Search This Blog

Showing posts with label Hackers. Show all posts

Welcome “Frappo”: Resecurity Discovered a New Phishing-as-a-Service

 

The Resecurity HUNTER squad discovered "Frappo," a new underground service available on the Dark Web. "Frappo" is a Phishing-as-a-Service platform that allows fraudsters to host and develop high-quality phishing websites that imitate significant online banking, e-commerce, prominent stores, and online services in order to steal client information. 

Cybercriminals created the platform in order to use spam campaigns to spread professional phishing information. "Frappo" is widely advertised on the Dark Web and on Telegram, where it has a group of over 1,965 members where hackers discuss their success in targeting users of various online sites. The service first appeared on the Dark Web on March 22, 2021, and has been substantially updated. The most recent version of the service was registered on May 1, 2022. 

"Frappo" allows attackers to operate with stolen material in an anonymous and encrypted manner. It offers anonymous billing, technical assistance, upgrades, and a dashboard for tracking acquired credentials. "Frappo" was created as an anonymous cryptocurrency wallet based on a Metamask fork. It is totally anonymous and does not require a threat actor to create an account. 

Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi, and Bank of America are among the financial institutions (FIs) for which the service creates phishing pages. The authors of "Frappo" offer hackers a variety of payment options based on the length of their subscription.  "Frappo," works like SaaS-based services and platforms for legitimate enterprises, enabling hackers to reduce the cost of developing phishing kits and deploy them on a larger scale. Notably, the phishing page deployment procedure is totally automated, since "Frappo" uses a pre-configured Docker container and a secure route to gather compromised credentials through API. 

Once "Frappo" is properly configured, statistical data such as how many victims opened the phishing page, accessed authorisation and input credentials, uptime, and the server status will be collected and visualised. Compromised credentials will appear in the "Logs" area alongside further information about each victim, such as IP address, User-Agent, Username, Password, and so forth. The phishing pages (or "phishlets") that have been discovered are of high quality and include interactive scenarios that fool victims into providing authorization credentials. 

Threat actors have successfully leveraged services like "Frappo" for account takeover, business email compromise, and payment and identity data theft. Cybercriminals use sophisticated tools and methods to assault consumers all over the world. Digital identity protection has become one of the top objectives for online safety, and as a result, a new digital battleground emerges, with threat actors looking for stolen data.

Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc. stated, “Resecurity is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed.”

OpenSea Warns of Discord Channel Hack

 

The nonfungible token (NFT) marketplace OpenSea had a server breach on its primary Discord channel, with hackers posting phoney "Youtube partnership" announcements. A screenshot shared on Friday reveals a phishing site linked to fraudulent collaboration news. 

The marketplace's Discord server was hacked Friday morning, according to OpenSea Support's official Twitter account, which urged users not to click links in the channel. OpenSea has "partnered with YouTube to bring their community into the NFT Space," according to the hacker's original post on the announcements channel. 

It also stated that they will collaborate with OpenSea to create a mint pass that would allow holders to mint their project for free. The attacker appeared to have been able to stay on the server for a long time before OpenSea staff was able to recover control. The hacker uploaded follow-ups to the initial totally bogus statement, reiterating the phoney link and saying that 70% of the supply had already been coined, in an attempt to generate "fear of missing out" in the victims. 

The scammer also tried to persuade OpenSea users by claiming that anyone who claimed the NFTs would receive "insane utilities" from YouTube. They state that this offer is one-of-a-kind and that there would be no other rounds to engage in, which is typical of scammers. As of this writing, on-chain data indicates that 13 wallets have been infiltrated, with the most valued stolen NFT being a Founders' Pass worth about 3.33 ETH ($8,982.58). 

According to initial reports, the hacker used webhooks to get access to server controls. A webhook is a server plugin that lets other software get real-time data. Hackers are increasingly using webhooks as an attack vector since they allow them to send messages from official server accounts. The OpenSea Discord server isn't the only one that uses webhooks. 

In early April, a similar flaw enabled the hacker to utilise official server identities to post phishing links on several popular NFT collections' channels, including Bored Ape Yacht Club, Doodles, and KaijuKings.

Anonymous Hacks Russian Energy Companies, Leaking 1Million+ Emails

 

Anonymous claims to have hacked into Russian energy businesses in order to expose emails and continue its cyberwar on Ukraine. On Twitter, the hacker collective claimed to have exposed over 1 million emails from ALET, a Russian customs broker for gasoline and energy firms. 

The tweet stated, "NEW: #Anonymous hacked nearly 1.1 million emails (1.1 TB of data) from ALET, a Russian customs broker for companies in the fuel and energy industries, handling exports and customs declarations for coal, crude oil, liquefied gases and petroleum products."

DDoSecrets, an organisation co-founded by Emma Best and dedicated to comprehensive data transparency in the public interest, disclosed the breach. 

What is ALET? 

ALET is a customs broker based in Russia. It manages exports and customs declarations for petroleum products, coal, liquefied gases, and crude oil for enterprises in the fuel and energy industry. It has worked with 400 businesses and filed 119,000 customs declarations since 2011 with oil products accounting for the majority of its revenues. Gazprom, Gazprom Neft, and Bashneft have all recommended it.

Anonymous has threatened to fight a cyberwar against Putin since the start of the Russia-Ukraine conflict. So far, it has lived up to that promise. Not only has the organisation disclosed Russian information, but it has also infiltrated Russian organisations in order to inform citizens about what is happening outside the nation. 

Anonymous is best known for hacking Russian streaming sites and TV networks in order to show Russian residents what was going on in Ukraine. Last week, the group hacked Enerpred, Russia's largest hydraulic equipment manufacturer dealing in the energy, coal, gas, oil, and construction industries, and stole 645,000 emails (up to 432GB of data).

The company's headquarters are in Irkutsk, Eastern Siberia's capital, and offices in major Russian cities including Moscow and St. Petersburg. DDoSecrets' (Distributed Denial of Secrets) website has the leaked data.

Hackers Sneak 'More_Eggs' Malware Into Resumes Sent to Corporate Hiring Managers

 

A year after potential candidates looking for work on LinkedIn were tempted with weaponized job offers, a new series of phishing assaults carrying the more eggs malware has been detected attacking corporate hiring supervisors with false resumes as an infection vector. 

Keegan Keplinger, eSentire's research and reporting lead said in a statement, "This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting job seekers with fake job offers."
 
Four separate security events were identified and disrupted, according to the Canadian cybersecurity firm, three of which happened towards the end of March. A U.S.-based aerospace company, a U.K.-based accounting firm, a legal firm, and a hiring agency, all based in Canada, are among the targets. 

The malware, which is thought to have been created by a threat actor known as Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing sensitive data and lateral movement across a hacked network. 

Keplinger stated, "More_eggs achieves execution bypassing malicious code to legitimate windows processes and letting those windows processes do the work for them."
 
The goal is to leverage the resumes as a decoy to launch the malware and sidestep detection. Apart from the role reversal in the mode of operation, it's unclear what the attackers were after, given that the attacks were stopped before they could carry out their intentions. However, it's worth noting that, once deployed, more eggs might be used as a launchpad for further assaults like data theft and ransomware. 

"The threat actors behind more_eggs use a scalable, spear-phishing approach that weaponizes expected communications, such as resumes, that match a hiring manager's expectations or job offers, targeting hopeful candidates that match their current or past job titles," Keplinger stated.

New Spear Phishing Campaign Targets Russian Dissidents

 

In Russia, a new spear-phishing campaign targeting dissenters with alternative views to those presented by the state and national media over the war in Ukraine is underway. The campaign distributes emails to government personnel and public servants, alerting them about software and online platforms that are illegal in the country. 

The mails contain a malicious attachment or link that sends a Cobalt Strike beacon to the recipient's computer, allowing remote operators to execute eavesdropping on the victim. The campaign was discovered and reported on by Malwarebytes Labs threat analysts, who were able to sample some of the bait emails. 

Various phishing methods

To persuade recipients to open the attachment, the phishing emails pretend to be from a Russian state organisation, ministry, or federal service. The main two spoofed organizations are the "Russian Federation Ministry of Information Technologies and Communications" and the "Russian Federation Ministry of Digital Development, Communications, and Mass Communications." 

To attack their targets with Cobalt Strike, the threat actors use three different file types: RTF (rich text format) files, archive attachments of malicious documents, and download links inserted in the email body. Since it involves the exploitation of CVE-2021-40444, a remote code execution flaw in the rendering engine used by Microsoft Office documents, the case of RTFs is the most interesting. 

All of the phishing emails are written in Russian, as expected, and they appear to have been created by native speakers rather than machine translated, implying that the campaign is being spearheaded by a Russian-speaking individual. Malwarebytes discovered simultaneous attempts to spread a deeply obfuscated PowerShell-based remote access trojan (RAT) with next-stage payload fetching capabilities in addition to Cobalt Strike. 

The campaign's targets are mostly employed by the Russian government and public sector, including the following organisations: 
  • Portal of authorities of the Chuvash Republic Official Internet portal
  • Russian Ministry of Internal Affairs
  • ministry of education and science of the Republic of Altai
  • Ministry of Education of the Stavropol Territory
  • Minister of Education and Science of the Republic of North Ossetia-Alania
  • Government of Astrakhan region
  • Ministry of Education of the Irkutsk region
  • Portal of the state and municipal service Moscow region
  • Ministry of science and higher education of the Russian Federation
As per the aforementioned organisations, phishing actors target persons in crucial positions who could cause problems for the central government by stirring anti-war movements.

Ukraine’s “IT Army” Struck with Info-stealing Malware

 

Pro-Ukrainian actors should be cautious of downloading DDoS tools to attack Russia, according to security experts, because they could be booby-trapped with data-stealing malware. 

Mykhailo Fedorov, Ukraine's vice prime minister, called for a volunteer "IT army" of hackers to DDoS Russian targets in late February. Cisco Talos, on the other hand, claims that opportunistic cyber-criminals are attempting to take advantage of the subsequent outpouring of support for the Eastern European country. It specifically detected Telegram posts offering DDoS tools that were actually malware-loaded. An organisation calling itself "disBalancer" offers one such tool, named "Liberator,". Although authentic, has been spoofed by others, according to Cisco. 

It explained, “The file offered on the Telegram page ended up being malware, specifically an infostealer designed to compromise unwitting users. The malware, in this case, dumps a variety of credentials and a large amount of cryptocurrency-related information, including wallets and metamask information, which is commonly associated with non-fungible tokens (NFTs).” 

Since none of the malicious spoofs is digitally signed, there is no way to distinguish them apart from the real DDoS tool, according to the vendor. Because the perpetrators of this harmful behaviour have been disseminating infostealers since November, Cisco concluded that it is not the work of fresh people, but rather those aiming to profit from the Ukraine conflict. 

However, Cisco warned that if Russia is subjected to a continuous DDoS attack, such techniques could proliferate. 

It concluded, “In this case, we found some cyber-criminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state. We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.” 

The discovery comes as the Russian government revealed this week that hackers targeted an externally loaded widget used to collect visitor statistics and caused temporary disruptions on numerous agency websites. 

Pro-Ukrainian hacktivists have also been seen searching for and deleting Russian cloud databases, according to security researchers.

 Cyberattack Logan Health and Server Intrusion 

 

A sophisticated intrusion on the IT systems resulted in the compromise of a file server containing protected health information of Logan Health Medical Center which recently notified 213,543 patients, workers, and business associates warning the personal and health data may have been accessed by criminals.

Logan Health Medical Center, according to a letter, first observed evidence of illegal behavior on one of its servers on November 22, 2021. As a result, the hospital solicited the help of outside forensic experts to investigate the magnitude of the event and as to whether any sensitive personal information had been exposed. 

Logan Health CEO Craig Lambrecht reminded staff of its "vital responsibility in protecting patients' sensitive health information" in an email to employees, as well as a series of reminders on password security and responding with emails from unknown senders. 

Logan Health Medical Center confirmed on January 5, 2022, how an unauthorized party had gained access to files containing protected health information about specific staff and patients. On February 22, 2022, Logan Health began sending out data breach notification letters to all factions whose knowledge was contained in the affected files. 

After gaining access to a computer network, a cybercriminal can see and delete any data stored on the stolen servers. While most organizations can determine which files were accessed in the event of a data breach, it may not be able to determine which files the hacker really visited or whether any data was removed. 

The investigation into the Logan Health Medical Center data breach is still in its early stages. There is currently no proof of Logan Health being legally liable for the data breach. However, as more information about the breach surfaces, this could change. 

You can defend oneself from data theft or other forms of fraud by doing the following:

  • Determine what information has been tampered with.
  • Limit Who Has Access to Your Accounts in the future. 
  • Take steps to safeguard your credit and financial accounts.
  • Monitor your credit report and financial accounts regularly.

Researchers Disclosed Details of NSA Equation Group’s Bvp47 Backdoor

 

Pangu Lab researchers have revealed information of a Linux top-tier APT backdoor dubbed as Bvp47, which is linked to the US National Security Agency (NSA) Equation Group. 

The term "Bvp47" is derived from several references to the string "Bvp" and the numerical figure "0x47" used in the encryption algorithm. The Bvp47 backdoor was first identified in 2013 during a forensic examination into a security breach at a Chinese government entity. The backdoor was discovered on Linux computers after an in-depth forensic assessment of a host in a key domestic department, according to the experts. The malware seemed to be a top-tier APT backdoor, but to further investigate the malicious code needed the attacker’s asymmetric encrypted private key to activate the remote control function.

The hacking group, The Shadow Brokers disclosed a trove of data reportedly taken from the Equation Group in 2016 and 2017, including a slew of hacking tools and exploits. The hackers disclosed a new dump at the end of October 2016, this time featuring a list of systems compromised by the NSA-linked Equation Group. The Bvp47 backdoor was identified by Pangu Lab researchers within material exposed by The Shadow Brokers. In ten years, the Equation Group attacked over 287 targets in 45 countries, including Russia, Japan, Spain, Germany, and Italy, according to stolen data. 

Governments, telecommunications, aircraft, energy, financial institutions, nuclear research, oil and gas, military, transportation, and companies researching encryption technologies were among the industries targeted by the group. The attacks involving the Bvp47 backdoor have been termed "Operation Telescreen" by Pangu Lab. The malicious code was created to allow operators to gain long-term control over compromised devices. 

The report published by the experts stated, “The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process”  

Experts believe there was no security against the backdoor's network attack capacity, which is loaded with zero-day vulnerabilities. The Pangu Lab research covers technical specifics about the backdoor as well as information about the Equation Group's relationship with the US National Security Agency. The Equation Group's engagement is based on exploits found in the encrypted archive file "eqgrp-auction-file.tar.xz.gpg" released by the Shadow Brokers following a failed 2016 auction.

Spanish Police Arrested SIM Swappers who Stole Money from Victims Bank Accounts

 

The Spanish National Police have arrested eight suspected members of a criminal organisation who used SIM swapping assaults to steal money from the victims' bank accounts. 

SIM switching assaults are used by criminals to get control of victims' phone numbers by duping mobile operator workers into transferring their numbers to SIMs controlled by the fraudsters. The attackers can steal money, cryptocurrency, and personal information, including contacts linked with online accounts, once a SIM has been stolen. Criminals could take over social media accounts and utilise SMS to circumvent 2FA services utilized by online services, including financial services. 

In the incident under investigation by Spanish police, the cybercriminal gained the victims' personal information and bank details via fraudulent emails in which they pretended to be their bank. The fraudsters were able to falsify the victims' official documents and use them to dupe phone store staff into issuing them with replica SIM cards. They were able to overcome SMS-based 2FA needed to access bank accounts and take the money once they had the SIM cards. 

The press release published by the Spanish National Police stated, “Agents of the National Police have dismantled a criminal organization dedicated, presumably, to bank fraud through the duplication of SIM cards. There are eight detainees based in Catalonia and acting throughout Spain who, through malicious messages and posing as a bank, obtained personal information and bank details to access the accounts of the victims whose identity they usurped through the falsification of official documents. With this, they deceived the employees of phone stores to obtain duplicate SIM cards and, in this way, have access to the bank’s security confirmation messages. In this way they could operate in online banking and access bank accounts to empty them after receiving security confirmation messages from the banks.”

The first SIM swapping attack linked to this group occurred in March 2021, when Spanish authorities received two reports about fraudulent transactions in different parts of the country. Crooks used bank transfers and digital quick payment services based in the region of Barcelona to launder the stolen funds. Seven people were arrested in Barcelona and one in Seville as a byproduct of the operation. The suspects' bank accounts were also banned by the authorities. 

The FBI announced this week that SIM swap attacks have increased, with the objective of stealing millions of dollars from victims by hijacking their mobile phone numbers. According to the FBI, US individuals have lost more than $68 million as a result of SIM switching assaults in 2021, with the number of complaints and damages nearly doubling since 2018. The FBI's Internet Crime Complaint Center (IC3) received 1,611 SIM switching assault reports in 2018, compared to 320 complaints between 2018 and 2002, resulting in a total loss of $12 million. 

Individuals should take the following steps, as per the FBI: 

• Do not post details regarding financial assets, such as bitcoin ownership or investment, on social networking platforms or forums. 
• Do not disclose the mobile number account details to representatives who ask for the account password or pin over the phone. Verify the call by calling the mobile carrier's customer support number. • Posting personal information online, such as your phone number, address, or other identifying information, is not a good idea. 
• To access online accounts, use a variety of unique passwords. 
• Any changes in SMS-based connectivity should be noted. 
• To gain access to online accounts, use strong multi-factor authentication solutions such as biometrics, physical security tokens, or standalone authentication software. 
• For easy login on mobile device applications, do not save passwords, usernames, or other information. 

On the other hand, mobile providers should take the following safety measures, according to the FBI: 

• Employees should be instructed and training sessions on SIM swapping should be held. 
• Examine incoming email addresses containing formal correspondence for minor differences that could make fraudulent addresses appear real and match the names of actual clients. 
• Establish stringent security standards that allow workers to effectively check customer credentials before transferring their phone numbers to a new device.

A Cyber-Attack has Disrupted Slovenia's Most Popular TV Channel

 

In what appears to be an extortion attempt, a cyber-attack has crippled the operations of Pop TV, Slovenia's most popular TV channel. The attack, which occurred on Tuesday, disrupted Pop TV's computer network, preventing the firm from displaying computer graphics for the evening edition of 24UR, the station's daily news broadcast. 

Pop TV said in a statement on Tuesday, the day of the attack, that the night edition of the same show was canceled entirely, albeit a truncated version of the news appeared on the company's website. While news broadcasts were resumed the following day, the attack had an impact on other aspects of the network's operation. 

"At Pro plus media house, we are rebuilding a business that has been disrupted by a recent cyber-attack. We cannot yet estimate the full extent of the attack, we are currently focusing all our efforts on putting our main systems back into their original operation as soon as possible, which will enable the smooth operation of television programs and websites," the company said. 

Pop TV stated in a second statement on Wednesday that the attack also targeted several of its online servers, including VOYO, an on-demand streaming platform that includes channels from its parent firm as well as licensed movies and TV shows. The attack, according to the firm, stopped its employees from contributing new content to the site as well as broadcasting any of its channels or live sporting events, such as the Winter Olympics, which enraged many of its paid users. 

According to the Slovenian news outlet Zurnal24, Pop TV is being extorted by international hackers in what looks to be a ransomware-style attack. Slovenia's Computer Emergency Response Team, SI-CERT, also published a statement, saying that it was assisting the TV station in dealing with the incident but refused to provide any further insights.

Several prominent TV stations have been targeted by cyber-attacks in recent years, including France's M6 (October 2019), The Weather Channel (April 2019), the Cox Media Group (June 2021), the Sinclair Broadcast Group in the United States (October 2021), Portugal's SIC (January 2021), and Iran's IRIB (February 2021). 

With the exception of the IRIB incident, most of these were ransomware assaults on the stations' backend IT infrastructure, causing broadcasts to go offline for hours while engineers worked to restore systems, implying that Pop TV got off easier than the majority of the previous incidents.

Pay to Play PrivateLoader Disseminates Smokeloader, Redline &Vidar malware

 

An investigation at a pay-per-install loader has revealed its role in the distribution of famous malware variants including Smokeloader and Vidar. 

Intel 471 issued a report on PrivateLoader on Tuesday, analyzing cyberattacks that have used the loader since May 2021. The pay-per-install (PPI) malware service has been around for a time, but it's unclear who is responsible for its creation. Additional payloads are deployed on a target machine using loaders. 

PrivateLoader is a variation that is supplied to criminal customers on an installation basis, with payment based on the number of victims captured. PrivateLoader is managed by a collection of command-and-control (C2) servers and an AdminLTE 3-based administrator panel. 

Adding new users, configuring the loader to install a payload, picking target regions and nations, setting up payload download links, encryption, and selecting browser extensions for infecting target devices are all available through the front-end panel. 

The loader is mainly distributed through websites that sell pirated software. Cracked copies of popular software, which are occasionally included with key generators, are illegal versions of software that have been modified to avoid licencing or payment. On websites, download buttons for cracked software are included with JavaScript, which releases the payload in a.ZIP archive. 

The package contained a malicious executable, according to the cybersecurity firm's findings. A false GCleaner load reseller, PrivateLoader, and Redline are among the malware that is triggered by .exe file. 

Since at least May 2021, the PrivateLoader module has been used to run Smokeloader, Redline, and Vidar. Smokeloader is the most well-known of these malware families. Smokeloader is a distinct loader that can also be utilized for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware that can steal data from a variety of data types, including passwords, documents, and digital wallet details. 

A distribution link for Smokeloader also signals a possible connection to the Qbot banking Trojan. The Kronos banking Trojan and the Dridex botnet have both been disseminated using PrivateLoader bots. 

Although PrivateLoader isn't particularly linked to the distribution of ransomware, a loader associated with it, known as Discoloader, has been used in assaults aimed at spreading the malware. 

The researchers stated, "PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them with a wide array of options to easily achieve their goals. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."

Meter Claimed that a Hack on the Platform Resulted in the Theft of $4.4 Million

 

Meter, a blockchain infrastructure firm, says $4.4 million was stolen after an assault on the platform that began at 9 a.m. ET on Saturday. According to the company, it administers infrastructure that enables smart contracts to scale and transit across heterogeneous blockchain networks. The hack had an impact on both the Meter and Moonriver networks. PeckShield, a blockchain research company, verified that 1391 ETH and 2.74 BTC were stolen during the attack.

On Saturday about 2 p.m. ET, the firm announced that it had been hacked and advised users not to trade unbacked meterBNB circulating on Moonriver. "We have identified the issue: Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience. However, the contract did not block direct interaction of the wrapped ERC20 tokens for the native gas token and did not properly transfer and verify the correct number of WETH transferred from the callers' address. We are working on compensating funds to all affected users," the company explained.

Meter said that about 6 a.m. Pacific time, they discovered that someone had exploited a bridge vulnerability to mint a significant number of BNB and WETH tokens, depleting the bridge reserve for BNB on WETH. They promptly halted all bridge transactions and launched an investigation. Within 30 minutes, they determined that the problem was caused by a flaw in the Meter team's automatic wrap and wrap of native tokens such as BNB and ETH. 

All of the other tokens and reserves are SAFU. Meter discovered some early indications of the hacker and are cooperating with authorities. They urged the hacker to return the funds. 

"We are working on taking snapshots and designing a compensation plan to the WETH and BNB holders and LP providers. We urge all the liquidity providers that provide liquidity involving WETH and BNB to remove liquidity from the pool and wait for an additional announcement from the Meter team," they added. 

On February 2nd, $324 million was stolen via the widely used decentralised cross-chain message-passing protocol Wormhole. Researchers discovered proof of an 80,000 ETH transfer from Wormhole, as well as the hacker selling another 40,000 ETH on Solana. They have offered $10 million in restitution to the hacker and the same sum to anyone who can provide information "leading to the arrest and conviction of those responsible for the hack."

Hackers Steal Around $320M+ from Crypto Firm Wormhole

 

A threat actor abused a vulnerability in the Wormhole cryptocurrency platform to steal $322 million worth of Ether currency. 

Wormhole Portal, a web-based application—also known as a blockchain "bridge"—that enables users to change one type of bitcoin into another, was the target of the attack earlier. Bridge portals transform an input cryptocurrency into a temporary internal token, which they then turn into the user's preferred output cryptocurrency using "smart contracts" on the Ethereum blockchain. 

The attacker is suspected to have taken advantage of this method to deceive the Wormhole project into releasing significantly more Ether (ETH) and Solana (SOL) tokens than they originally provided. The attacker allegedly stole crypto-assets worth $322.8 million at the time of the attack, according to reports. As per reports, the attacker acquired crypto-assets worth $322.8 million at the time of the incident, which have since depreciated to $294 million due to price swings since the breach became public. 

While a Wormhole official is yet to respond to a request for comment on today's incident. The firm verified the incident on Twitter and put its site on maintenance while it investigates. The Wormhole attack is part of a recent pattern of abusing [blockchain] bridges, according to Tal Be'ery, CTO of bitcoin wallet app ZenGo who informed The Record about the Wormhole Attack. 

A hacker stole $80 million from Qubit Finance just a week ago, in a similar attack against another blockchain bridge. As per data compiled by the DeFiYield project, if Wormhole officially acknowledges the number of stolen funds, the incident will likely become the biggest hack of a cryptocurrency platform so far this year, and the second-largest hack of a decentralised finance (DeFi) platform of all time. 

Wormhole offered a $10 million "bug bounty" to a hacker. Be'ery pointed out that, similar to the Qubit hack, Wormhole is now appealing to the attacker to return the stolen funds in return for a $10 million reward and a "whitehat contract," which indicates that the platform will most likely not file any criminal complaints against the attacker. 

As per Wormhole's most recent Twitter update, posted on Thursday, February 3, the vulnerability has been fixed. However, as one former Uber executive discovered, such contracts exonerating hackers are illegal in some areas, and authorities may still investigate the hacker.


Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

 

The Greek data protection authority imposed a fine on COSMOTE of 5,850,000 EUR ($6.55 million) and OTE was fined 3,250,000 EUR ($3.65 million) for exposing sensitive customer data due to a cyberattack. 

COSMOTE violated at least eight articles of the GDPR, according to the agency, including its responsibility to inform impacted customers of the full consequences of the incident. 

COSMOTE and OTE (Hellenic Telecommunications Organization) are both parts of the OTE Group, Greece's largest technological business, which provides fixed and mobile telephony, broadband, and network communication services. 

COSMOTE launched an internal investigation in 2020 and discovered that a hacker utilized LinkedIn to social engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's results, the attacker repeatedly utilized a Lithuanian IP address to access one of OTE's servers. On five consecutive occasions, the threat actor used the account credentials to extract database files and the data that was stolen and was 48GB in size. 

COSMOTE keeps call details on its servers for 90 days for service quality assurance and further 12 months for statistical analysis that aids in targeted service enhancement. The anonymization process wasn't done effectively, and the data holding periods weren't fully adhered to, as the data protection authority investigation discovered. 

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that have been revealed: 
• Rough positional data of 4,792,869 unique COSMOTE subscribers. 
• Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers. 
• MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE. 
• MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE. 

In some circumstances, the above data could be utilised for highly targeted social engineering, phishing, and even extortion. Nonetheless, for targeted subscribers who may be high-interest personalities, the consequences of the hacking attack could be substantial.

During a Live Stream Ceremony, the Nobel Foundation Disclosed a DDoS attack

 

The Nobel Foundation and the Norwegian Nobel Institute have revealed a cyberattack on its network intended at sabotaging last month's award ceremony Livestream. 

The cyberattack put the websites under great stress in an attempt to prevent updating and publishing fresh information on the Nobel Prize and Nobel Laureates' accomplishments It is "a long-term threat to freedom of expression," according to the foundation. It stated that it had reported the incident to authorities, however, no information as to who was responsible for the cyberattack had been provided. 

As the Nobel community has pointed out, the perpetrators of the DDoS assault are unknown at the moment. However, given the charges against the Nobel panel for making arbitrary selections in the past, an assumption of state-backed hackers were behind the security incident.

On January 21, in a press release, the institution said, "During the Nobel Day while the prize ceremonies were being live-streamed from Oslo and Stockholm, a so-called distribution denial-of-service (DDoS) attack disrupted the www.nobelprize.org and www.nobelpeaceprize.org sites."
 
DDoS assaults swamp websites with fictitious traffic, causing outages and obstructing access to information. It has also emerged as a weapon for intimidating and harassing websites. Furthermore, the Nobel Prize committee has been chastised for omitting scholars who made a significant contribution to awarded studies or for overlooking groundbreaking discoveries in favor of rewarding small findings. 

Journalist Dmitry Muratov and Rappler CEO Maria Ressa were among the Nobel laureates at Nobel Day 2021, and his keynote speeches emphasized the importance of press freedom and its role in preserving democracy in an era of fake news, disinformation, and the rise of authoritarianism around the world. 

Given the political controversies surrounding some of the Nobel Prizes bestowed by the normally prestigious Nobel Foundation, the involvement of a state-backed actor in such attacks would not be unusual.

Hackers Infect macOS with a New Backdoor Known as DazzleSpy

 

A previously unknown cyber-espionage malware targeting Apple's macOS operating system used a Safari web browser exploit as part of a watering hole attack targeting politically engaged, pro-democracy Hong Kong residents. ESET, a Slovak cybersecurity firm, ascribed the infiltration to an actor with "high technical capabilities," noting similarities between the campaign and a similar digital offensive published by Google Threat Analysis Group (TAG) in November 2021. 

Between September 30 and November 4, 2021, the attack chain entailed compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, in order to inject malicious inline frames (aka iframes). Separately, a bogus website called "fightforhk[.]com" was registered to entice liberation activists. The altered code then served as a conduit to load a Mach-O file by exploiting a remote code execution bug in WebKit, which Apple rectified in February 2021. (CVE-2021-1789). 

"The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely," ESET researchers said. It's worth noting that some of the code shows that the vulnerability might have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices like the iPhone XS and newer. 

The exploit uses two primitives to gain memory read and write access: one to leak an object's address (addrof) and the other to generate a bogus JavaScript object from a specified memory address (fakeobj). Using these two functions, the attack constructs two arrays of different kinds that overlap in memory, allowing it to set a value in one that is considered as a pointer when accessed with the other. 

The exploit makes use of a side effect generated by altering an object property to make it accessible via a "getter" function while enumerating the object's properties in JIT-compiled code. The JavaScript engine incorrectly assumes that the property value is cached in an array and is not the result of calling the getter function.

The successful execution of the WebKit remote code execution triggers the execution of the intermediate Mach-O binary, which in turn leverages a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next stage malware as the root user. 

While Google TAG's infection sequence resulted in the installation of an implant known as MACMA, the malware transmitted to D100 Radio site visitors was a new macOS backdoor known as DazzleSpy, according to ESET. DazzleSpy is a full-featured backdoor that gives attackers a wide range of capabilities for controlling and exfiltrating files from a compromised computer.

Hackers Hit 483 Users in Crypto.com Attack That Witnessed $31M+ Coins Withdrawn

 

Crypto.com has issued an official remark on the situation that saw it halt its users' ability to withdraw money after hinting at final numbers earlier in the week. Unauthorized bitcoin withdrawals on 483 individuals' accounts were reported by the firm on Monday.

The company stated, "In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed. Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies." 

The value of ether was just shy of $14 million at the time of writing, whereas the fiat worth of bitcoin was just over $17 million. Overall, depending on the unpredictable cryptocurrency pricing on any given day, the entire sum may be approximately $31 million. Users' two-factor authentication was not used, according to Crypto.com, which noticed transactions early Monday morning UTC. 

"Crypto.com revoked all customer 2FA tokens and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours," it stated.

"In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure." 

The company also announced a new policy requiring customers to wait 24 hours before withdrawing funds to a whitelisted address, as well as a scheme that will reimburse consumers up to $250,000 if unauthorised withdrawals are made and certain requirements are fulfilled. 

Users must employ multi-factor authentication on all transactions when possible, set an anti-phishing code at least 21 days before the unauthorised withdrawal, make a police report and send a copy to the corporation, and undertake a "questionnaire to facilitate a forensic investigation," among other terms. 

"Terms and conditions may vary by market according to local regulations. Crypto.com will make the final determination of eligibility requirements and approval of claims," the company said.

Flaw in IDEMIA Biometric Readers Enables Intruders to Unlock Doors

 

To unlock doors and turnstiles, a significant vulnerability affecting various IDEMIA biometric identity devices can be exploited. 

If the TLS protocol is not enabled, an attacker on the system can transmit particular commands without verification to unlock doors or turnstiles that are directly controlled by a vulnerable device. 

According to an advisory issued by IDEMIA, a France-based tech business that specialises in identity-related physical security services, the attacker may potentially use the bug to trigger a denial of service (DoS) condition by sending a reboot order to the susceptible device. 

The issue was discovered by researchers at Positive Technologies, a Russian cybersecurity firm that was sanctioned by the US last year for potential ties to Russian intelligence. It has a CVSS score of 9.1 and yet no CVE identification number has been issued for it until now. 

MorphoWave Compact MD/MDPI/MDPI-M, VisionPass MD/MDPI/MDPI-M, all variants of SIGMA Lite/Lite+/Wide, SIGMA Extreme, and MA VP MD are among the products affected. 

Critical infrastructure sites, financial institutions, healthcare organisations, and colleges are among the institutions that depend on vulnerable IDEMIA biometric identification devices. 

IDEMIA stated, “Activation, proper configuration of TLS protocol and installation of the TLS certificate on the device fixes the aforementioned vulnerability,” 

To entirely eliminate the danger of biometric identification circumvent, the business aims to make TLS the default in future firmware versions for vulnerable devices. 

Vladimir Nazarov, head of ICS Security at Positive Technologies, said, “The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns. An attacker can potentially exploit the flaw to enter a protected area or disable access control systems.”

Omicron Test Scam : A Free Test Is Available

 

Cybercriminals send emails containing malicious links and data, according to police sources. When individuals click on such a link or download a file, their system — whether it's a phone or a computer — is compromised, and hackers have access to sensitive data. The government recommended citizens examine the domain name and URL of websites to ensure their validity, and to report any such incidents to the cybercrime.gov.in portal. 

A warning has been issued by the Ministry of Home Affairs (MHA) against cybercriminals about offering free testing to potential victims in order to detect the Omicron variant. TheMHA's cyber and information security branch has issued the following advisory: "Due to the shift in focus to the health crisis, cybercriminals are taking advantage of the weakening of cyber defenses. Cybercriminals are always devising new methods of defrauding citizens. As time goes on, Omicron-themed cybercrime is becoming more prevalent. Cybercriminals are using a variety of strategies to commit cybercrime in order to take advantage of the continuously changing scenario and scam innocent victims."

Hackers in the United Kingdom have already begun to take advantage of the virus by sending out phishing emails offering free COVID-19 testing that claims to detect the new variant. In reality, hackers are attempting to dupe unwary users into divulging their personal data. According to a consumer watchdog group, the scam emails appear to come from the UK's National Health Service. The subject line of one email reads, "Get Your Free Omicron PCR Test - Apply Now to Avoid Restrictions. People who do not consent to a COVID-19 test and refuse to have a swab must be segregated," the email continues, in an attempt to terrify the user into complying. 

Users who fall for the ruse will be directed to a fake NHS website, which will ask for their full name, date of birth, address, phone number, and email address – all of which can be used to commit identity theft. The phishing emails are embellished with official-looking NHS logos by hackers. The scam emails were also received from the address "contact-nhs[AT]nhscontact.com."

Ukraine Hosts Massive Scale Simulation of Cyber-attack Against Energy Grid

 

Cybersecurity experts from throughout Ukraine took part in a large-scale cyber-attack simulation that echoed the destructive real-world strike on Ukraine's power infrastructure in 2015. 

With 250 participants, 49 teams battled – either digitally or in person at a Kiev venue – to earn points by resolving an attack against an imaginary energy provider after it had multiple unexpected system failures. Security experts from Ukraine's governmental and private sectors, as well as higher education institutions, worked for five and a half hours to determine the nature of a hostile network penetration before dismissing the intruder and recovering systems to normal operation. 

The winning team was Berezha Security Group from Kiev, and cybersecurity engineer Dmitry Korzhevin was the best-performing individual participant. The competition, which took place on December 2, was the latest Grid NetWars event hosted by SANS Institute, a US information security training organisation, with previous tournaments held in Singapore, India, Japan, and Australia. 

The event was also coordinated by Ukraine's National Security and Defense Council, State Service of Special Communication and Information Protection, and the Cybersecurity Critical Infrastructure project for the US Agency for International Development (USAID). 

Ihor Malchenyuk, head of cybersecurity regulatory assistance and institutional development at the USAID Cybersecurity for Critical Infrastructure in Ukraine project stated, “Every day 560,000 new malicious programs are detected in the world, therefore it is necessary to constantly improve qualifications and ‘pump’ the skills of cybersecurity specialists.” 

“Such competitions as Grid NetWars provide an opportunity to practice not only the knowledge and skills of each specialist separately but also train joint interaction. After all, the training conditions are as close to reality as possible.” 

Tim Conway, technical director of the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) programs at SANS, assisted event participants with the help of two other US-based infosec experts. 

“Grid NetWars is a product that has existed for a number of years and has been used in country-level exercises since its creation,” Conway told The Daily Swig. 

“It has also been leveraged by practitioners around the world who attend critical infrastructure or industrial control system-specific events like the SANS ICS Summit where Grid NetWars competitions are conducted in the evenings after courses.” 

The latest, Ukraine-based event had successfully enabled “participants to face real-world challenges, develop skillsets, gain exposure to technical tools, and most importantly ‘practice the way they play through collaboration, and provided the opportunity to work together in teams just like they would in a real-world incident response”, he added. 

Conway assisted in the investigation of the 2015 attack on three Ukrainian power distribution centres, which knocked out power for up to six hours and left 225,000 people without power. A year later, the country's electrical grid was hit again, and Ukraine's then-president, Petro Poroshenko, said that thousands of recent cyberattacks on state institutions were proof that Russian secret agencies were waging a cyberwar against the country.