
A Catastrophic Mutating Event Will Strike the World in 2 Years, Claims WEF


The World Economic Forum (WEF) in Davos, Switzerland has come up with its set of uplifting predictions for 2023. Its latest report warns of a global catastrophic cyber event in the near future. 

The WEF Annual Meeting includes government leaders, businesses, and civil society addressing the state of the world, while also discussing the priorities of the year ahead. 

“The most striking finding that we’ve found is that 93 percent of cyber leaders, and 86 percent of cyber business leaders, believe that the geopolitical instability makes a catastrophic cyber event likely in the next two years. This far exceeds anything that we’ve seen in previous surveys,” says WEF managing director Jeremy Jurgens during a presentation, highlighting the WEF Global Security Outlook Report 2023. 

Illustrating how unpredictable such events can be, Jurgens cited a recent cyberattack that was intended to disable Ukrainian military capabilities but inadvertently also shut down a portion of energy production across Europe. 

In regard to this, Jürgen Stock, Secretary-General of Interpol, says that “This is a global threat […] It calls for a global response and enhanced and coordinated action.” 

According to him, the increased profit that various bad actors acquire from cybercrime should encourage world leaders into working in a collaborative manner, making it a top priority as they face "new sophisticated tools." 

Albania Set to Combat Cybercrime 

Albania, which recently experienced a significant cyberattack, is now collaborating with larger allies to thwart the criminals, acting as a sort of laboratory for understanding what is to come. 

During the presentation, Edi Rama, the Prime Minister of Albania, illustrated the growth of the cybercrime industry, from $3 trillion in 2015 to an anticipated $10.5 trillion in 2025. According to Rama, this means that if cybercrime were a state, it would have the third-largest economy in the world after the U.S. and China. 

Expected Cybercrime Trends in the Next Two Years 

Cyber threats are evolving ever faster, with the cybercrime underground turning into an organized ecosystem. To combat these threats effectively, it is essential to stay up to date on trends in cybercrime, which foreshadow its future shape. 

Here, we are listing some of the trends that are likely to be prevalent in cybercrime tactics in the coming years: 

  • Artificial Intelligence/ Machine Learning 

AI and machine learning can boost attack automation, speed, frequency, and efficiency, while also enabling targeted attacks aimed at particular groups. From a cybersecurity perspective, they might also speed up detection, protection, and recovery systems. 

  • Computing and Data Storage Technology 

The innovation and immense usage of computing and data storage technologies in all sectors and services will eventually give threat actors more chances to exploit systems, gain unauthorized access, and disseminate illicit data. 

  • Blockchain and Distributed Ledger Technologies (DLTs) 

Digitalized transactions processed by DLTs could be manipulated for nefarious purposes, such as blocking them from being processed. DLTs may also be used to store inappropriate or disruptive content that is difficult to remove. 

  • Botnets and Automated Malware Deployment Tools 

The rapid expansion of the Internet of Things (IoT), which is connecting more and more devices to the internet, is also giving threat actors a massive opportunity to conduct malicious activities. The growing use of bots and automated malware deployment tools has further aided attackers: these inexpensive and easy-to-use tools lower the skill barrier for launching attacks. 

A $100 Million Theft Has Been Attributed to the Lazarus Group by the FBI

A $100 million cryptocurrency heist committed last June has been attributed by the FBI to the Lazarus Group. The group is associated with the North Korean government and is known for stealing cryptocurrency to help fund that government's military and weapons programs. 

In a statement released on Tuesday, the FBI identified Lazarus Group, also known as APT38, as the perpetrator of the June 24 attack on the Harmony Horizon bridge, in which $100 million worth of Ethereum was lost. Harmony Horizon is a cross-chain bridge connecting Ethereum, Bitcoin, Binance Chain, and Harmony. Attackers gained access to the Ethereum side of the bridge last June and stole the cryptocurrency. 

At the time, the Harmony team reported a theft of approximately $100MM from the Horizon bridge, discovered that morning, and said it had begun working with national authorities and forensic specialists to identify the perpetrator and to recover the stolen funds. 

The FBI, the Department of Justice's National Cryptocurrency Enforcement Team, and several United States attorneys' offices are jointly investigating the Harmony heist. Earlier this week, the FBI announced that the Lazarus Group had been responsible for the attack and had used its malware toolkit TraderTraitor as part of the operation. 

"During the June 2022 heist, North Korean cyber actors, who used an encryption protocol known as Railgun, a privacy protocol, gained access to over $60 million worth of Ethereum (ETH) that had been stolen. It is believed that a portion of the stolen Ethereum from this theft was sent to several virtual asset services for conversion into bitcoin (BTC)," the FBI said in a statement released by the bureau. 

Lazarus Group is a North Korean hacking group that has been active for several years. It is closely associated with the North Korean government and typically pursues the government's interests. Its attack on the Bank of Bangladesh in 2016 netted $81 million, and since then Lazarus has continued to target banks and crypto exchanges to fund its operations. 

Lazarus Group specializes in penetrating cryptocurrency firms and exchanges, among other targets, using the tools bundled as TraderTraitor. These intrusions often begin with phishing emails to employees at a target company, enticing them to download malicious files without realizing what they are downloading. 

Many of these messages are disguised as recruitment offers for high-paying jobs, enticing recipients to download cryptocurrency applications laced with malware, a family the U.S. government calls TraderTraitor, according to a CISA advisory released in April. 

TraderTraitor is the term used to describe a series of malicious applications written in cross-platform JavaScript and packaged with Electron on the Node.js runtime. They pose as open-source tools that help traders or price forecasters trade cryptocurrencies, and TraderTraitor campaigns promote the applications' alleged features on websites with modern designs. 

Several intrusions carried out by the Lazarus Group have used TraderTraitor as part of their operations, with considerable success. The group has also used a macOS backdoor called AppleJeus, deployed alongside more advanced techniques. 

In addition to spreading cryptocurrency trading applications modified to contain malware that facilitates cryptocurrency theft, the Lazarus Group also distributed AppleJeus trojanized cryptocurrency applications targeting individuals and companies, including cryptocurrency exchanges and financial services firms. 

According to the advisory, the North Korean regime will likely continue to exploit the vulnerabilities of cryptocurrency technology companies, gaming companies, and exchanges. This will enable it to generate and launder funds to support its regime. 

During the Harmony intrusion, the Lazarus Group moved bitcoin to several exchanges, which the FBI worked with to freeze those assets.

A Credential Stuffing Attack Breaches PayPal Accounts

In December last year, hackers accessed the PayPal accounts of more than 1.6 million users of the online payment service. As a result, PayPal is now sending out data breach notifications to affected users. 

A large number of customer accounts of the company were compromised in this attack. With the help of credential stuffing, the hackers behind this attack were able to gain access to almost 35,000 accounts of this company. 

PayPal sent out a Warning of Security Incidents to affected customers; it states that the attack took place from December 6th to 8th of last year. The company says it detected the attack as it occurred and took the necessary steps to mitigate it. PayPal has also launched an internal investigation into how the hackers were able to gain access to customers' accounts in the first place. 

Although the company says the hackers were unable to carry out any transactions through the breached accounts, a great deal of sensitive information about affected customers was stolen, including their full names, dates of birth, physical addresses, Social Security numbers, and tax identification numbers. 

Based on PayPal's investigation, the hackers used credential stuffing to access the accounts of PayPal's customers after obtaining the credentials of PayPal's employees. Credential stuffing is a popular attack method that draws on username and password pairs traded on the dark web; unlike a data breach of the target itself, it reuses account credentials that are already in circulation. 

Credential-stuffing attacks are typically run by bots programmed to try username and password pairs taken from earlier data breaches against the target's login page. Many of these bots try the same credentials against multiple online services, hoping the password has not been changed recently. 

Using the same password across multiple accounts is dangerous. If a hacker obtains your password by breaching one website or service, they can then use it to log in to every other account that shares that password. 
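The bot behaviour described above has a recognisable shape in a login log: one source trying many different accounts with mostly failures. The following detector is an added example for this post (not PayPal's logic); it assumes a constructed one-line-per-attempt log format of "ISO timestamp, source IP, username, LOGIN_OK or LOGIN_FAIL" and constructed sample data.

```python
"""Flag credential-stuffing behaviour in login logs.

Added example; it is not PayPal's detection logic or code from the
original post. It assumes a constructed log format of one login attempt
per line: "<ISO timestamp> <source IP> <username> LOGIN_OK|LOGIN_FAIL".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

# Constructed sample log (documentation-range IPs, made-up accounts).
# 203.0.113.7  : a stuffing bot cycling through eight breached accounts,
#                one of which still uses its leaked password.
# 198.51.100.9 : a normal user who mistypes once, then logs in.
# 192.0.2.44   : a slow bot spacing its attempts 30 minutes apart.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2022-12-06T10:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2022-12-06T10:00:03 203.0.113.7 carol@example.com LOGIN_FAIL
2022-12-06T10:00:04 203.0.113.7 dave@example.com LOGIN_FAIL
2022-12-06T10:00:05 203.0.113.7 erin@example.com LOGIN_FAIL
2022-12-06T10:00:06 203.0.113.7 frank@example.com LOGIN_OK
2022-12-06T10:00:07 203.0.113.7 grace@example.com LOGIN_FAIL
2022-12-06T10:00:08 203.0.113.7 heidi@example.com LOGIN_FAIL
2022-12-06T10:01:00 198.51.100.9 alice@example.com LOGIN_FAIL
2022-12-06T10:01:20 198.51.100.9 alice@example.com LOGIN_OK
2022-12-06T10:10:00 192.0.2.44 ivan@example.com LOGIN_FAIL
2022-12-06T10:40:00 192.0.2.44 judy@example.com LOGIN_FAIL
2022-12-06T11:10:00 192.0.2.44 mallory@example.com LOGIN_FAIL
2022-12-06T11:40:00 192.0.2.44 niaj@example.com LOGIN_FAIL
2022-12-06T12:10:00 192.0.2.44 olivia@example.com LOGIN_FAIL
2022-12-06T12:40:00 192.0.2.44 peggy@example.com LOGIN_FAIL
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "LOGIN_OK",
    }


def detect_stuffing(lines, window_minutes=5, min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: stats} for sources whose activity in any sliding
    window of `window_minutes` spans at least `min_users` distinct accounts
    with a failure ratio of at least `min_fail_ratio`.

    `compromised` lists accounts that succeeded inside a flagged window:
    those are the reused passwords that need a forced reset.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits the time bound.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if not e["ok"])
            if len(users) < min_users or failures / len(span) < min_fail_ratio:
                continue
            stats = {
                "distinct_users": len(users),
                "attempts": len(span),
                "failures": failures,
                "compromised": sorted(e["user"] for e in span if e["ok"]),
            }
            # Keep the widest qualifying window seen for this source.
            if ip not in flagged or stats["distinct_users"] > flagged[ip]["distinct_users"]:
                flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

With the default 5-minute window only 203.0.113.7 is flagged; the slow source 192.0.2.44 only shows up with window_minutes=180, which is why per-source rate checks should be paired with per-account failure counts across all sources.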

When your PayPal account is hacked, what should you do next? 

If PayPal has notified you that your account was breached and asked you to reset your password, the company has already reset it on your behalf. It is recommended that you create a strong, complex, and distinct password for your account the next time you log in so that it remains safe. A password manager such as KeePass can generate strong passwords for you and store them securely; many password manager sites also offer free online password generators. 

To protect you from identity theft, PayPal is offering two years of free identity monitoring from Equifax. This is done using your name, birth date, address, and social security number. If, however, you wish to extend your protection even further, you may want to sign up for an identity theft protection service. 

It is also recommended that you enable two-factor authentication for your PayPal account. It helps prevent a hacker from gaining access to your account even if they obtain your login credentials, and can be crucial to the safety and security of your account. 

Despite the many risks involved, password reuse is still one of the biggest problems in the online world but hopefully, this unfortunate incident will get people to use strong, complex, and unique passwords - especially when it comes to their financial accounts. 

Hackers Design Malware for Recently Patched Fortinet Zero-Day Vulnerability


Researchers investigating the recently disclosed and patched zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a new backdoor, created specifically to run on Fortinet's FortiGate firewalls. 

Initial evidence collected by Google-owned security firm Mandiant suggests that the exploitation occurred in October 2022, nearly two months before the vulnerability was patched. Targets included a government entity in Europe and a managed services provider in Africa. 

According to a report published by Mandiant, the malware appears to have been created by a China-based threat actor that conducts cyber-espionage operations against individuals and groups associated with the government. 

It is the most recent instance of attackers from that country targeting firewalls, IPS, IDS, and other internet-facing technologies used by businesses to secure their networks. 

BoldMove Backdoor 

The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant created especially to run on Fortinet's FortiGate firewalls. 

The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could allow for unauthenticated remote code execution through carefully constructed requests. 

Earlier this month, Fortinet revealed that the unidentified hacking groups had taken advantage of the flaw to attack governments and other major institutions with a generic Linux implant capable of delivering additional payloads and carrying out remote server commands. 

Mandiant findings also indicate that the hackers managed to exploit the zero-day vulnerability to their advantage, accessing target networks for espionage operations. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added. 

The BoldMove Backdoor malware, written in C, is apparently available in both Windows and Linux versions, with the latter being able to read data from a Fortinet-exclusive file format. 

Moreover, according to Fortinet’s report, an extended Linux sample comes with a feature that allows attackers to disable and manipulate logging features in order to evade detection. Despite the fact that no copies of the backdoor have been found in the wild, metadata analysis of the Windows variations reveals that they were created as early as 2021. 

"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted. 

Schooled in FortiOS 

Meanwhile, Fortinet itself described the malware as a variant of a “generic” Linux backdoor designed by threat actors for FortiOS. According to the company's analysis, on affected systems the malicious file may have disguised itself as part of Fortinet's IPS engine. 

According to Fortinet, one of the malware's more advanced features is manipulating FortiOS logging to avoid detection. The malware can search FortiOS event logs, decompress them in memory, and search for and delete a specific string before reconstructing the logs. It can also completely disable logging processes. 

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet. 

Fortinet adds that designing the malware would have required the threat actors to have a “deep understanding” of the FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.  

Synthetic Identity Fraud: What Is It?

Frankenstein ID, the use of fake identities by scammers, has become prevalent over the last 12 to 18 months, with US financial institutions (FIs) reporting losses of $20 billion in 2021 as compared to $6 billion in 2016.

Synthetic Identity Fraud: What Is It? 

Synthetic identity fraud occurs when a stolen Social Security number is combined with bits of accurate personal data obtained from various sources, or with entirely false information, to build an identity used to commit theft.

Synthetic identity theft is little known, which allows fraudsters to carry out their crimes undetected. Researchers found that two out of every three American adults were largely unaware of synthetic identity theft.

What is the Frequency of Child Identity Theft and Fraud?

In contrast to adults, stealing the identities of minors gives hackers a wider window to utilize the credentials since the majority of victims who had their identities taken as children do not become aware of the fraud until they are adults. Social media, personal health information, and school forms pose the greatest threats to data theft involving minors, which is a concern for nearly two-thirds of adults. 

Hackers can find SSNs in many places, such as your email account or the database of a merchant you use. Even student data is stolen and published on the dark web by ransomware groups. Hackers take SSNs to commit synthetic ID theft, favoring numbers issued within the last 18 years because those are more likely to belong to minors. Children generally wait until they are 18 to apply for loans or credit, giving criminals ten or even fifteen years to cause havoc before anyone takes notice.

Once a hacker has a Social Security number, they start applying for credit online. Simply applying builds a credit history, and a creditor will eventually grant a $500 or perhaps $1,000 credit line. A breakout occurs once the hackers have access to $10,000 to $15,000 in credit: after a final flurry of charges, they disappear. 

Since 86% of parents do not check their kids' credit, hackers can ruin it for years. As a result, synthetic identity fraud has severe repercussions that frequently prevent its young victims from beginning their adult lives. Children's lack of control over their credit or financial information makes them vulnerable as well.


Hackers Target Chick-fil-A Customers Credentials

Chick-fil-A is investigating reports of suspicious transactions on its mobile app after multiple users claimed that hackers obtained their personal data, including bank account details.

Customers at Chick-fil-A, a well-known chicken restaurant business, may be the latest targets of hackers. According to a recent article in Nation's Restaurant News, the fast food chain is investigating potential hacks of mobile apps that have exposed customers' sensitive information.

According to Krebs on Security, one bank claimed it had nearly 9,000 customer card details listed in an alert sent to various financial institutions regarding a breach at an anonymous retailer that occurred between December 2, 2013, and September 30, 2014, and that Chick-fil-A locations were the only common point-of-purchase. As per Krebs, "the majority of the fraud, according to a financial source, appeared to be centered at sites in Georgia, Maryland, Pennsylvania, Texas, and Virginia."

Customers are advised to promptly change their passwords to new ones that are distinct, complex, and not used for other online platforms or accounts if they notice anything unusual.

In regard to the reports, Chick-fil-A posted a statement on social media stating that the company is aware of the matter and is working quickly to resolve it. The business does point out that it has not discovered proof that its internal security has been infiltrated by hackers or otherwise compromised.

Customers who are impacted can find information on what to do if they see suspicious activity on their accounts, mobile orders placed without their consent, or loyalty points fraudulently redeemed or used to purchase gifts, on a support page on the Chick-fil-A One membership program customer service website.

How Hackers Can Exploit ChatGPT, a Viral AI Chatbot


Cybernews researchers have found that ChatGPT, an AI-based chatbot launched recently that has caught the attention of the online community, can give hackers step-by-step instructions on hacking a website. 

The Cybernews team warns that AI chatbots may be fun to play with, but they are also dangerous because they can give detailed information on how to exploit a vulnerability. 

What is ChatGPT?

AI has created a stir in the imaginations of leaders in the tech industry and pop culture for decades. Machine learning tech allows you to automatically create text, photos, videos, and other media. They are all flourishing in the tech sphere as investors put billions of dollars into this field. 

While AI has enabled endless opportunities to help humans, the experts warn about the potential dangers of making an algorithm that will outperform human capabilities and can get out of control. 

Apocalypse situations due to AI taking over the planet are not something we are talking about. However, in today's scenario, AI has already started helping threat actors in malicious activities.

ChatGPT is the latest innovation in AI, made by research company OpenAI which was led by Sam Altman, and also backed by Microsoft, LinkedIn Co-founder Reid Hoffman, Elon Musk, and Khosla Ventures. 

The AI chatbot can hold conversations with people while imitating various writing styles. The text produced by ChatGPT is far more imaginative and complex than that of earlier chatbots built in Silicon Valley. ChatGPT is trained on large amounts of text data from the web, Wikipedia, and archived books. 

Popularity of ChatGPT

Five days after the ChatGPT launch, over one million people had signed up to test the technology. Social media was flooded with users' queries and the AI's answers: writing poems, copywriting, plotting movies, giving tips for weight loss or healthy relationships, creative brainstorming, studying, and even programming. 

According to OpenAI, ChatGPT models can answer follow-up questions, argue incorrect premises, reject inappropriate queries, and admit their personal mistakes. 

ChatGPT for hacking

According to cybernews, the research team tried "using ChatGPT to help them find a website's vulnerabilities. Researchers asked questions and followed the guidance of AI, trying to check if the chatbot could provide a step-by-step guide on exploiting."

"The researchers used the 'Hack the Box' cybersecurity training platform for their experiment. The platform provides a virtual training environment and is widely used by cybersecurity specialists, students, and companies to improve hacking skills."

"The team approached ChatGPT by explaining that they were doing a penetration testing challenge. Penetration testing (pen test) is a method used to replicate a hack by deploying different tools and strategies. The discovered vulnerabilities can help organizations strengthen the security of their systems."

Potential threats of ChatGPT and AI

Experts believe that AI-based vulnerability scanners used by cybercriminals can wreak havoc on internet security. However, the Cybernews team also sees the potential of AI in cybersecurity. 

Researchers can use insights from AI to prevent data leaks. AI can also help developers in monitoring and testing implementation more efficiently.

AI keeps on learning; it has a mind of its own. It learns newer ways of advanced tech and exploitation, and it works as a handbook for penetration testers, offering sample payloads that fulfill their needs. 

“Even though we tried ChatGPT against a relatively uncomplicated penetration testing task, it does show the potential for guiding more people on how to discover vulnerabilities that could, later on, be exploited by more individuals, and that widens the threat landscape considerably. The rules of the game have changed, so businesses and governments must adapt to it," said Mantas Sasnauskas, head of the research team. 

Threats of Discord Virus: Ways to Eliminate it

Discord has gained popularity as a tool for creating communities of interest since the launch of its chat and VoIP services, notably among gamers. Discord can be exploited, though, similar to any other platform that contains user-generated material. 

In 2021 it was discovered that hackers had carried out a number of malware attacks targeting Discord, and more than 20 different malware varieties spread through it have since been found. Due to Discord's broad customizability, ordinary users are vulnerable to attacks inside and outside the chat server. A recent security analysis of Discord uncovered a number of cyberattack scenarios connected to its chat service that can be quite risky for users.

How does the Discord virus infiltrate the system?

'Discord Virus' is the common phrase for malware programs exchanged through the official Discord app. Cybercriminals use a variety of tactics to get Discord users to run malicious software; a pirated version of Discord Nitro is one of the most frequent lures. 

The Discord software has a premium edition called Discord Nitro that is packed with more sophisticated capabilities. It is important to understand that the Discord Nitro app cannot be cracked because the premium features are delivered over the servers and not embedded into the app.

The system typically shows a few signs that point to a Trojan infection:
  • The CPU is abruptly utilized more than normal
  • The system regularly glitches
  • Malicious pop-ups constantly flood the browser
  • Windows open without the user initiating them
  • Redirection to suspicious or unreliable websites

How to Update and Fix Discord

1. Run Discord as an administrator

Running the application with administrative rights may be a simple way to fix the Discord Update Failure problem, as it allows the updater to make changes to your device and download and run the most recent Discord update.

2. Give the update.exe file a new name

A bug with the application's update.exe file was discovered by Discord's troubleshooters. For the best chance of successfully updating Discord to the most recent version, try renaming this file.

Press Windows + R, paste C:\Users\Username\AppData (without quotation marks) into the Run box, and replace Username with the name of your local account.

3. Avoid using Windows Defender

The Discord Update occasionally crashes due to conflicts with Windows 10's default antivirus protections. Disabling Windows Defender will allow you to try updating Discord.

4. Disable your antivirus temporarily

Antivirus programs have a reputation for causing problems on computers by obstructing your internet service or preventing services and apps from operating as intended.

Discord can give rise to predatory behaviors like cyberbullying. Additionally, extreme organizations utilize Discord to recruit new members and keep in touch with them. You should take precautions against malicious users on Discord and never give out your personal information to anyone.

While utilizing the service, Discord provides a list of precautions to take in order to avoid spam and hacking. One recommendation is to create secure passwords that are less likely to be hacked. Additionally, individuals can defend themselves by scanning for suspected phishing attempts. 


How Can Schools Minimize Cybersecurity Risks?

 

Cyberattacks are now a daily threat to K-12 schools, and the problem may worsen as educators rely more on technology for teaching and learning, and as hackers become more sophisticated. As per the K12 Security Information Exchange, a nonprofit dedicated to assisting schools in preventing cyberattacks, there have been over 1,330 publicly disclosed attacks since 2016, when the organization began tracking these incidents. Hackers have targeted municipalities of all sizes. 

Most notably, two major districts, Los Angeles Unified and New York City, faced cybersecurity challenges in 2022. Experts say that if the largest districts can be affected, anyone can. Smaller districts are especially vulnerable because they frequently lack the cybersecurity resources required to protect themselves.

Cyberattacks are costly to school districts. According to a recent GAO report, districts lose three days to three weeks of instructional time on average after an attack, and recovery time can range from two to nine months. To prevent unnecessary costs, districts should ensure that their networks are secure.

Education Week has extensive coverage on what to do if your school or district is the victim of a cyberattack, as well as how to prevent attacks. Here is an accumulation of articles and videos on this topic published by Education Week that you can use to tackle this challenge.

Guidance from the FBI and the Cybersecurity and Infrastructure Security Agency discourages paying the ransom because it doesn't guarantee that the data hackers are holding ransom will be decrypted or that the systems will no longer be compromised. Despite this advice, the decision of whether or not to pay a ransom can be complicated.

Two district leaders also spoke with Education Week about how they handled the aftermath of a ransomware attack that shut down schools for two days. There is no magic formula that will entirely protect districts from cyberattacks, but there are steps that can be taken to mitigate the risks. In this special report, K-12 technology leaders and experts offer recommendations on how to prevent these incidents, particularly with the emergence of school-issued devices, as well as what districts' top cybersecurity priorities should be.  

Student data privacy concerns a wide range of issues, from students' smartphones to classroom applications discovered and adopted by teachers, to district-level data systems, to state testing programmes. Experts offer their perspectives on why schools struggle to protect student data.

An Active Typosquat Attack in PyPI and NPM Discovered

Phylum security researchers are warning of a typosquatting-based software supply chain threat that specifically targets Python and JavaScript programmers.

What is Typosquatting?

Cybercriminals that practice typosquatting register domains with purposeful misspellings of the names of popular websites. Typically for malevolent intentions, hackers use this tactic to entice unwary users to other websites. These fake websites could deceive users into inputting private information. These sites can seriously harm an organization's reputation if attacked by these perpetrators. 

PyPI & NPM

Researchers alerted developers to malicious dependencies that contained code to download Golang payloads on Friday, saying a threat actor was typosquatting well-known PyPI packages. 

The Python Software Foundation is responsible for maintaining PyPI, the largest code repository for the Python programming language. Over 350,000 software packages are stored there. Meanwhile, NPM, which hosts over a million packages, serves as the primary repository for JavaScript programming. 

About the hack

The aim of the campaign is to infect users with a ransomware variant. The attackers are publishing packages on PyPI whose names are nearly identical to that of the popular Python Requests package in order to mimic it.

Once downloaded, the malware encrypts files in the background while changing the victim's desktop wallpaper to an attacker-controlled image made to look as if it came from the CIA.

When the README file created by the malware is opened, it displays a message from the attacker demanding $100, usually in cryptocurrency, for the decryption key.

The malware used is referred to as W4SP Stealer. It is able to access a variety of private information, including Telegram data, crypto wallets, Discord tokens, cookies, and saved passwords. 

One of the binaries is ransomware, which encrypts specific files and changes the victim's desktop wallpaper when executed. Soon afterwards, the same actors published numerous npm packages with identical behaviour. For the decryption key, they demand $100 in Bitcoin, XMR, Ethereum, or Litecoin.

Each of the malicious npm packages, such as discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr, contains JavaScript code that acts identical to the code embedded in the Python packages. 

Louis Lang, chief technology officer at Phylum, predicts a rise in the number of harmful packages. These packages drop binaries, which the antivirus engines on VirusTotal identify as malicious. Python and JavaScript developers are advised to follow basic dependency hygiene and stay secure.
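A pre-install screen for the kind of look-alike names described above (for example 'reqests' for requests, or 'discors.jd' for discord.js), as an added example that is not Phylum's tooling; the popular-package list and the requirements text are constructed for illustration, and a real check would load the registry's top-N names.

```python
"""Heuristic typosquat screen for package names (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of widely used names. "requests" and "discord.js" are the
# packages the article says were impersonated on PyPI and npm respectively.
POPULAR = ["requests", "urllib3", "numpy", "flask", "discord.js", "colors"]

_SEPARATORS = re.compile(r"[-_.]+")
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """Lower-case and collapse '-', '_' and '.' (PEP 503 style), so that
    'Discord.JS' and 'discord-js' compare equal."""
    return _SEPARATORS.sub("-", name.strip()).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, one DP row at a time."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular: List[str] = POPULAR,
                         max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return (popular_name, distance) pairs that `name` may be imitating.

    An exact match is the real package and yields []. Two heuristics are used:
    a small edit distance ('reqests' -> 'requests'), and a popular name
    embedded as a whole token with an extra prefix or suffix
    ('python-requests'). The token rule is noisy (requests-oauthlib is a
    legitimate package), so treat the result as a review list, not a verdict.
    """
    n = normalize(name)
    tokens = n.split("-")
    hits = []
    for p in popular:
        pn = normalize(p)
        if pn == n:
            return []
        d = levenshtein(n, pn)
        if d <= max_distance or pn in tokens:
            hits.append((p, d))
    return sorted(hits, key=lambda h: h[1])


def audit_requirements(text: str,
                       popular: List[str] = POPULAR) -> Dict[str, List[Tuple[str, int]]]:
    """Scan requirements.txt-style text and map each suspicious name to its
    candidates. Version specifiers and comments are ignored."""
    findings = {}
    for line in text.splitlines():
        m = _REQ_NAME.match(line.split("#", 1)[0])
        if not m:
            continue
        hits = typosquat_candidates(m.group(1), popular)
        if hits:
            findings[m.group(1)] = hits
    return findings


# Constructed requirements file: two typosquats and two genuine packages.
SAMPLE_REQUIREMENTS = """\
reqests==2.28.1
numpy>=1.24        # genuine
python-requests
urllib3
"""

if __name__ == "__main__":
    for name, hits in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: possible typosquat of {hits}")
```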



Cyberattack on the City of Antwerp's Servers Triggered via PLAY Ransomware

The PLAY group has warned that on December 19, it will start disclosing data that was stolen from Antwerp. The information that was stolen remains unknown.

The IT, email, and phone services in Antwerp were interrupted last week as a result of a ransomware attack on Digipolis, the IT firm in charge of overseeing the city's IT infrastructure.

According to VRT News, a cyberattack on Monday also affected the city of Diest, which has around 20,000 citizens. The gang's data leak portal is used to showcase its victims.


According to journalist Tim Verheyden of VRT News, Play is well-known in the hacker community. The United States, Canada, Bulgaria, and Switzerland have all experienced significant cyberattacks from them, and now they claim the attack on the City of Antwerp.

Brett Callow, an Emsisoft security analyst, saw that the Play ransomware campaign began mentioning Antwerp as one of its victims over the weekend. According to this Antwerp item on the data leak website, the incident resulted in the theft of 557 GB of data, including personal data, passports, IDs, and financial papers.

Data from the city has not yet been disclosed, despite the threat actors' assurances that they will start doing so in a week if a ransom is not paid.

Johan de Muynck, general manager of Zorgbedrijf Antwerpen, an Antwerp healthcare provider, warned that the system the organisation relied on to keep track of which patients should receive which medicines was not functioning at the moment. Instead of the usual computerised prescriptions, patients currently receive paper prescriptions signed by doctors.

Despite the fact that the server issues had not been fixed, Zorgbedrijf Antwerpen announced in a statement posted to its website on Monday that limited telephone access to customer service was now available as a result of an emergency fix.

5 Methods Hackers Use to Overcome Cloud Security

Nearly every major company now uses cloud computing to some degree in its operations. To protect against the biggest threats to cloud security, an organization's cloud security policy must account for how the cloud is integrated into its environment.

The vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF prohibited all attempts to do so against the cloud version by flagging the SQL injection payload as malicious.

What is cloud security?

Cloud computing environments, cloud-based apps, and cloud-stored data are all protected by a comprehensive set of protocols, technologies, and procedures known as cloud security. Both the consumer and the cloud provider are jointly responsible for cloud security. 

It helps maintain data security and privacy across web-based platforms, apps, and infrastructure. Cloud service providers and users, including individuals, small and medium-sized businesses, and enterprises, must work together to secure these systems. 

How do hackers breach cloud security?

While crypto mining is currently the primary focus of each of these operations, some of their methods may be applied to more damaging aims in the future.

1. Cloud Misconfiguration

A major factor in cloud data breaches is incorrectly configured cloud security settings. The tactics used by many enterprises to maintain their cloud security posture are insufficient for safeguarding their cloud-based infrastructure.

Default passwords, lax access controls, improperly managed permissions, data encryption left disabled, and various other issues are the usual weaknesses. Insider threats and inadequate security awareness are the root causes of many of these flaws.

A large data breach could occur, for instance, if the database server was configured incorrectly and data became available through a simple online search.

2. Denonia Cryptominer

The Denonia malware targets serverless environments running on AWS Lambda. Its operators use DNS over HTTPS (DoH), sending DNS queries to DoH-capable resolvers inside HTTPS connections. Because the lookups travel over encrypted channels, AWS cannot see the malicious DNS queries, so the malware does not trigger AWS's alerting.

The attackers also appear to have padded the binary with hundreds of lines of user-agent and HTTPS query strings as a distraction to confuse security investigators. Analysts claim that, to evade man-in-the-middle (MITM) inspection and endpoint detection and response (EDR) systems, the malware found a way to buffer the binary.
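One low-cost indicator for the DoH trick described above is a workload opening HTTPS connections to public resolvers instead of using the VPC resolver on port 53. The check below is an added example, not AWS tooling; it assumes the default (version 2) VPC Flow Log field order, and its resolver watchlist and sample records are constructed.

```python
"""Flag HTTPS flows to public DNS-over-HTTPS resolvers in VPC Flow Logs (added example)."""
from typing import Dict, List

# Default VPC Flow Log record fields, in order (version 2 format, assumed).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed, partial watchlist: well-known public resolvers that also answer
# DoH on TCP 443. Extend it with any resolver your workloads should not use.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample records from one Lambda ENI: a DoH flow, normal HTTPS to
# a web server, normal DNS to the VPC resolver (.2), and a rejected DoH attempt.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.23 1.1.1.1 49152 443 6 12 2048 1672531200 1672531260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 93.184.216.34 49153 443 6 30 9000 1672531200 1672531260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.0.2 49154 53 17 1 80 1672531200 1672531260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 8.8.8.8 49155 443 6 5 700 1672531200 1672531260 REJECT OK
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one space-separated flow-log record into a field dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def is_doh_flow(rec: Dict[str, str]) -> bool:
    """TCP/443 to a known DoH resolver. Plain DNS on port 53 is left alone:
    that traffic is visible to the VPC resolver and is not what DoH hides."""
    return (rec["protocol"] == "6" and rec["dstport"] == "443"
            and rec["dstaddr"] in DOH_RESOLVERS)


def find_doh_flows(text: str) -> List[Dict[str, str]]:
    """Return the suspicious records. Rejected attempts are kept, because a
    REJECT still shows a workload trying to reach a DoH resolver."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("version"):
            continue  # skip blanks and the header line some exports include
        rec = parse_record(line)
        if is_doh_flow(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_doh_flows(SAMPLE_FLOW_LOG):
        print(f"{rec['interface_id']} {rec['srcaddr']} -> "
              f"{rec['dstaddr']}:443 {rec['action']}")
```

Two caveats: a resolver missing from the watchlist (including a self-hosted DoH server) is not caught, and flow logs only exist for Lambda functions attached to a VPC.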

3. CoinStomp malware 

CoinStomp is cloud-native malware that targets cloud service providers in Asia for cryptojacking. To blend into the Unix environments of cloud systems, it uses a C2 channel based on a /dev/tcp reverse shell. The script then uses root privileges to install and run additional payloads as system-wide services.

4. WatchDog Cryptojacker

The WatchDog crypto-mining operation has obtained as many as 209 Monero coins. Its malware consists of a multi-part set of Go binaries; one binary emulates the Linux watchdog daemon mechanism.

5. Mirai botnet 

In order to build a network of bots that are capable of unleashing destructive cyberattacks, the Mirai botnet searches the internet for unprotected smart devices before taking control of them.

When ARC-based smart devices are infected with Mirai, they become a system of remotely operated bots. Such botnets are frequently used to carry out DDoS attacks.

Mirai is designed to exploit weaknesses in smart devices, many of which run Linux, which is common across Internet of Things (IoT) devices, and to join them into a network of infected devices called a botnet.

The WAF did not recognize the new SQL injection payload that Claroty researchers crafted using JSON syntax, yet the database engine parsed it without complaint. All of the affected vendors responded to the research by adding JSON syntax support to their products, but Claroty believes additional WAFs may also be affected.


Users' Data Exposed Due to Twitter API Security Flaw

Cybercriminals began selling the details of more than 5.4 million Twitter users on a hacking forum in July this year, after exploiting an API flaw that was made public in December 2021. A hacker has now released this information for free, just as other researchers discovered a compromise affecting millions of accounts across the EU and US.

While the majority of the data was made up of publicly available details like Twitter IDs, names, login names, localities, and verified status, it also contained private details like phone numbers and email addresses. 

Security specialist Chad Loder was the first to reveal the story, but he was suspended from the microblogging service shortly afterwards. According to Loder, they contacted a sample of the impacted accounts and concluded that the information was accurate and that the breach happened in 2021.

The information was originally stolen from Twitter by exploiting a vulnerability in the service's application programming interface (API), and it is now freely available online. Twitter was open about the initial user ID leak and API attack that affected millions of users. The platform said at the time that it was alerting users it could confirm had been affected by the data leak.

The data of 5,485,635 active Twitter users was exchanged freely on a hacking site on November 24. The initial 5.4 million data points were distributed for free in a thread that appeared on BreachForums last week, and as of the time of reporting, the forum thread was still active. Although the forum thread highlighted the other 1.4 million from restricted accounts may still be spreading exclusively in private circles, Gizmodo was unable to confirm the veracity of the information.

A breach of 17 million users would be one of the larger user data breaches, though by no means the largest given that Twitter has more than 200 million active daily users.



Report: Tax Preparation Software Returned Personal Consumer Data to Meta and Google


As per The Markup, popular tax preparation software such as TaxAct, TaxSlayer, and H&R Block sent sensitive financial information to Facebook's parent company Meta via its widely used code known as a pixel, which helps developers track user activity on their sites. 

In accordance with a report published on Tuesday by The Verge, Meta pixel trackers in the software sent information such as names, email addresses, income information, and refund amounts to Meta, violating its policies. The Markup also discovered that TaxAct sent similar financial data to Google via its analytics tool, though the data did not include names.

According to CNBC, Meta's pixel is a tiny snippet of code that publishers and businesses embed on their websites. When you visit such a site, the pixel sends a message back to Facebook. It also enables businesses to target advertisements to people based on websites they have previously visited.

Based on the report, Facebook could use data from tax websites to power its advertising algorithms even if the person using the tax service does not have a Facebook account. It's yet another example of how Facebook's tools can be utilized to track people across the internet, even if users are unaware of it. According to some statements provided to The Markup, it could have been a mistake.

Ramsey Solutions, a financial advice and software company that uses TaxSlayer, told The Markup that it "NOT KNEW and was never alerted that personal tax information was being gathered by Facebook from the Pixel," and that the company informed TaxSlayer to deactivate the Pixel tracking from SmartTax.

An H&R Block spokesperson said the company takes “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.” 

H&R Block further stated in a statement on Wednesday that it had "removed the pixels from its DIY online product to stop any client tax information from being collected."

The Markup discovered the data trail earlier this year while working with Mozilla Rally on a project called "Pixel Hunt," in which participants installed a browser extension that sent the group a copy of data shared with Meta via its pixel.
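The Pixel Hunt approach above comes down to capturing the pixel's outbound requests and looking at what rides along. Here is an added example of that review step, not code from The Markup or Mozilla Rally: it assumes the pixel reports via a GET to /tr on a facebook.com host with custom data passed as cd[<field>] query parameters, and the sample URLs and field-name list are constructed.

```python
"""Audit captured tracking-pixel requests for sensitive fields (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed list of field names that, per the report, should never reach an
# ad platform (names, e-mail addresses, income, refund amounts).
SENSITIVE_KEY = re.compile(r"name|e-?mail|income|refund|phone|ssn", re.I)
# Catches an e-mail address sent under an innocuous key.
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed custom-data parameter layout: cd[<field>]=<value>.
_CUSTOM = re.compile(r"cd\[(.+)\]")

# Constructed captures: a benign page view, a conversion event carrying
# return data, and an unrelated script load.
SAMPLE_REQUESTS = [
    "https://www.facebook.com/tr/?id=123456789&ev=PageView"
    "&dl=https%3A%2F%2Ftax.example%2Fsummary",
    "https://www.facebook.com/tr/?id=123456789&ev=Lead"
    "&cd%5Bincome%5D=85000&cd%5Brefund_amount%5D=1200"
    "&cd%5Bcontact%5D=user%40example.com",
    "https://cdn.example/app.js",
]


def parse_pixel_request(url: str) -> Optional[Dict]:
    """Return pixel id, event name and custom data, or None for non-pixel URLs."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not (host == "facebook.com" or host.endswith(".facebook.com")):
        return None
    if not parts.path.startswith("/tr"):
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    custom = {}
    for key, value in params.items():
        m = _CUSTOM.fullmatch(key)
        if m:
            custom[m.group(1)] = value
    return {"pixel_id": params.get("id"), "event": params.get("ev"),
            "custom": custom}


def sensitive_fields(req: Dict) -> List[str]:
    """Custom-data keys whose name or value looks like personal or financial data."""
    return [k for k, v in req["custom"].items()
            if SENSITIVE_KEY.search(k) or EMAIL_VALUE.match(v)]


def audit_pixel_requests(urls: List[str]) -> List[Dict]:
    """One finding per pixel request that leaks something; other URLs are ignored."""
    findings = []
    for url in urls:
        req = parse_pixel_request(url)
        if req is None:
            continue
        fields = sensitive_fields(req)
        if fields:
            findings.append({"pixel_id": req["pixel_id"],
                             "event": req["event"], "fields": fields})
    return findings


if __name__ == "__main__":
    for f in audit_pixel_requests(SAMPLE_REQUESTS):
        print(f"pixel {f['pixel_id']} event {f['event']} leaks {f['fields']}")
```

Feeding it the request log from a browser's network panel, or from an extension such as the one Pixel Hunt used, turns the report's finding into a repeatable check a site owner can run on their own pages.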

“Advertisers should not send sensitive information about people through our Business Tools,” a Meta spokesperson told CNBC in a statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Meta considers potentially sensitive data to contain information about income, loan amounts, and debt status.

“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” a Google spokesperson told CNBC. “Additionally, Google has strict policies against advertising to people based on sensitive information.”

A TaxAct spokesperson said in a statement, “The privacy of our customers is very important to all of us at TaxAct, and we continue to comply with all laws and IRS regulations. Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.”

A TaxSlayer representative did not immediately respond to CNBC's request for comment.

Data Exposed at County of Tehama, Here's All You Need to Know

The County of Tehama in California has announced that it handled a data security breach in which unauthorized parties gained access to files on its systems.

On November 17, 2022, the County of Tehama began mailing notices to individuals whose data may have been involved in the incident. The county is offering free credit monitoring and identity theft protection services to anyone whose Social Security number or driver's licence number was involved.

The county also opened an investigation and notified law enforcement. The investigation concluded that between November 18, 2021, and April 9, 2022, an unauthorised person had access to its IT network.

Further findings from the inquiry revealed that the unauthorised user had accessed files on the County of Tehama Department of Social Services' computer systems.

A special, toll-free incident response line has also been set up by the County of Tehama to address any queries people may have. Call 855-926-1376 between 6:00 a.m. and 3:30 p.m., Pacific Time, Monday through Friday if anyone has any questions about this incident or thinks their information may have been compromised.

The County of Tehama advises those whose information may have been compromised to stay alert to the danger of fraud by examining their financial account statements and promptly informing their financial institution of any suspicious activity.

Hackers Use These Five Common Ways to Hack Websites


Cybercriminals target websites of all kinds. Social media platforms, online retailers, file-sharing services and other online services can all be abused for data theft, remote access, and malware distribution. Hackers employ a variety of techniques to infiltrate websites; the top five types of attack are discussed in this article.

1. Brute force attacks 

Brute force attacks use trial and error to force a way into a website. Cryptography allows data to be stored safely, but cybercriminals are interested in the reverse process of breaking it. A hacker can use brute force to guess passwords, login credentials, and decryption keys, and the same technique can even be used to locate hidden web pages.

2. Keyloggers and Spyware

An attacker can use a keylogger to record every keystroke made on an infected device or server. It is a type of monitoring software that is widely used for data theft. For example, if someone enters their payment card information while a keylogger is active, the malicious operator will be able to spend money without the card owner's knowledge. In the case of websites, an attacker who monitors a website administrator with a keylogger may capture the credentials required to log in and gain access. Keyloggers are a type of spyware, and spyware can take many forms, such as adware and Trojans.

3. Man-in-the-Middle Attacks

A malicious actor eavesdrops on private sessions in a Man-in-the-Middle (MitM) attack. The attacker will place themselves between a user and an application in order to gain access to valuable data that they can exploit. Instead of simply eavesdropping, the attacker could pretend to be a legitimate party.


Because much of the intercepted data may be encrypted via an SSL or TLS connection, the attacker must find a way to break this connection in order for the data to be interpreted. If the malicious actor is successful in making this data readable, such as through SSL stripping, they can use it to hack websites, accounts, and applications, among other things.

4. Remote Code Execution 

Remote Code Execution (RCE) is a fairly self-explanatory term. It entails the execution of malicious computer code from a remote location through a security flaw. Remote code execution can take place over a local network or the internet. This enables the attacker to gain physical access to the targeted device and infiltrate it.

An attacker can steal sensitive data and perform unauthorized functions on a victim's computer by exploiting an RCE vulnerability. Because this type of attack can have serious consequences, RCE vulnerabilities are (or should be) taken very seriously.

5. Third-Party Exploits

Thousands of businesses around the world rely on third-party vendors, particularly in the digital realm. Many applications act as third-party service providers for online businesses, whether they process payments, authenticate logins, or provide security tools. However, third-party vendors can also be used as a way into their clients' websites.

Attackers can take advantage of a security vulnerability, such as a bug, in a third-party vendor. Some third-party applications and services have lax security measures, making them vulnerable to hackers. This exposes sensitive data from a website to the attacker for retrieval. Even if the website has advanced security features, the use of third-party vendors can be a weakness.

Unfortunately, even when we use the proper security measures, websites and accounts are still vulnerable to attacks. As cybercriminals improve their methods, it becomes more difficult to detect red flags and stop an attack in its tracks. However, it is critical to be aware of the tactics used by cybercriminals and to employ the proper security practices to protect yourself as much as possible.


FBI Nearly Adopted NSO's Spyware

According to a report published by the New York Times on Saturday, several agents from the US Federal Bureau of Investigation worked to enhance the rollout of Pegasus, the notorious phone-hacking program created by Israel's NSO Group. 

What is Pegasus?

Once installed, Pegasus spyware enables the user to fully manage a target's phone, allowing them to see messages, listen in on calls, and access the phone as a remote listening device.

Significant numbers of human rights activists, journalists, politicians, and corporate executives were reportedly designated as potential targets of NSO's Pegasus program, which has caused criticism for the Israeli company responsible for its development. 

When smartphones are infected with Pegasus, they effectively become portable surveillance tools that can be used to read the target's messages, browse through the images, or even switch on the user's camera and microphone secretly.

FBI Purchased Pegasus 

The highly classified files, provided to the Times in response to a FOIA request, reveal that agency officials had developed guidelines for federal prosecutors on how to disclose Pegasus usage in court proceedings and had made progress in arranging briefings for FBI leadership on the malware.

The FBI has asserted that Pegasus was never used to assist an FBI investigation: it only obtained a restricted licence for product testing and evaluation. "There was no functional use in support of any investigation," the statement read.

The announcement represents a clear admission by the FBI that it purchased Pegasus, one of the most advanced hacking tools in existence.

Earlier this year, the press reported that the FBI had examined NSO's Phantom software, which is capable of hacking US phones. After learning that NSO's hackers were linked to human rights violations around the world, and as negative press about the technology spread, the FBI eventually decided against using it.

The New York Times broke the news of the FBI's acquisition of Pegasus in 2019 while the Trump administration was in control. However, the bureau has still not ruled out the potential of using comparable technology in the future, the report said, citing recent court records.

A legal brief submitted on the bureau's behalf last month stated that "just because the FBI eventually decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate, and potentially deploy other similar tools for gaining access to encrypted communications used by criminals."



Medibank's Hackers will be Hacked in Australia



Threat actors behind the Medibank hack that compromised nearly 10 million customers' private information are being hunted by the Australian government, cyber security minister Clare O'Neil said. 

A hack on Medibank's computer, which was attributed to Russian cybercriminals, was announced by the Australian Federal Police on Friday afternoon. 

The Russian embassy in Australia has expressed disappointment that the AFP identified Russian-based criminals as the culprits without contacting Russian officials before the public announcement. 

In the statement released by the Consulate on Friday evening, the consulate mentioned that it encouraged the AFP to promptly contact the respective Russian law enforcement agencies to seek assistance. 

Combating cybercrime that adversely affects the lives of citizens and damages businesses is a complex task that demands a cooperative, non-political and responsible approach from all members of the international community. 

It was announced on Saturday that the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) have signed an agreement on the creation of a comprehensive policing model which will take into account both the Optus and Medicare data breaches and effectively deal with the criminals behind them. 

"Around 100 officers from these two organizations will be a part of this joint standing operation, and many of these officers will be physically co-located with the Australian Signals Directorate," she said.

As Ms. O'Neil pointed out, officers report to work every day of the week. The goal is to deal with these gangs and thugs in the most effective manner possible. 

Ms. Saunders explained that with this partnership the Australian Government has formalised a standing body that will be responsible for the day-to-day pursuit and prosecution of the criminals behind these malicious crimes against innocent people, and that will hunt them down day in and day out. 

A group of the smartest and most determined people in Australia will be collaborating to track down the hackers. 

A New Permanent Policing Model 

In a statement, Attorney General Mark Dreyfus described the situation as "extremely distressing."

In response to the attack, the government released a statement stating that it would do everything it could to limit the impact of this horrible crime. It would also provide support and comfort to the families and friends of those who are affected. 

Dreyfus said in his remarks that the updated partnership between the AFP and the ASD aimed at fighting cyber criminals will be a permanent and formal agreement. 

The AFP, he explained, works full-time on this issue, and they are working with international partners, such as the FBI, which has done great work on this problem, with the assistance of their international partners, including the United Nations. 

As part of the investigation, AFP Commissioner Reece Kershaw on Friday said officers were also working with Interpol to track down the perpetrators of the crime. 

"We know who you are," he said. In the area of bringing overseas offenders back to Australia to face the justice system, it has been noted that the AFP has been doing a good job on the scoreboard. 

A Review of Australia's Diplomatic Relations With Russia is Currently Taking Place

There will be no slowdown in the work of the national security agencies because diplomatic channels with Russia will remain open concerning extradition, according to Mr. Dreyfus. 

According to the president of the Russian Federation, Russia should do all that it can to protect its citizens from engaging in these kinds of crimes, while within its borders. 

In a statement, Mr. Dreyfus said that his government is taking a close look at the options available to it. This is because it wants to maintain Russia's diplomatic profile in Australia. 

In regards to our diplomatic channels, we would like to maintain them as long as they are appropriate for our national interests. However, diplomatic profiles must always be consistent with that. 

A spokesman for the opposition's cyber security wing, James Paterson, said that the disclosure could have broad implications for Australia's Magnitsky regime. Those who violate the law are subject to this.

The regime, passed with bipartisan support from the Republican and Democratic Parties, makes it possible to impose targeted financial sanctions and travel bans in response to serious corruption and significant cyberattacks. 

At a press conference earlier today, Prime Minister Albanese told reporters he was dismayed and disgusted by the actions of those who committed this crime. He authorized AFP officials to release the details as a matter of public interest. 

In the recent past, hackers have released more information about some of the medical records of their customers on the dark web, including information about abortions and alcoholism. 

A ransomware attack was carried out by a criminal group targeting Medibank's data, which resulted in close to 500,000 health claims, along with personal information, being stolen. 

There are several mental health and other support services available through Medibank's Resources Page, which is available to affected customers.

Medibank: Hacker Gained Access to 9.7M Customers' Data and Refuses to Pay a Ransom

 

On Monday, Medibank Private Ltd (MPL.AX), Australia's largest health insurer, stated that no ransom payment will be made to the criminal responsible for a recent data theft in which the data of approximately 9.7 million current and former customers was compromised. 

Highlighting the findings of the firm's investigation thus far, Medibank confirmed that the data theft accessed the name, date of birth, address, phone number, and email addresses of approximately 9.7 million current and former customers. Cyber security issues in Australia have skyrocketed in recent years, according to a government report, with one attack occurring every seven minutes.

"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," Medibank CEO David Koczkar said.

Paying a ransom could encourage the hacker to directly extort customers, causing more people to suffer, according to Koczkar. The insurer reiterated that business operations remained normal during the cyberattack, with customers continuing to have access to health care.

Medibank has warned its customers to be cautious because the criminal may leak the data online or attempt to contact them directly.

In the last few weeks, Singapore Telecommunications' (STEL.SI) unit Optus disclosed a breach of up to 10 million customer accounts, and Woolworths (WOW.AX) revealed that the data of millions of customers using its bargain shopping website had been compromised.  

Medibank has announced that it will commission an external review in order to learn from the cyberattack, as well as expand its Cyber Response Support Program. 

Cyberattacks Spam Child Abuse on Facebook

When a reputable martial arts instructor posts child exploitation content on his Facebook page and spends a lot of money on Vietnamese ads for fishing rods, something is obviously wrong. However, according to Jihad Bekai, head of the G-Force martial arts school in Melbourne, it has been extremely hard to persuade Facebook's owner Meta of that. 

Bekai was a victim of Facebook hackers last month. They employed a well-known and popular ruse that involves uploading images of child sexual assault on a user's personal Facebook page. 

As a result, Facebook automatically responds by banning the user for breaking its 'community standards.' While the user is occupied with the aftermath and attempting to regain access to Facebook, the hackers pursue their true objective, which is typically a credit card connected to a business page the user manages.

In addition, Bekai claimed he had been caught in a frustrating feedback loop with Facebook, whose online customer service forms fail to recognize the absurdity of his situation. Over the course of a month, the hackers ran up more than 50 charges totaling more than $1000 on Bekai's credit card for Facebook ads. 

Bekai asked, "If their artificial intelligence is so good that it can detect child pornography, why can't it put two and two together and realize it would be unusual for me to be doing 10 years of martial arts videos and suddenly decide child pornography is my thing, so much so that I want to display it online for everyone to see in a public post."

Bekai's martial arts school advertises only through social media, and his Facebook profile is one of the main ways potential customers learn about his business. Bekai lost access to the Facebook and Instagram accounts for the school. He also runs a Melbourne martial arts competition and a cafe, and he can no longer access those social media profiles either.

Hackers gained access

Bekai claimed that the thing that aggravates him the most about being a target of Facebook hackers is that he appeared to take all the necessary precautions to protect his accounts. He claimed that the hackers seem to have gained access to his accounts by somehow designating themselves as an admin on his Facebook Commerce account, which brings together personal and business sites as well as credit cards in one location.

That email, which Bekai initially dismissed as spam, was followed by another informing him that a second person had been added to the account. He said that out of desperation he had turned to a lawyer to draft a legal notice to Meta on his behalf. He had also reported the incident to the Australian Cyber Security Centre (ACSC) but has not yet heard back.

In Australia, the ACSC is receiving reports of cybercrime once every seven minutes as the number of incidents rises, according to a report released on Friday. It is important to note that major social media companies have faced criticism in the past for fake news, hate speech, and misinformation that spread on their platforms. There have also been repeated calls to hold these companies more accountable.