Showing posts with label Hackers.

Inside the Espionage: How Nobelium Targets French Diplomatic Staff


Cybersecurity threats have become increasingly sophisticated, and state-sponsored actors continue to target government institutions and diplomatic entities. One such incident involves a Russian threat actor known as “Nobelium,” which has been launching spear phishing attacks against French diplomats.

ANSSI Issued an Alert

France's cybersecurity agency, ANSSI, has issued a notice outlining a Russian spear phishing attempt aimed at French diplomats, the Record reports. The CIA connects the campaign to "Nobelium," a threat actor linked to Russia's Foreign Intelligence Service (SVR).

The Campaign

Nobelium, believed to have ties to Russia’s Foreign Intelligence Service (the SVR), primarily uses compromised legitimate email accounts belonging to diplomatic staff to conduct these attacks. The goal is to exfiltrate valuable intelligence and gain insights into French diplomatic activities.

Compromising Email Accounts of French Ministers

These events included the penetration of email accounts at the French Ministry of Culture and the National Agency for Territorial Cohesion, but according to ANSSI, the hackers were unable to access any elements of those networks other than the compromised inboxes.

However, the hackers subsequently used those email addresses to target other organizations, including France's Ministry of Foreign Affairs. ANSSI stated that Nobelium attempted to acquire remote access to the network by installing Cobalt Strike, a penetration testing system infamous for being abused by bad actors, but was unsuccessful.

Other occurrences reported by ANSSI included the use of a French diplomat's stolen email account to send a malicious message falsely proclaiming the closure of the French Embassy in South Africa due to an alleged terror assault.

Tactics and Techniques

Nobelium’s spear phishing campaigns are highly targeted. They craft convincing lure documents tailored to specific individuals within diplomatic institutions, embassies, and consulates. Here are some tactics and techniques they employ:

Email Spoofing: Nobelium impersonates trusted senders, often using official-looking email addresses. This makes it challenging for recipients to discern the malicious intent.

Lure Documents: The threat actor attaches seemingly innocuous files (such as PDFs or Word documents) to their emails. These files contain hidden malware or exploit vulnerabilities in software applications.

Social Engineering: Nobelium leverages social engineering techniques to manipulate recipients into opening the attachments. They might use urgent language, reference official matters, or create a sense of curiosity.

Credential Harvesting: Once the recipient opens the attachment, the malware may attempt to steal login credentials or gain unauthorized access to sensitive systems.

The Growing Threat of Data Breaches to Australian Businesses

 

Data breaches are now a significant threat to Australian businesses, posing the risk of "irreversible brand damage." A cybersecurity expert from Fortinet, a global leader in the field, has raised alarms about cybercriminals increasingly targeting the nation’s critical infrastructure. Cybercriminals are continually finding new ways to infiltrate Australia’s infrastructure, making businesses highly vulnerable to attacks. 

The Australian federal government has identified 11 critical sectors under the Security of Critical Infrastructure Act, which was amended in 2018 to enforce stricter regulations. Businesses in these sectors are required to complete annual reporting to notify the federal government of any attempts to access their networks. Michael Murphy, Fortinet’s Head of Operational Technology and Critical Infrastructure, recently discussed the severity of cyber threats on Sky News Business Weekend. During the 2022-2023 financial year, 188 cybersecurity incidents were reported across critical sectors, highlighting ongoing risks to national networks like water and energy supplies. 

Additionally, the Australian Bureau of Statistics found that 34 percent of businesses experienced resource losses managing cybersecurity attacks in the 2021-2022 financial year, and 22 percent of Australian businesses faced a cybersecurity attack during that period—more than double the previous year’s figure. Even small businesses are now vulnerable to cybercrime. Murphy pointed out that among entities with mandatory reporting, 188 incidents were reported, with 142 incidents reported by entities outside of critical infrastructure, demonstrating the widespread nature of the threat. He explained that hackers are motivated by various factors beyond financial gain, including the desire for control. 

The consequences of cyber attacks can be severe, disrupting systems and causing significant downtime, which leads to revenue loss and irreversible brand damage. Critical infrastructure sectors face unique challenges compared to the IT enterprise. Quick restoration of systems is often not an option, and recovery can take considerable time. This extended downtime not only affects revenue but also damages the reputation and trustworthiness of the affected organizations. Murphy noted that many incidents are driven by motives such as financial profiteering, socio-political influence, or simply the desire of hackers and syndicates to boost their credibility. 

As cyber threats evolve, it is crucial for businesses, especially those in critical infrastructure sectors, to strengthen their cybersecurity measures. While annual reporting and adherence to federal regulations are essential, proactive strategies and advanced security technologies are necessary to mitigate risks effectively.

Hackers Use Trojanized Minesweeper Clone to Phish Financial Organizations

 

Hackers are exploiting code from a Python clone of Microsoft's classic Minesweeper game to conceal malicious scripts in attacks targeting financial institutions in Europe and the US.

Ukraine's CSIRT-NBU and CERT-UA have identified the threat actor 'UAC-0188' as responsible for these attacks. They are using the legitimate game code to hide Python scripts that download and install the SuperOps RMM (Remote Monitoring and Management) software. SuperOps RMM, though legitimate, provides remote actors with direct access to compromised systems.

CERT-UA's investigation into the initial discovery has uncovered at least five breaches in financial and insurance sectors across Europe and the United States linked to these same files.

The attack initiates with an email from "support@patient-docs-mail.com," posing as a medical center with the subject "Personal Web Archive of Medical Documents." The email prompts recipients to download a 33MB .SCR file from a Dropbox link. This file includes harmless code from a Python clone of Minesweeper, alongside malicious Python code designed to download additional scripts from a remote source, "anotepad.com."

Incorporating Minesweeper code within the executable helps disguise the 28MB base64-encoded string containing the malicious code, making it seem benign to security software. The Minesweeper code features a function named "create_license_ver," repurposed to decode and execute the hidden malicious code, using legitimate software components to mask and facilitate the attack.

The base64 string decodes to a ZIP file containing an MSI installer for SuperOps RMM, which is extracted and executed using a static password. While SuperOps RMM is a legitimate tool, in this scenario, it grants attackers unauthorized access to the victim's computer.

CERT-UA advises organizations not using SuperOps RMM to treat its presence or related network activity, such as connections to "superops.com" or "superops.ai" domains, as indicators of a compromise.

The agency has also provided additional indicators of compromise (IoCs) associated with this attack at the end of their report.
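CERT-UA's advice above is to treat any contact with the SuperOps domains as an indicator of compromise in environments that do not use the product. The following Go program is an added example, not code from the CERT-UA report, of how a defender might sweep a resolver or proxy log for those two domains. The log format (timestamp, record type, client IP, queried name) and every log line are constructed for the example; the only real values are the two domains named in the advisory. The check matches the domains and any of their subdomains on a label boundary, so a look-alike such as "notsuperops.com" is not reported, and it normalises case and the trailing dot of FQDN-style names before comparing.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// iocDomains are the two domains CERT-UA names in the report above.
var iocDomains = []string{"superops.com", "superops.ai"}

// matchesIOC reports whether host is one of the IoC domains or a subdomain of
// one. A plain substring test would also flag unrelated names such as
// "notsuperops.com", so the comparison is anchored on a label boundary.
// Trailing dots (FQDN form) and letter case are normalised first.
func matchesIOC(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range iocDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// Finding records one log line that resolved or contacted an IoC domain.
type Finding struct {
	Line int    // 1-based line number in the log
	Src  string // client address from the log line
	Host string // hostname exactly as logged
}

// scanLog walks a space-separated DNS query log in which the third field is
// the client IP and the fourth is the queried name. This layout is constructed
// for the example; adapt the field indices to the resolver or proxy in use.
// Lines with fewer than four fields are skipped rather than treated as errors.
func scanLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue
		}
		if matchesIOC(f[3]) {
			findings = append(findings, Finding{Line: n, Src: f[2], Host: f[3]})
		}
	}
	return findings
}

// sampleLog is constructed input: two names should be flagged as IoC hits,
// one is a near-miss that must not be flagged, one is unrelated, and one
// line is malformed.
const sampleLog = `2024-05-27T09:14:02Z query 10.0.4.17 api.superops.ai
2024-05-27T09:14:05Z query 10.0.4.17 notsuperops.com
2024-05-27T09:15:11Z query 10.0.7.3 update.microsoft.com
malformed line
2024-05-27T09:16:40Z query 10.0.9.8 SuperOps.com.`

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d: %s resolved IoC domain %s\n", f.Line, f.Src, f.Host)
	}
}
```

Run against the constructed log it reports lines 1 and 5 only. The same matcher can be pointed at the full IoC list CERT-UA attaches to its report by extending iocDomains.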

LockBit Ransomware Group Challenges FBI: Opens Contest to Find Dmitry Yuryevich

 

LockBitSupp, the alleged administrator of the notorious LockBit ransomware group, has responded publicly to recent efforts by the Federal Bureau of Investigation (FBI) and international law enforcement to identify and apprehend him. 

Following the restoration of previously seized domains, law enforcement authorities identified Dmitry Yuryevich Khoroshev as the mastermind behind LockBit operations in a recent announcement. This revelation was accompanied by official sanctions from the U.S., U.K., and Australia, along with 26 criminal charges that collectively carry a maximum sentence of 185 years imprisonment. 

Furthermore, the U.S. Justice Department has offered a substantial $10 million reward for information leading to Khoroshev's capture. Despite these developments, LockBitSupp has vehemently denied the allegations, framing the situation as a peculiar contest on the group's remaining leak site. LockBitSupp has initiated a contest on their leak site, encouraging individuals to attempt contact with Dmitry Yuryevich Khoroshev. They assert that the FBI has misidentified the individual and that Khoroshev is not associated with LockBitSupp. 

The ransomware admin suggests that the alleged identification mistake may have arisen from cryptocurrency mixing with their own funds, attracting the attention of law enforcement. The contest invites participants to reach out to Khoroshev and report back on his well-being, with a reward of $1000 offered for evidence such as videos, photos, or screenshots confirming contact. Submissions are to be made through the encrypted messaging platform Tox, using a specific Tox ID provided by LockBitSupp.  

Additionally, LockBitSupp has shared multiple links to LockBit-associated file-sharing services on the dark web, presumably for individuals to archive details and submit as contest entries. They have also listed extensive personal details alleged to belong to Dmitry Khoroshev, including email addresses, a Bitcoin wallet address, passport, and tax identification numbers. Amidst the contest announcement, LockBitSupp expressed concern for the individual mistakenly identified as them, urging Khoroshev, if alive and aware, to make contact. 

This unusual move by LockBitSupp challenges the assertions made by law enforcement agencies and highlights the complex dynamics of the cyber underworld, where hackers openly taunt their pursuers. LockBitSupp emphasized that the contest will remain active as long as the announcement is visible on the blog. They hinted at the possibility of future contests with larger rewards, urging followers to stay updated for further developments. 

The announcement was uploaded and last updated on May 9, 2024, UTC, leaving the public and cybersecurity community anticipating further developments. Recent indictments have identified Khoroshev as the mastermind behind LockBit operations since September 2019. The LockBit group is alleged to have extorted over $500 million from victims in 120 countries, with Khoroshev reportedly receiving around $100 million from his involvement in the activities.

Australia's Premier Non-Bank Lender Suffers Data Security Breach

 


One of Australia's largest non-bank mortgage lenders, Firstmac, has suffered a cyberattack in which customer information such as credit card and passport numbers, Medicare numbers and driver's licence numbers was stolen and published on the dark web. In a letter sent to its customers, the Brisbane-based lender informed them that one of its information technology systems had been breached by an unauthorised third party.

According to the non-bank lender, hackers have taken possession of nearly ten thousand driver's licenses and two hundred and fifty thousand "customer records" over the last few days. The company notified the Australian Stock Exchange of the incident. As a result of the unusual activity it has detected on its systems "in the last few days," the company has suspended trading until Monday. The hackers were said to be very sophisticated.

There is no indication of whether the hackers gained access to Latitude information held at two separate service providers by using employee login credentials, whether those credentials had been stolen, or whether this was a credential stuffing attack that the company was not aware of. A consortium of investors, including KKR and Deutsche Bank, acquired Latitude from GE in 2015 to sell its credit cards and instalment payment plans to retailers. In 2021, the company went public.

Firstmac Limited, one of the largest firms in the country, has informed its customers that it has suffered a data breach the day after an alleged theft of 500GB of data from the company by the new Embargo cyber-extortion group was uncovered. In the financial services industry of Australia, Firstmac is primarily known for its mortgage lending, investment management, and securitization services, which it provides to its clients. 

Based in Brisbane, Queensland, the company employs 460 people and has issued 100,000 home loans. At the moment, the firm manages around $15 billion in mortgage loans. Troy Hunt, the creator of Have I Been Pwned, published on X yesterday a sample of the notice letter sent to Firstmac's customers informing them of a major data breach. 

Cyberdaily, the technology industry publication, reported that a large amount of data was posted on the dark web by the hackers behind the attack. EMBARGO, a ransomware gang with roots in the Netherlands, is credited with the hack, which was carried out sometime in April, according to the publication. As the report points out, Firstmac was given a ransom deadline of May 8 by the gang, a deadline that appears to have lapsed without the demand being met.

Cyberdaily posted screenshots of EMBARGO's dark web site, which exposed customer information such as loan and financial details as well as email addresses. Details of several Firstmac executives and IT departments were also published by the gang. It is unclear how many customers and employees have been affected by the breach.

Firstmac has been contacted for further information. The lender assured its customers that their funds and accounts are safe and that its systems have been strengthened in recent months to ensure this. Among the added security measures is a new requirement that anyone who wants to change an account or add a card to it must provide a two-factor authentication code or biometric information to verify their identity.

IDCare is offering free identity theft protection services for recipients of the notices. Users are advised to be cautious when responding to unsolicited correspondence and to regularly check their account statements for any unusual activity or transactions. On the newly formed threat group's extortion page, only two victims appear to have been listed, and it is unclear whether the new group is carrying out its own data breaches or buying stolen data from others with the intention of blackmailing the owners.

A sample of Embargo's encryptor has still not been found, so it is unknown whether this is a ransomware group or whether it simply aims to profit by extorting funds. A large number of hacks against Australian servers were recorded in the 2022-23 financial year, an increase of more than 300 per cent compared to the previous financial year, according to the Australian Signals Directorate, the federal government agency responsible for information security.

A data breach was discovered late last year affecting Melbourne travel agency Inspiring Vacations, in which approximately 112,000 records, totalling 26.8 gigabytes of data, were exposed online as a result of an insecure database that was not password protected. The recent data breaches of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks have been labelled a "new normal" of constant attacks and breaches that have affected millions of Australians.

There have now been significant increases in penalties for serious or repeated breaches of customer data, largely due to the Optus breach in particular. As a result of the Embargo extortion group having announced the attack online on its site, there was extensive coverage by Australian media outlets about the attack on Firstmac which occurred at the end of April. Earlier this week, Embargo published all of the data they claimed to have stolen from Firstmac's systems, including documents, source code, email addresses, phone numbers, and database backups, one day after they made a claim it had been stolen.

Assessing F Society's Latest Ransomware Targets: Are They at Risk?

 

In recent developments, the F Society ransomware group has once again made headlines by listing four additional victims on its leak site. The alleged targets include Bitfinex, Coinmoma, Rutgers University, and SBC Global Net. Bitfinex, a renowned cryptocurrency exchange platform, and Coinmoma, offering cryptocurrency-related data, are among the victims. 

Rutgers University, one of the oldest universities in the US, and SBC Global Net, an email service once provided by SBC Communications, are also allegedly affected. While the attacks are yet to be officially confirmed, the ransomware group has provided unique descriptions for each victim, along with links to sample data obtained from the attacks. 

Bitfinex was reportedly targeted with the theft of 2.5 TB of information and personal details of 400K users. Rutgers University faced an alleged theft of 1 TB of data, with the specific type of information not disclosed. Coinmoma was claimed to have sensitive data, including user information and transaction histories, compromised, with a file size of 2TB and 210k user records. 

Similarly, SBC Global Net was stated to have unauthorized access, leading to the theft of personal user details, with a file size of 1 TB. Despite these claims, no ransom amount has been publicly mentioned, and the victims are given seven days to comply with the demands, failing which the obtained data will be leaked. 

As of now, there have been no official responses from the victims, and the claims remain unverified. While the authenticity of F Society's claims is uncertain, Bitfinex had previously experienced a significant hacking incident in 2016. During this incident, approximately 119,754 bitcoins were stolen from the platform due to a breach, leading to unauthorized transactions. The stolen bitcoins were later recovered by law enforcement after a thorough investigation, marking one of the largest recoveries in the history of the US Department of Justice. 

However, the perpetrator behind the hack remains unidentified, although it is known that they attempted to cover their tracks using a data destruction tool. The previous security lapse experienced by Bitfinex highlights the importance of robust cybersecurity measures, especially in the realm of cryptocurrency exchanges. As cyber threats continue to evolve, organizations must prioritize the implementation of stringent security protocols to safeguard sensitive data and mitigate the risk of ransomware attacks.
 
Additionally, prompt response and collaboration with law enforcement agencies are essential in investigating such incidents and holding perpetrators accountable for their actions. The recent targeting of prominent entities by the F Society ransomware group underscores the persistent threat posed by cybercriminals. As organizations strive to fortify their defenses against such attacks, proactive measures and swift action are imperative to protect valuable assets and maintain trust among stakeholders in an increasingly digital landscape.

Rising Threat: Hackers Exploit Microsoft Graph for Command-and-Control Operations

 


Recently, there has been a trend among nation-state espionage groups of tapping into native Microsoft services for their command-and-control (C2) operations. Surprisingly, different groups, unrelated to each other, have reached the same conclusion that it is smarter to leverage Microsoft's services instead of creating and managing their own infrastructure. This approach not only saves them money and hassle but also lets their malicious activities blend in more seamlessly with regular network traffic. In this regard, Microsoft Graph plays a major role.
 
Microsoft Graph is like a toolbox for developers, offering an interface to connect to various data such as emails, calendars, and files stored in Microsoft's cloud services. While it is harmless in its intended use, it has also become a tool for hackers to set up their command-and-control (C2) infrastructure using these same cloud services. Recently, Symantec found a new type of malware called "BirdyClient" being used against an organization in Ukraine. This malware uses the Graph API to upload and download files through OneDrive. However, we are still waiting to hear from Microsoft about this.
 
O'Brien emphasizes that organisations must be vigilant regarding unauthorized cloud account usage. Many individuals access personal accounts, like OneDrive, from work networks, which poses a risk as it makes it harder to detect malicious activities. To mitigate this risk, organizations should ensure that connections are limited to their enterprise accounts and implement strict access controls. 

In response to the concerning trend of hackers exploiting Microsoft Graph for command-and-control operations, organizations must prioritize proactive measures to fortify their cybersecurity posture. Firstly, staying vigilant with updates and patches for all Microsoft applications, particularly those related to Microsoft Graph, is imperative. Regularly monitoring network traffic for any anomalies or unauthorized access attempts can also help in the early detection of suspicious activities. Implementing robust access controls and multi-factor authentication protocols can significantly mitigate the risk of unauthorized access to sensitive data through Microsoft Graph. 

Additionally, conducting thorough employee training programs to raise awareness about the potential threats posed by such exploits and promoting a culture of cybersecurity consciousness throughout the organization are indispensable steps in bolstering defenses against cyber threats. By adopting these preventive measures, organizations can effectively safeguard their systems and data from the nefarious intentions of cyber adversaries.

Sweden Faces Influx of DDoS Attacks Following NATO Membership

 


A significant uptick in distributed denial of service (DDoS) attacks has plagued Sweden as the nation navigates its path towards joining NATO, reports network performance management provider Netscout.

The onslaught commenced notably in May 2023, following a colossal 500 Gbps attack targeting Swedish government infrastructure. Subsequent to this initial strike, the frequency and intensity of DDoS assaults against Swedish entities have steadily escalated, reaching a peak in late 2023 with attacks soaring to 730 Gbps.

However, the year 2024 witnessed a further exacerbation of the situation, particularly intensifying from February onwards. On February 14, Sweden’s Foreign Minister hinted at Hungary's support for their NATO bid, serving as a catalyst for a significant event. 

Netscout documented an astounding 1524 simultaneous DDoS attacks targeting Swedish organizations the following day. This surge indicated a marked escalation in tensions and retaliatory actions from various politically motivated hacker groups, as underscored in Netscout's public statement.

The climax of the attacks occurred on March 4, 2024, when Netscout observed an unprecedented 2275 attacks in a single day, marking a staggering 183% increase compared to the same date in the previous year. Remarkably, this surge transpired merely three days before Sweden's formal admission into NATO.

Netscout's analysis has identified several hacker groups involved in these assaults, including NoName057, Anonymous Sudan, Russian Cyber Army Team, and Killnet, all of which are aligned with Russian interests.

The GuptiMiner Attack: Lessons Learned from a Five-Year Security Breach

 

In a startling revelation, security researchers from Avast have uncovered a sophisticated cyberattack that exploited vulnerabilities in the update mechanism of eScan, an antivirus service, for a staggering five years. The attack, orchestrated by unknown hackers potentially linked to the North Korean government, highlights critical flaws in cybersecurity infrastructure and serves as a cautionary tale for both consumers and industry professionals. 

The attackers' modus operandi involved leveraging the inherent insecurity of the HTTP protocol, enabling them to execute man-in-the-middle (MitM) attacks. By intercepting the update packages sent by eScan's servers, the perpetrators clandestinely replaced genuine updates with modified ones containing a nefarious payload known as GuptiMiner. This insidious malware facilitated unauthorized access to and control over infected systems, posing significant risks to end users' privacy and security.

What makes this breach particularly alarming is its longevity and the level of sophistication exhibited by the attackers. Despite efforts by Avast researchers to ascertain the precise method of interception, the exact mechanisms remain elusive. However, suspicions linger that compromised networks may have facilitated the redirection of traffic to malicious intermediaries, underscoring the need for heightened vigilance and robust cybersecurity measures. 

Furthermore, the attackers employed a myriad of obfuscation techniques to evade detection, including DLL hijacking and manipulation of domain name system (DNS) servers. These tactics, coupled with the deployment of multiple backdoors and the inclusion of cryptocurrency mining software, demonstrate a calculated strategy to maximize the impact and stealth of their operations. 

The implications of the GuptiMiner attack extend beyond the immediate scope of eScan's compromised infrastructure. It serves as a stark reminder of the pervasive threat posed by cyber adversaries and the imperative for proactive defense strategies. Moreover, it underscores the critical importance of adopting industry best practices such as delivering updates over secure HTTPS connections and enforcing digital signing to thwart tampering attempts. 

For users of eScan and other potentially affected systems, vigilance is paramount. Avast's detailed post provides essential information for identifying and mitigating the threat, while reputable antivirus scanners are likely to detect the infection. Additionally, organizations must conduct thorough security assessments and implement robust cybersecurity protocols to safeguard against similar exploits in the future. 
 
Ultimately, the GuptiMiner attack serves as a wake-up call for the cybersecurity community, highlighting the pressing need for continuous innovation and collaboration in the fight against evolving threats. By learning from this incident and implementing proactive measures, we can bolster our defenses and mitigate the risk of future breaches. Together, we can strive towards a safer and more resilient digital ecosystem.

Hackers Utilize Antivirus Update Mechanism to Deploy GuptiMiner Malware

 

North Korean hackers have been utilizing the updating system of the eScan antivirus to infiltrate major corporate networks and distribute cryptocurrency miners via the GuptiMiner malware, according to researchers.

GuptiMiner, described as a highly sophisticated threat, possesses capabilities such as performing DNS requests to the attacker's DNS servers, extracting payloads from images, signing its payloads, and engaging in DLL sideloading.

The delivery of GuptiMiner through eScan updates involves a technique where the threat actor intercepts the normal virus definition update package and substitutes it with a malicious one labeled 'updll62.dlz.' This malicious file contains both the required antivirus updates and the GuptiMiner malware disguised as a DLL file named 'version.dll.'

Upon processing the package, the eScan updater unpacks and executes it as usual. At this stage, the DLL is sideloaded by legitimate eScan binaries, granting the malware system-level privileges.

Following this, the DLL retrieves additional payloads from the attacker's infrastructure, establishes persistence on the host through scheduled tasks, manipulates DNS settings, injects shellcode into legitimate processes, utilizes code virtualization, encrypts payloads in the Windows registry, and extracts PEs from PNGs.

To evade sandbox environments, GuptiMiner checks for systems with more than 4 CPU cores and 4GB of RAM, and it also detects the presence of certain security tools such as Wireshark, WinDbg, TCPView, and others, deactivating them if found.

Researchers from Avast suggest a potential link between GuptiMiner and the North Korean APT group Kimsuky, noting similarities in information-stealing functions and the use of common domains.

The hackers deployed multiple malware tools, including enhanced versions of PuTTY Link as backdoors targeting Windows 7 and Windows Server 2008 systems, and a modular malware designed to scan for private keys and cryptocurrency wallets.

Additionally, the XMRig Monero miner was used in some instances, possibly to divert attention from the primary attack.

Following disclosure of the vulnerability to eScan, the antivirus vendor confirmed that the issue was addressed. eScan has implemented more robust checking mechanisms for updates and transitioned to HTTPS for secure communication with clients.

However, despite these measures, new infections by GuptiMiner persist, potentially indicating outdated eScan clients. A list of GuptiMiner indicators of compromise (IoCs) has been provided to aid defenders in mitigating this threat.
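Both GuptiMiner posts above come down to the same defensive point: an update channel that runs over plain HTTP with no signature on the package can be swapped in transit, and the fix is to deliver over HTTPS and to have the client verify a vendor signature before it unpacks or loads anything. The Go program below is an added example of that client-side gate, not eScan's code or its actual update format. It assumes a constructed manifest layout (hex SHA-256 of the package plus an Ed25519 signature over that digest) and a vendor public key pinned in the client; the package bytes and the injected payload are constructed strings. The HTTPS transport is assumed and not shown. It walks through three cases the two posts describe: the genuine package, a package replaced on-path with the manifest left untouched, and a package whose manifest an attacker re-signed with a key of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata a vendor would publish next to each update:
// the SHA-256 of the package and an Ed25519 signature over that digest.
// The layout is constructed for this example, not eScan's actual format.
type Manifest struct {
	SHA256    string // hex-encoded digest of the update package
	Signature []byte // Ed25519 signature over the raw digest bytes
}

var (
	errBadManifest    = errors.New("manifest is malformed")
	errBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	errDigestMismatch = errors.New("package digest does not match the signed manifest")
)

// newVendorKey creates a signing key pair. In a real deployment the public
// half is pinned in the client at build time and the private half never
// leaves the vendor's signing infrastructure.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signManifest is the vendor-side step performed before publishing pkg.
func signManifest(priv ed25519.PrivateKey, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	return Manifest{
		SHA256:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

// verifyUpdate is the client-side gate. It checks that the manifest was signed
// by the pinned vendor key and only then that the downloaded package matches
// the signed digest. A package that fails either check is rejected before the
// updater unpacks or loads anything from it.
func verifyUpdate(vendorPub ed25519.PublicKey, m Manifest, pkg []byte) error {
	digest, err := hex.DecodeString(m.SHA256)
	if err != nil || len(digest) != sha256.Size {
		return errBadManifest
	}
	if !ed25519.Verify(vendorPub, digest, m.Signature) {
		return errBadSignature
	}
	sum := sha256.Sum256(pkg)
	if subtle.ConstantTimeCompare(sum[:], digest) != 1 {
		return errDigestMismatch
	}
	return nil
}

// tamper models the substitution the posts describe: an on-path attacker
// appends their own payload to the package. The manifest is left alone, so
// the digest check catches it. The appended bytes are constructed.
func tamper(pkg []byte) []byte {
	out := append([]byte{}, pkg...)
	return append(out, []byte("\n;; injected payload (constructed)")...)
}

func main() {
	vendorPub, vendorPriv := newVendorKey()
	genuine := []byte("virus-definitions-2024-05 (constructed package bytes)")
	m := signManifest(vendorPriv, genuine)

	fmt.Println("genuine package:  ", verifyUpdate(vendorPub, m, genuine))

	// Case 1: package swapped in transit, manifest untouched.
	fmt.Println("tampered package: ", verifyUpdate(vendorPub, m, tamper(genuine)))

	// Case 2: attacker also replaces the manifest, signed with their own key.
	_, attackerPriv := newVendorKey()
	forged := signManifest(attackerPriv, tamper(genuine))
	fmt.Println("forged manifest:  ", verifyUpdate(vendorPub, forged, tamper(genuine)))
}
```

The order of checks matters: the signature is verified over the digest first, so a manifest the attacker wrote themselves is rejected before the client spends any time hashing a large package, and the digest comparison is constant-time so the check does not leak how many bytes matched. Without a pinned key the second case would pass, which is why "robust checking" of updates has to mean a signature from a key the client already trusts, not just a hash published beside the file.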

Where Hackers Find Your Weak Spots: A Closer Look


Social engineering is one of the most common attack vectors used by cyber criminals to enter companies. These manipulative attacks often occur in four stages: 

  1. Info stealing from targets
  2. Building relationships with target and earning trust
  3. Exploitation: Convincing the target to take an action
  4. Execution: Collected info is used to launch attack 

Five Intelligence Sources

So, how do attackers collect information about their targets? Cybercriminals can employ five types of intelligence to obtain and analyze information about their targets. They are:

1. OSINT (open-source intelligence)

OSINT is the practice of gathering and evaluating publicly available information about organizations and their employees.

OSINT technologies can help threat actors learn about their target's IT and security infrastructure, exploitable assets including open ports and email addresses, IP addresses, vulnerabilities in websites, servers, and IoT (Internet of Things) devices, leaked or stolen passwords, and more. Attackers use this information to conduct social engineering assaults.

2. Social media intelligence (SOCMINT)

Although SOCMINT is a subset of OSINT, it is worth mentioning. Most people freely provide personal and professional information about themselves on major social networking sites, including their headshot, interests and hobbies, family, friends, and connections, where they live and work, current job positions, and a variety of other characteristics. 

Attackers can use SOCMINT software such as Social Analyzer, Whatsmyname, and NameCheckup.com to filter social media activity and information about individuals in order to craft tailored social engineering scams.

3. ADINT (Advertising Intelligence)

Assume you download a free chess app for your phone. A tiny section of the app displays location-based adverts from sponsors and event organizers, informing users about local players, events, and chess meetups. 

When this ad is displayed, the app sends certain information about the user to the advertising exchange service, such as IP addresses, the operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc. 

Ad exchanges typically keep and process this information to serve appropriate adverts depending on user interests, behavior, and geography. Ad exchanges also sell this vital information. 

4. DARKINT (Dark Web Intelligence)

The Dark Web is a billion-dollar illegal marketplace that trades corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, and so on. The Dark Web sells billions of stolen records, including personally identifiable information, healthcare records, financial and transaction data, corporate data, and compromised credentials. 

Threat actors can buy off-the-shelf data and use it for social engineering campaigns. They can even hire professionals to socially engineer people on their behalf or identify hidden vulnerabilities in target businesses. In addition, there are hidden internet forums and instant messaging services (such as Telegram) where people can learn more about possible targets. 

5. AI-INT (artificial intelligence)

In addition to the five basic disciplines, some analysts refer to AI as the sixth intelligence discipline. With recent breakthroughs in generative AI technologies, such as Google Gemini and ChatGPT, it's easy to envisage fraudsters using AI tools to collect, ingest, process, and filter information about their targets. 

Threat researchers have already reported the appearance of dangerous AI-based tools on Dark Web forums such as FraudGPT and WormGPT. Such technologies can greatly reduce social engineers' research time while also providing actionable information to help them carry out social engineering projects. 

What Can Businesses Do to Prevent Social Engineering Attacks?

All social engineering assaults are rooted in information and its negligent treatment. Businesses and employees who can limit their information exposure will significantly lessen their vulnerability to social engineering attacks. Here's how.

Monthly training: Use phishing simulators and classroom training to teach employees not to disclose sensitive or personal information about themselves, their families, coworkers, or the organization.

Draft AI-use policies: Make it plain to employees what constitutes acceptable and unacceptable online activity. For example, it is unacceptable to prompt ChatGPT with a line of code or private data, as well as to respond to strange or questionable queries without sufficient verification.

Utilize the same tools that hackers use: Use the same intelligence sources mentioned above to proactively determine how much information about your firm, its people, and its infrastructure is available online. Create a continuous procedure to decrease this exposure.

Good cybersecurity hygiene begins with addressing the fundamental issues. Social engineering and poor decision-making are to blame for 80% to 90% of all cyberattacks. Organizations must prioritize two objectives: limiting information exposure and managing human behavior through training exercises and education. Organizations can dramatically lower their threat exposure and its possible downstream impact by focusing on these two areas.

Numerous LastPass Users Fall Victim to Highly Convincing Scam, Losing Master Passwords

 

The hackers now have their eyes set on a crucial target: master passwords. These passwords serve as the gateway to password managers, where users store all their login credentials in one secure location. While these managers provide convenience by eliminating the need to remember numerous passwords, they also pose a significant risk. If hackers obtain the master password, they gain access to all associated accounts, potentially wreaking havoc on users' digital lives.

The latest threat, known as CryptoChameleon, has caught the attention of cybersecurity experts. Unlike many cyberattacks, CryptoChameleon doesn't blanket the internet with its malicious activities. Instead, it selectively targets high-value entities like enterprises. David Richardson, vice president of threat intelligence at Lookout, notes that this focused approach makes sense for attackers aiming to extract maximum value from their efforts. For them, gaining access to a password vault is a goldmine of sensitive information ripe for exploitation.

CryptoChameleon's modus operandi involves a series of sophisticated manoeuvres to deceive its victims. Initially, it appeared as just another phishing kit, targeting individuals and organizations with tailored scams. However, its tactics evolved rapidly, culminating in a highly convincing impersonation of legitimate entities like the Federal Communications Commission (FCC). By mimicking trusted sources, CryptoChameleon managed to lure even security-conscious users into its traps.

One of CryptoChameleon's recent campaigns targeted LastPass users. The attack begins with a phone call from a spoofed number, informing the recipient of unauthorized access to their account. To thwart this breach, victims are instructed to press a specified key, which leads to further interaction with a seemingly helpful customer service representative. These agents, equipped with professional communication skills and elaborate scripts, guide users through a series of steps, including visiting a phishing site disguised as a legitimate support page. Unbeknownst to the victims, they end up divulging their master password, giving the attackers unrestricted access to their LastPass account.

Despite LastPass's efforts to mitigate the attack by shutting down suspicious domains, CryptoChameleon persists, adapting to evade detection. While the exact number of victims remains undisclosed, evidence suggests that the scale of the attack could be larger than initially estimated.

Defending against CryptoChameleon and similar threats requires heightened awareness and scepticism. Users must recognize the signs of phishing attempts, such as unsolicited calls or emails requesting sensitive information. Additionally, implementing security measures like multifactor authentication can provide an additional layer of defense against such attacks. However, as demonstrated by the experience of even seasoned IT professionals falling victim to these scams, no defense is foolproof. Therefore, remaining vigilant and promptly reporting suspicious activity is paramount in safeguarding against cyber threats.

Cyberattackers Employ Elusive "CR4T" Backdoor to Target Middle Eastern Governments

 

A recent revelation by Russian cybersecurity firm Kaspersky sheds light on a covert cyber campaign dubbed DuneQuixote, which has been clandestinely targeting government bodies in the Middle East. This campaign involves the deployment of a newly identified backdoor called CR4T.

Kaspersky's investigation, initiated in February 2024, suggests that the operation might have been underway for at least a year prior. The perpetrators have taken sophisticated measures to evade detection, employing intricate methods to shield their implants from scrutiny and analysis.

The attack commences with a dropper, available in two versions: a standard executable or a DLL file, and a manipulated installer for a legitimate software tool called Total Commander. Regardless of the variant, the dropper's main task is to extract a concealed command-and-control (C2) address, utilizing a unique decryption technique to obfuscate the server's location and thwart automated malware analysis tools.

The decryption process involves combining the dropper's filename with snippets of Spanish poetry embedded in its code, followed by calculating an MD5 hash to decode the C2 server address. Upon successful decryption, the dropper establishes connections with the C2 server and fetches a subsequent payload, employing a hardcoded ID as the User-Agent string in HTTP requests.

Kaspersky notes that the payload remains inaccessible unless the correct user agent is provided, indicating a deliberate effort to restrict access. Additionally, the payload may only be downloaded once per victim or for a limited time following the malware's release.

Meanwhile, the trojanized Total Commander installer exhibits some variations while retaining the core functionality of the original dropper. It omits the Spanish poem strings and incorporates additional anti-analysis checks to detect debugging or monitoring tools, monitor cursor activity, check system RAM and disk capacity, among other measures.

CR4T, the central component of the campaign, is a memory-only implant written in C/C++, facilitating command-line execution, file operations, and data transfers between the infected system and the C2 server. Kaspersky also identified a Golang version of CR4T with similar capabilities, including executing arbitrary commands and creating scheduled tasks using the Go-ole library. The Golang variant employs COM object hijacking for persistence and uses the Telegram API for C2 communication, indicating a cross-platform approach by the threat actors.

The presence of the Golang variant underscores the threat actors' ongoing efforts to refine their techniques and develop more resilient malware. Kaspersky emphasizes that the DuneQuixote campaign poses a significant threat to entities in the Middle East, showcasing advanced evasion tactics and persistence mechanisms through the use of memory-only implants and disguised droppers masquerading as legitimate software.

Unveiling the New Era of Hacking Ethics: Profit Over Principles

 

Hacking, once a realm of curiosity-driven exploration, has morphed into a complex ecosystem of profit-driven cybercrime. Originating in the 1960s, hacking was fueled by the insatiable curiosity of a brilliant community known as "hackers." These early pioneers sought to push the boundaries of computing and digital technology, driven by a passion for discovery rather than malicious intent. 

However, the perception of hacking has since undergone a dramatic transformation. Today, the term "hacking" often conjures images of lone individuals in hoodies, exploiting vulnerabilities to steal data or wreak havoc from the safety of dimly lit rooms. While this stereotype may be exaggerated, it reflects a disturbing reality: the rise of cybercriminals who exploit technology for personal gain. 

In recent years, there has been a notable shift in the attitudes and behaviours of hackers, particularly within criminal cyber rings. Once governed by unwritten codes of ethics, these groups are now redefining the rules of engagement, prioritizing profit above all else. What was once considered off-limits—such as targeting hospitals or critical infrastructure—is now fair game for profit-driven hackers, posing significant risks to public safety and national security. 

One of the most alarming trends is the rise of ransomware attacks, where hackers encrypt sensitive data and demand payment for its release. These attacks have become increasingly brazen and aggressive, targeting organizations of all sizes and industries. The Colonial Pipeline attack, while technically not disrupting deliveries, sent shockwaves through the cybersecurity community, highlighting the audacity and impunity of modern cybercriminals. 

Moreover, hackers are no longer content with targeting individuals or businesses just once. Exploiting vulnerabilities multiple times has become commonplace, reflecting a growing sophistication and ruthlessness among cyber criminals. Several factors have contributed to this evolution of hacking ethics. Global tensions, technological advancements, and the proliferation of online platforms have all played a role in shaping the behaviour of modern hackers. 

The accessibility of hacking tools and information has lowered the barrier to entry, attracting individuals of all ages and skill levels to the world of cybercrime. Despite efforts by law enforcement and cybersecurity professionals, the threat of cybercrime continues to loom large. 

Businesses and individuals must remain vigilant, investing in robust cybersecurity measures and staying informed about evolving threats. By understanding the changing landscape of hacking ethics, we can better defend against cyber attacks and protect our digital assets and identities in an increasingly connected world.

Private AI Chatbot Not Safe From Hackers With Encryption


AI assistants have become part of our daily lives in little more than a year and have gained access to our most private information and worries. 

Sensitive information, such as personal health questions and professional consultations, is entrusted to these digital companions. While providers utilize encryption to protect user interactions, new research raises questions about how secure AI assistants may be.

Understanding the attack on AI Assistant Responses

According to a study, researchers have discovered an attack that can predict AI assistant responses with startling accuracy. 

The method uses large language models (LLMs) to refine its results and exploits a side channel present in most major AI assistants, with the exception of Google Gemini.

According to Offensive AI Research Lab, a passive adversary can identify the precise subject of more than half of all recorded responses by intercepting data packets sent back and forth between the user and the AI assistant.

Recognizing Token Privacy

This attack is centered around a side channel that is integrated within the tokens that AI assistants use. 

Responses are streamed in real time as tokens, which are encoded word (or sub-word) units. Because the tokens are delivered one after another, they expose a flaw known as the "token-length sequence": from the sizes of the transmitted packets, attackers can infer the content of the response and jeopardize user privacy.

The Token Inference Attack: Deciphering Encrypted Responses

Researchers use a token inference attack to refine intercepted data by using LLMs to convert token sequences into comprehensible language. 

Yisroel Mirsky, the director of the Offensive AI Research Lab at Ben-Gurion University in Israel, stated in an email that "private chats sent from ChatGPT and other services can currently be read by anybody."

By training LLMs on publicly accessible conversation data, researchers can recover responses with remarkably high accuracy. This technique leverages the predictability of AI assistant replies to enable contextual decryption of encrypted content, similar to a known-plaintext attack.

An AI Chatbot's Anatomy: Understanding of Tokenization

AI chatbots use tokens as the basic building blocks for text processing, which direct the creation and interpretation of conversation. 

To learn patterns and probabilities, LLMs examine large datasets of tokenized text during training. According to Ars Technica, tokens enable real-time communication between users and AI helpers, allowing users to customize their responses depending on environmental cues.

Current Vulnerabilities and Countermeasures

An important vulnerability is the real-time token transmission, which allows attackers to deduce response content based on packet length. 

Sequential delivery reveals answer data, while batch transmission hides individual token lengths. Reevaluating token transmission mechanisms is necessary to mitigate this risk and reduce susceptibility to passive adversaries.
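An added example (not code from the article or the researchers) that models the leak described above: per-token streaming exposes the token-length sequence through record sizes, while batching or padding the stream hides it. The reply, vocabulary and per-record overhead are constructed assumptions.

```python
"""Constructed model of the token-length side channel and two mitigations."""
import math
from typing import List

# Constructed assistant reply, split into tokens by whitespace. Real
# tokenizers use sub-word units, but the length leak works the same way.
SAMPLE_REPLY = "Your test results suggest a mild vitamin D deficiency"
TOKENS = SAMPLE_REPLY.split()

# Assumed constant per-record overhead (framing, headers, MAC). Encryption
# hides the bytes but not their count, so an eavesdropper sees overhead + length.
RECORD_OVERHEAD = 29

# Constructed vocabulary an attacker might match observations against.
VOCAB = ["Your", "test", "results", "suggest", "a", "mild", "vitamin", "D",
         "deficiency", "the", "an", "low", "high", "normal", "iron", "blood"]


def stream_per_token(tokens: List[str], overhead: int = RECORD_OVERHEAD) -> List[int]:
    """Record sizes seen on the wire when each token is sent in its own record."""
    return [overhead + len(t.encode()) for t in tokens]


def stream_batched(tokens: List[str], batch: int,
                   overhead: int = RECORD_OVERHEAD) -> List[int]:
    """Record sizes when `batch` tokens are coalesced into one record."""
    sizes = []
    for i in range(0, len(tokens), batch):
        chunk = tokens[i:i + batch]
        sizes.append(overhead + sum(len(t.encode()) for t in chunk))
    return sizes


def stream_padded(tokens: List[str], block: int,
                  overhead: int = RECORD_OVERHEAD) -> List[int]:
    """Record sizes when every token is padded up to a multiple of `block` bytes."""
    return [overhead + block * math.ceil(len(t.encode()) / block) for t in tokens]


def infer_token_lengths(sizes: List[int], overhead: int = RECORD_OVERHEAD) -> List[int]:
    """Passive adversary's view: strip the constant overhead from each record."""
    return [s - overhead for s in sizes]


def consistent_words(observed: int, block: int = 1) -> List[str]:
    """Vocabulary words whose (padded) length matches one observed record."""
    return [w for w in VOCAB
            if block * math.ceil(len(w.encode()) / block) == observed]


if __name__ == "__main__":
    # Per-token streaming leaks the exact length of every token.
    print("per-token:", infer_token_lengths(stream_per_token(TOKENS)))
    # Batching exposes only the summed length of each group of three tokens.
    print("batched(3):", infer_token_lengths(stream_batched(TOKENS, 3)))
    # Padding to 8 bytes collapses most tokens onto the same observation.
    print("padded(8):", infer_token_lengths(stream_padded(TOKENS, 8)))
    print("candidates for a 4-byte token:", len(consistent_words(4)))
    print("candidates for an 8-byte padded record:", len(consistent_words(8, 8)))
```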

Protecting the Privacy of Data in AI Interactions

Protecting user privacy is still critical as AI helpers develop. Reducing security threats requires implementing strong encryption techniques and improving token delivery mechanisms. 

By fixing flaws and improving data security protocols, providers can maintain users' faith and trust in AI technologies.

Safeguarding AI's Future

A new age of human-computer interaction is dawning with the introduction of AI helpers. But innovation also means accountability. 

Providers need to give data security and privacy top priority as vulnerabilities are found by researchers. Hackers are out there; the next thing we know, they're giving other businesses access to our private chats.

Unveiling the Underbelly of IoT: An In-Depth Analysis of Hacking Risks

 


The Internet of Things (IoT) is easily one of the most versatile technologies in the world today. As network capacity grows and the number and diversity of connected devices increase, the IoT can be scaled and adapted to meet the changing needs of users. Among the industries the IoT has revolutionized are food production, manufacturing, finance, healthcare, and energy. 

Furthermore, it has led to the development of smart buildings, homes, and even cities at the same time. Generally, IoT attacks are malicious attempts to exploit vulnerabilities in devices connected to the internet, for example, smart homes, industrial control systems, and medical devices. There is a possibility that hackers may gain control of the device, steal sensitive information from it, or use the device as part of a botnet to accomplish other malicious acts. 

The term "IoT hacking" is frequently used by researchers to describe the process of removing gadgets, examining their software, and learning how they work. However, there are more challenges involved with IoT hacking than just technical ones. Cyber threats are evolving to reveal a world of virtual battles that go on behind the scenes. Hackers are increasingly targeting IoT (Internet of Things) and OT (Operational Technology) systems, which are extremely important for the future. 

In addition to tech gadgets, they are also the foundation for many services that keep us running in our society and economy. Hackers are not just messing with machines when they target these systems, they are threatening the very services that nations rely on every day. IoT devices can introduce several new and preventable attack vectors when not properly secured. Researchers who work in cybersecurity keep showing that critical systems are being attacked more frequently than they realize.

The risks are not that complicated to identify and understand, for example, operating systems that are not patched or insecure passwords that make it easy for brute force attackers to find them. A security team must take into account both simple and complex risk factors specific to the world of IoT to manage the operational reliance on these devices in virtually every industry. There are a few security risks and attacks associated with IoT that people should be aware of. 

Botnets 

Because IoT devices often lack built-in security mechanisms, they are particularly vulnerable to malware compared with more advanced machines and computers that have them. They are generally built with functionality as the priority, which means they usually do not offer the storage space or processing power that computers do. In light of this, attackers tend to view IoT devices as low-hanging fruit that they can easily attack. 

IoT devices should be secured properly to protect them from botnets, and to prevent them from getting into the wrong hands. Companies must keep a plan in place to detect and respond to DDoS attacks, as well as to change default passwords, keep firmware up to date, and limit access to the device. 

Ransomware 

While IoT devices do not typically store valuable data locally, that doesn’t mean they are immune to ransomware attacks. Rather than holding data for ransom, ransomware attacks on IoT devices usually disable the device's core functionality instead of stealing information. The most effective way to do that is to shut down an industrial device without which fundamental business operations are impossible, or to stop a camera or microphone from recording the feed it monitors. 

Several security flaws in IoT devices can affect companies. One keen-eyed researcher discovered a big security hole in a popular broadcasting device that sends audio over the internet. The researchers did the right thing and notified the device manufacturer that the problem was an OS command injection, a serious issue because it lets hackers take control of the device. 

The vendor tried to fix the problem with a software update so that an outsider could no longer exploit it. Companies often take quick measures to close security gaps when they learn of them, but such fixes are frequently like putting a band-aid on a wound without actually treating it. 

Many people have witnessed how a company patched a device so that it looked safe from the outside, but the same problems were still there once people got inside. In some cases, fixes do not solve the problem. They just hide it and do not take care of it. As a result, it is as if one locks the front door and leaves the back door wide open at the same time. 

In today's digital world, ensuring the safety of the IoT world cannot be done by one individual. For this to work, it needs to be a team effort between the manufacturers, security experts, and even the government itself. The biggest priorities should be setting strict security rules, being open about the problems they find, and helping all of the people in the organization understand how they can be protected. 

As people move through the tricky territory of this online and offline world, they must do a lot more to look after the two worlds simultaneously to get the best outcome. To make sure that their connected devices are protected and managed effectively, they must be proactive and take an all-in approach.

5 Simple Steps to Bulletproof Your API Integrations and Keep Hackers at Bay


In today's tech-driven world, APIs (Application Programming Interfaces) are like the connective tissue that allows different software to talk to each other, making our digital experiences seamless. But because they are so crucial, they are also prime targets for hackers. 

They could break in to steal sensitive data, tamper with systems, or even shut down services. That is why it is so important for companies to strengthen their API security, protecting our information and keeping everything running smoothly; this is where secure API integration comes in. 

Let’s Understand What Secure API Integration Is and Why It Is Important 

API integrations are made secure through a combination of measures designed to protect the data and systems involved. This includes using encryption to safeguard information as it travels between systems, implementing authentication and authorization protocols to ensure that only authorized users and applications can access the API, and regularly monitoring for any suspicious activity or attempted breaches. 

Additionally, following best practices in API design and development, such as limiting the data exposed through the API and regularly updating and patching any security vulnerabilities, helps to further enhance security. Overall, a multi-layered approach that addresses both technical and procedural aspects is key to ensuring the security of API integrations. 

Here Are Five Ways to Keep API Integrations Secure: 


Use an API Gateway: Think of it as the guardian of your APIs. It keeps an eye on who is trying to access your data and blocks anyone suspicious. Plus, it logs all the requests, so you can check who has been knocking on your digital door. 

Set Scopes for Access: Just because someone was allowed in does not mean they can see everything. Scopes make sure they only get access to the stuff they really need, like a limited view of a database. It is like giving someone a key to one room instead of the whole house. 

Keep Software Updated: You know those annoying software updates that pop up? They are actually super important for security. They fix any holes that hackers might try to sneak through. So, always hit that update button. 

Enforce Rate Limits: Imagine a crowded street during rush hour. Rate limits make sure not too many cars (or requests) clog up the road at once. It helps prevent crashes and slowdowns, making sure everyone can get where they need to go smoothly. 

Monitor Logs with SIEM: It is like having a security guard watching CCTV cameras for any suspicious activity. SIEM collects all the logs from API calls and flags anything fishy. So, if someone is trying to break in, you will know right away and stop them in their tracks.
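The five measures above, shown together in an added example (not code from the article): a minimal in-process gateway that rejects unknown tokens, enforces per-route scopes, applies a sliding-window rate limit, and writes an audit log that a SIEM-style rule can inspect. Tokens, scopes, routes and limits are constructed assumptions.

```python
"""Constructed API gateway demonstrating scopes, rate limits and audit logging."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed bearer tokens and the scopes each was issued with.
TOKEN_SCOPES: Dict[str, Set[str]] = {
    "tok-reader": {"orders:read"},
    "tok-admin": {"orders:read", "orders:write"},
}

# Route table: each endpoint names the single scope it requires.
ROUTES: Dict[Tuple[str, str], str] = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # forget timestamps that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class Gateway:
    """The 'guardian' in front of the API: authenticate, authorize, limit, log."""

    def __init__(self, limit: int = 5, window: float = 60.0) -> None:
        self.limiter = SlidingWindowLimiter(limit, window)
        self.audit: List[dict] = []  # every decision, as a SIEM would collect it

    def handle(self, token: Optional[str], method: str, path: str, now: float) -> int:
        """Return the HTTP status the gateway would send for this request."""
        client = token or "anonymous"
        if not self.limiter.allow(client, now):
            status = 429  # too many requests in the window
        elif token not in TOKEN_SCOPES:
            status = 401  # unknown or missing token
        elif (method, path) not in ROUTES:
            status = 404
        elif ROUTES[(method, path)] not in TOKEN_SCOPES[token]:
            status = 403  # authenticated, but outside the token's scopes
        else:
            status = 200
        self.audit.append({"ts": now, "client": client, "method": method,
                           "path": path, "status": status})
        return status


def flag_suspicious(audit: List[dict], threshold: int = 3) -> Set[str]:
    """SIEM-style rule: clients with `threshold` or more 401/403 denials."""
    denials: Dict[str, int] = defaultdict(int)
    for entry in audit:
        if entry["status"] in (401, 403):
            denials[entry["client"]] += 1
    return {client for client, count in denials.items() if count >= threshold}


if __name__ == "__main__":
    gw = Gateway(limit=3, window=60.0)
    for t, (tok, method) in enumerate([("tok-reader", "GET"), ("tok-reader", "POST"),
                                       ("bogus", "GET"), ("tok-reader", "GET"),
                                       ("tok-reader", "GET"), ("tok-reader", "GET")]):
        print(tok, method, "->", gw.handle(tok, method, "/orders", float(t)))
    print("flagged:", flag_suspicious(gw.audit, threshold=1))
```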

Tax Season Vigilance: Guarding Against Fraudulent Schemes

 


When people think about filing taxes, they get stressed out and intimidated. In this respect, they may be more susceptible to deception, including scammers' attempts to obtain valuable personal information from them, claim refunds under their names, and trick them into paying for fraudulent tax services, among others.

Scammers begin their campaigns at the start of tax season, which opened on Jan. 29 when the Internal Revenue Service began accepting and processing federal income tax returns for 2023. The IRS expects more than 146 million individual returns to be filed by the April 15 due date. 

The Federal Trade Commission's Division of Financial Practices, led by an attorney who is a former employee of the agency, says that scammers use tax time to steal personal and financial information from individuals. 

To accomplish this, they pose as representatives of the Internal Revenue Service (IRS) and make people hand over their Social Security number and bank account information by contacting them over the phone using various high-pressure tactics. 

To maintain the trust of consumers, the IRS will not use aggressive techniques to obtain a taxpayer's personal information; it initiates contact by letter. There are certain circumstances in which the IRS may call a taxpayer, but in most cases it will send mail notices first as a prelude to the call. 

There have been a disturbing number of instances where people have been defrauded through the mail as well. It has been reported that in 2023 a scam in the mail was perpetrated by spoofing the IRS masthead, informing recipients that they had unclaimed refunds. There was a request in the letter for taxpayers to call a number to figure out more details, and also a request to provide sensitive information such as a photograph of the taxpayer's driver's license. 

Dwyer says scammers also spoof IRS caller IDs, among other sophisticated tricks for fooling consumers: the caller ID is altered so that the call appears to come from the IRS rather than from an unknown number. 

When such a call comes in, Dwyer advises letting it go to voicemail and then searching online to see whether the number has already been reported as part of a scam before deciding whether to answer. Scammers are also capable of sending emails that masquerade as IRS correspondence, with email addresses, signatures, and logos that appear authentic but are fakes. 

They may ask recipients to enter personal information on fraudulent websites when they click on the links in these emails. If a consumer has not heard back from the government agency about their tax filing or refund, they should generally view any phone calls or emails claiming to come from the IRS as highly suspicious. 

In refund fraud, the scammer files a return in the consumer's name, supplies bank account information for the refund, and the IRS pays that refund out electronically to the scammer. There is no way to accomplish this without stolen personal information, including a Social Security number. 

By filing your taxes as soon as possible, you can help prevent this outcome from occurring in the future. The consumer would not be made aware of the theft of their refunds until they attempt to file their tax returns after the refund has been stolen. Moreover, it would be a good idea to avoid sharing any personal information with identity thieves which would allow them to file a fake tax return to claim a refund that is not theirs. 

Scammers who pose as someone else to ask for sensitive information are not restricted to tax season, so be mindful of such requests throughout the year. Individuals who have fallen victim to identity theft, or who know their sensitive data has been breached, are advised to exercise heightened caution and consider using a credit monitoring service to find out whether their information has been used to open unauthorized accounts. 

Those affected by identity theft can leverage the services offered by the Federal Trade Commission's (FTC) website, IdentityTheft.gov, to formally report the theft and access a comprehensive recovery plan. This plan guides individuals through crucial tasks such as closing compromised accounts, rectifying inaccuracies in credit reports, and reporting the misuse of a Social Security number. 

For taxpayers grappling with the repercussions of a scam affecting their tax returns, seeking assistance from the federal Taxpayer Advocate Service is recommended. This independent organization, affiliated with the Internal Revenue Service (IRS), extends support to taxpayers unable to independently resolve tax-related issues. Advocates from this service are available to provide guidance and assistance in navigating challenges stemming from fraudulent activities.

Hackers Steal Nearly $10 Million from Axie Infinity Co-founder’s Personal Accounts

 

A significant amount of cryptocurrency, valued at nearly $10 million, has been reported stolen from personal accounts belonging to Jeff "Jihoz" Zirlin, one of the co-founders associated with the video game Axie Infinity and its affiliated Ronin Network.

According to reports, Zirlin's wallets were compromised, resulting in the theft of 3,248 ethereum coins, equivalent to approximately $9.7 million. Zirlin took to social media to confirm the incident, stating that two of his accounts had been breached. 

However, he emphasized that the attack solely targeted his personal accounts and did not affect the validation or operations of the Ronin chain or Axie Infinity, as reiterated by Aleksander Larsen, another co-founder of the Ronin Network.

The method through which the intruders gained access to Zirlin's wallets remains unclear. The Ronin Network serves as the underlying infrastructure for Axie Infinity, a game renowned for its play-to-earn model based on ethereum, particularly popular in Southeast Asia. 

Notably, the system had previously fallen victim to a $600 million cryptocurrency heist in March 2022, an attack attributed by U.S. prosecutors to the Lazarus Group, a cybercrime operation allegedly backed by North Korea.

Analysts tracking the recent theft traced the stolen funds to activity on Tornado Cash, a cryptocurrency mixer designed to obfuscate the origin of funds. It's worth noting that Lazarus had previously utilized this mixer to launder proceeds from the 2022 hack. The U.S. government, in response, had separately imposed sanctions on Tornado Cash.

Blockchain investigator PeckShield described the incident as a "wallet compromise," the term used when an attacker gains control of a wallet's signing keys rather than exploiting a bug in a protocol or smart contract; how the keys were obtained has not been disclosed. Despite the breach, Zirlin assured stakeholders that strict security controls remain in place for all activity on the Ronin chain.

Cybercriminals Exploit Google Cloud Run in Extensive Banking Trojan Scheme


Security experts have issued a warning about hackers exploiting Google Cloud Run to distribute significant amounts of banking trojans such as Astaroth, Mekotio, and Ousaban.

Google Cloud Run is Google's managed platform for running containerised services, websites, and applications without having to operate the underlying infrastructure or handle scaling.

Starting in September 2023, researchers from Cisco Talos observed a notable surge in the misuse of the service to spread malware, with Brazilian actors running campaigns that deliver their payloads as MSI installer files. According to the researchers, the service is attractive to these criminals because it is cheap and because links to a trusted Google-owned domain tend to pass through conventional email and web security controls.

The attack methodology typically begins with phishing emails sent to potential victims, disguised to resemble authentic communications such as invoices, financial statements, or messages from local government and tax authorities. While most emails in these campaigns are in Spanish to target Latin American countries, some also use Italian. These emails contain links that redirect to malicious web services hosted on Google Cloud Run.

In certain instances, the malware payload is delivered through MSI files, while in others, the service redirects to a Google Cloud Storage location, housing a ZIP archive containing a malicious MSI file. Upon execution of these malicious files, additional components and payloads are downloaded and executed on the victim's system.
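The delivery chain above (a link to a Cloud Run service, followed by an MSI served directly or a ZIP fetched from Cloud Storage) leaves a recognisable sequence in web-proxy logs. The following PowerShell script is an added example, not code from the page or from Cisco Talos: it parses a constructed proxy log and reports clients that requested a Cloud Run host and, within a short window, downloaded an MSI or ZIP from that host or from Cloud Storage. The log format, the client addresses, the hostnames under `run.app` and `storage.googleapis.com`, and the 120-second window are all assumptions chosen for illustration (`run.app` is the default domain Cloud Run assigns to services; a service behind a custom domain would not be caught by this rule).

```powershell
# Added example, not from the page or the Cisco Talos report: flag the delivery chain
# described above (link to a Cloud Run service, then an MSI or ZIP fetched from that
# service or from Cloud Storage) in web-proxy logs. The log format, the host names,
# the 120-second window and the log lines themselves are constructed for illustration.

$sampleProxyLog = @'
2023-09-18T10:02:11Z 10.1.4.22 GET https://mail.example.test/inbox 200
2023-09-18T10:02:40Z 10.1.4.22 GET https://factura-pago-abc123-uc.a.run.app/ 302
2023-09-18T10:02:41Z 10.1.4.22 GET https://storage.googleapis.com/fact-2023/Factura_0918.zip 200
2023-09-18T10:05:03Z 10.1.4.57 GET https://intranet.example.test/ 200
2023-09-18T10:07:15Z 10.1.4.57 GET https://comprovante-xyz-rj.a.run.app/download 200
2023-09-18T10:07:16Z 10.1.4.57 GET https://comprovante-xyz-rj.a.run.app/Comprovante.msi 200
2023-09-18T11:15:00Z 10.1.4.90 GET https://docs-demo-ab12-uc.a.run.app/ 200
2023-09-18T11:40:02Z 10.1.4.90 GET https://storage.googleapis.com/pub-assets/readme.zip 200
'@

function Find-CloudRunDeliveryChains {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $WindowSeconds = 120
    )
    # Expected record: "<ISO-8601 timestamp> <client IP> <method> <URL> <status>"
    $events = foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s*$') {
            [pscustomobject]@{
                Time   = [datetimeoffset]::Parse($Matches[1]).UtcDateTime
                Client = $Matches[2]
                Url    = $Matches[4]
                Status = [int]$Matches[5]
            }
        }
    }

    $cloudRun = '^https?://[^/]+\.run\.app/'          # default Cloud Run service hostnames
    $storage  = '^https?://storage\.googleapis\.com/'  # Cloud Storage objects
    $payload  = '\.(msi|zip)(\?|$)'                     # installer or archive download

    foreach ($group in ($events | Group-Object -Property Client)) {
        $byTime = @($group.Group | Sort-Object -Property Time)
        foreach ($dl in $byTime) {
            # Candidate payload: an MSI or ZIP served by Cloud Run or Cloud Storage
            if ($dl.Url -notmatch $payload) { continue }
            if (($dl.Url -notmatch $cloudRun) -and ($dl.Url -notmatch $storage)) { continue }

            # Earliest Cloud Run request by the same client inside the window
            # (the download itself counts when Cloud Run served it directly).
            $start = $dl.Time.AddSeconds(-$WindowSeconds)
            $entry = $byTime | Where-Object {
                $_.Url -match $cloudRun -and $_.Time -ge $start -and $_.Time -le $dl.Time
            } | Select-Object -First 1
            if (-not $entry) { continue }

            [pscustomobject]@{
                Client      = $group.Name
                CloudRunUrl = $entry.Url
                PayloadUrl  = $dl.Url
                GapSeconds  = [int]($dl.Time - $entry.Time).TotalSeconds
            }
        }
    }
}

Find-CloudRunDeliveryChains -Lines ($sampleProxyLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample data the function reports two chains (10.1.4.22, a Cloud Run redirect followed one second later by a ZIP from Cloud Storage, and 10.1.4.57, an MSI served by the Cloud Run host itself) and ignores 10.1.4.90, whose ZIP download comes 25 minutes after its Cloud Run visit. Feed real logs with `Get-Content` after adjusting the record regex to your proxy's format; the rule is a triage signal, since Cloud Run and Cloud Storage also carry plenty of legitimate installers.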

Furthermore, the malware establishes persistence so that it survives reboots by dropping LNK files (Windows shortcuts) into the Startup folder, each configured to launch a PowerShell command that re-runs the infection script at logon.
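That persistence mechanism is easy to hunt for, because a shortcut in a Startup folder that launches PowerShell with loader-style switches is rare on a healthy workstation. The script below is an added example, not code from the page or from Cisco Talos: it resolves every `.lnk` in the per-user and all-users Startup folders through the `WScript.Shell` COM object and reports those whose target or arguments invoke PowerShell with a hidden window, an execution-policy bypass, an encoded command, or an in-memory download-and-execute. The list of switches it looks for is an assumption chosen for illustration.

```powershell
# Added example (not from the page or the Cisco Talos report): hunt for the persistence
# pattern described above, a Windows shortcut (.lnk) in a Startup folder whose target
# launches PowerShell with switches typical of a loader. The switch list is an
# assumption chosen for illustration; tune it to your environment.

function Find-SuspiciousStartupShortcuts {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),       # current user's Startup folder
        [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
    )
    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
            # CreateShortcut on an existing .lnk loads it rather than creating a new one
            $lnk     = $shell.CreateShortcut($file.FullName)
            $cmdLine = '{0} {1}' -f $lnk.TargetPath, $lnk.Arguments

            # Does the shortcut launch PowerShell at all? (-match is case-insensitive)
            $launchesPowerShell = $cmdLine -match '\b(powershell|pwsh)(\.exe)?\b'

            # Switches a loader typically uses: hidden window, execution-policy bypass,
            # no profile, non-interactive, encoded command, or download-and-run in memory.
            $loaderSwitches = $cmdLine -match '(-w\w*\s+hidden|-ex\w*\s+bypass|-ep\s+bypass|-nop\b|-noni\w*|-e(c|nc|ncodedcommand)?\s+\S|\biex\b|invoke-expression|downloadstring|frombase64string)'

            if ($launchesPowerShell -and $loaderSwitches) {
                [pscustomobject]@{
                    Shortcut    = $file.FullName
                    Target      = $lnk.TargetPath
                    Arguments   = $lnk.Arguments
                    WorkingDir  = $lnk.WorkingDirectory
                    Created     = $file.CreationTime
                    LastWritten = $file.LastWriteTime
                }
            }
        }
    }
}

$findings = @(Find-SuspiciousStartupShortcuts)
if ($findings.Count -eq 0) {
    Write-Output 'No Startup shortcuts launching PowerShell with loader-style switches found.'
} else {
    $findings | Format-List
}
```

Run it in an elevated session so the all-users Startup folder is readable, and treat the creation timestamp of any hit as the pivot for the rest of the investigation (which MSI ran at that time, which user session, which URL the proxy saw just before). A shortcut whose arguments are long and Base64-looking is the typical encoded-command case; decode them with `[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(...))` before deciding what the loader does.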

The campaigns exploiting Google Cloud Run involve three primary banking trojans: Astaroth/Guildma, Mekotio, and Ousaban. Each of these trojans is designed to infiltrate systems covertly, establish persistence, and extract sensitive financial data, which can be utilized for unauthorized access to banking accounts.

Astaroth employs advanced evasion techniques and has expanded its targets beyond Brazil to encompass over 300 financial institutions across 15 Latin American countries. It has recently begun targeting credentials for cryptocurrency exchange services.

Similarly, Mekotio, active for several years, focuses on the Latin American region, specializing in stealing banking credentials, personal information, and executing fraudulent transactions.

Ousaban, another banking trojan, conducts keylogging, captures screenshots, and engages in phishing for banking credentials using counterfeit banking portals. Cisco Talos suggests a potential collaboration between the operators of Astaroth and Ousaban due to the latter being delivered in the later stages of the former's infection chain.

In response to these findings, Google has taken action by removing the malicious links and is exploring ways to enhance its mitigation efforts to combat such malicious activities.