed to compile cases against these criminals quickly, she told the committee. “If there can’t be international cooperation on cyber crime, then there must be some sort of response from the international community that does abide by the rules,” Taylor added.

While countries like Russia are unlikely to prosecute their own cybercriminals, other countries must be able "to call them out for failing" to do so, according to Taylor. 

“International cooperation at this time is incredibly challenging, but we will need something if we actually want these criminals to go to jail,” she said. Other countries, including the United Kingdom, are carrying out similar operations. Last year, Foreign Office minister Leo Docherty told Sky News that UK spies were "already on the frontline" assisting Ukraine's efforts to repel Russian forces.

Taylor believes that more cross-border sharing of digital evidence will be necessary to connect these missions.

“The US, EU and UK are really close allies, you shouldn’t be able to put a piece of paper between them, let alone have international cyber crime investigations thwarted because of lack of data sharing or lack of confidence,” she said.