
French Government Messaging Platform Tchap Breached After Hijacked User Account Attack


A surprise alert came from Paris when officials revealed a security flaw in Tchap, the nation’s encrypted chat system. Through a hijacked login, intruders slipped inside without immediate detection. Only later did analysts at the country's cyber defense unit spot unusual activity. Their probe began quietly, tracing paths taken and files touched during the unauthorized visit. Questions now linger about what data could have been seen or copied in the gap before discovery. 

Starting in 2018, France's DINUM introduced Tchap alongside the country’s cybersecurity body, ANSSI. Built using the Matrix framework, this tool serves only state workers and official institutions through secure chats and teamwork functions. Since launch, usage expanded - now counting above 300,000 people logging in each month, with half a million installs just on Android. Growth picked up speed when Prime Minister François Bayrou advised staff to switch work conversations to Tchap rather than rely on non-European apps. 

Later that week, signs of intrusion appeared on the interface - ANSSI spotted irregular behavior tied to one logged-in profile. That channel got shut down fast, stopping extra breaches. From there, scrutiny turned to stored records, checking what exchanges or documents might have leaked. Though control slipped briefly, response narrowed the risk without delay. Even though no breach occurred, France's digital agency reached out to CNIL due to possible exposure of personal details via the app. 

While public discussions remain accessible to verified participants, those conversations lack encryption safeguards. Because privacy risks exist, officials emphasize handling delicate data strictly within protected one-on-one exchanges. Only secured channels offer the level of protection needed for such content. Over the weekend, someone took credit for the incident, saying they got in by manipulating people rather than exploiting code. 

Though officials haven’t shared specifics about how it happened, the claim points to deception as the entry method. Access reportedly began with an account tied to Tchap’s school-focused systems. From there, information visible within that account was gathered without permission. Among the claims made was access to fixed LDAP login details, left visible inside a PowerShell file circulated by someone working for the state. 

It followed that large volumes of data - over 13 gigabytes - were reportedly copied, spanning both documents and multimedia content. From those materials emerged close to 650,000 individual messages. Account-related records tied to over seventy-three thousand users were pulled apart, revealing emails, affiliations, scheduled call URLs, plus background system logs. 

A separate assertion pointed to how easily such scripts could expose sensitive internal structures. Still examining the reports, investigators work to measure how far the effects reach. When hackers trick users or steal logins, even coded messaging apps can fail - this case shows it once again.
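The claimed entry point above, fixed LDAP login details left in a PowerShell file, is the kind of defect a pre-commit secret scan catches. The following is an added example, not code from the article or from Tchap/DINUM; the sample script, hostnames and credential values are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample PowerShell script (not from the incident) containing the
# kind of fixed LDAP bind credentials the article describes.
SAMPLE_PS1 = r'''
# sync-users.ps1 (constructed example)
$ldapServer = "LDAP://dc01.example.invalid/DC=example,DC=invalid"
$bindUser = "CN=svc-sync,OU=Service,DC=example,DC=invalid"
$bindPassword = "Winter2024!"
$secure = ConvertTo-SecureString "Winter2024!" -AsPlainText -Force
$entry = New-Object System.DirectoryServices.DirectoryEntry($ldapServer, $bindUser, "Winter2024!")
$uri = "ldap://svc-sync:Winter2024!@dc01.example.invalid"
$cred = Get-Credential   # fine: prompts at runtime
$token = $env:SYNC_TOKEN # fine: read from the environment
'''

# Detection patterns for literal secrets in PowerShell: (finding name, regex).
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("plaintext-password-variable",
     re.compile(r'\$\w*(?:pass|pwd|secret)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("convertto-securestring-literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("directoryentry-literal-bind",
     re.compile(r'DirectoryEntry\s*\([^)]*,\s*["\'][^"\']+["\']\s*\)', re.I)),
    ("ldap-url-with-userinfo",
     re.compile(r'ldaps?://[^/\s:@]+:[^/\s@]+@', re.I)),
]


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_name, line) for each line holding a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        for name, rx in PATTERNS:
            if rx.search(line):
                findings.append((lineno, name, stripped))
                break  # one finding per line is enough for a report
    return findings


def redact(line: str) -> str:
    """Mask quoted literals so the scan report does not re-leak the secret."""
    return re.sub(r'(["\'])[^"\']+\1', r'\1***\1', line)
```

Run `scan_script(SAMPLE_PS1)` and print each hit through `redact` to get a report that names the offending lines without copying the password into logs or tickets.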

Signal Plans New Security Measures After Russian Hackers Hijack Hundreds of Accounts


Following revelations that hackers tied to the Russian government breached numerous German users' accounts via focused phishing schemes, Signal, a secure messaging service, moves to strengthen its defenses. Though the core encryption stays intact, manipulation tactics targeting people - not systems - spark renewed alarm among experts. Some reports suggest around 300 people in Germany faced incidents, including prominent politicians.

The head of the German parliament ranked among them, showing a shift toward targeting authorities, campaigners, and well-known personalities. Though less common before, such actions now point to more deliberate choices by offenders. What happened did not involve any break-in at Signal’s core security setup. Their encryption methods stayed intact throughout the incidents. Hackers found another path - using deceptive messages aimed directly at people. 

These tricks led some users to hand over private login details without realizing it. The app itself remained untouched, including its built-in privacy safeguards. Reportedly, fake messages came from someone pretending to be "Signal Support," arriving straight in user inboxes. Instead of ignoring them, some people gave up their single-use login codes, personal Signal PINs, along with backup account information. 

With that data in hand, intruders then activated the targeted accounts on separate devices. Private conversations became reachable - all because stolen details allowed full transfer control. Earlier warnings came from security experts across Europe, along with U.S. agencies like the FBI, flagging such tactics recently. Phishing efforts resembling these have drawn attention due to their repeated appearance. 

Targets included individuals speaking out against China’s policies, according to reports. These patterns hint at coordinated monitoring backed by governmental support. Observers note the consistency in techniques points beyond random attacks. Human behavior plays a central role in these breaches, differing from conventional hacks targeting code flaws. 

Instead of cracking software defenses, intruders gain access by persuading individuals to disclose credentials. Once granted entry through trust rather than force, encrypted environments offer little resistance. Security analysts observe a shift: tricking people now works better than overcoming digital barriers. What used to require complex tools now succeeds with conversation. Now working on new protections, Signal aims to make scam detection easier for its users. 

Without revealing exact details, the team mentioned updates targeting phishing-driven breaches. These adjustments will start appearing within weeks. Changes are expected to limit how often accounts get compromised through deceptive messages. Although the group operating Signal emphasizes strong privacy safeguards, these very protections reduce how much information they can gather. 

Because messages are secured with end-to-end encryption, personal chats remain hidden even from the service itself. Limited access to usage details means deeper inspection of scam attempts becomes difficult. Only minimal traces of activity stay visible, due to built-in system constraints. Later updates show Signal warning people: real support teams won’t message inside the app, on social platforms, by text, or by call asking for logins, access codes, or personal IDs. 

Messages from the team arrive strictly via confirmed accounts ending in @signal.org, according to their statement. Communication like this stays limited - no exceptions appear. Despite strong encryption, hacking through stolen credentials shows weaknesses still exist at the human level. With scams now harder to spot, specialists stress vigilance alongside tools like two-step checks - protection depends on behavior, not code alone.

New Cuttlefish Malware Hijacks Router Connections, Cloud Data Stolen


In the ever-evolving landscape of cybersecurity threats, a new menace has emerged: Cuttlefish. This sophisticated malware targets enterprise-grade and small office/home office (SOHO) routers, posing a significant risk to both businesses and individual users alike. 

Discovered by Lumen Technologies' Black Lotus Labs, Cuttlefish operates by infecting routers and creating a proxy or VPN tunnel to stealthily exfiltrate data. By doing so, it bypasses security measures designed to detect unusual sign-ins, making it particularly insidious. One of the most concerning aspects of Cuttlefish is its ability to perform DNS and HTTP hijacking within private IP spaces. 

This interference with internal communications can disrupt organizational workflows and potentially introduce additional payloads, compounding the damage caused by the initial infection. While Cuttlefish shares some code similarities with HiatusRat, a malware previously associated with Chinese state interests, there is no definitive link between the two. Attribution remains challenging, further complicating efforts to combat this threat effectively. 

According to Black Lotus Labs, Cuttlefish has been active since at least July 2023, primarily targeting users in Turkey. However, infections have been reported elsewhere, impacting services such as satellite phones and data centres. The exact method of initial infection remains unclear, but it likely involves exploiting known vulnerabilities or brute-forcing credentials. Once inside a router, Cuttlefish deploys a bash script to collect host-based data and download its primary payload. 

What sets Cuttlefish apart is its adaptability to various router architectures, making it a versatile threat capable of targeting a wide range of devices. Once executed, the malware monitors all connections passing through the router, searching for specific data such as usernames, passwords, and tokens associated with cloud services like AWS and Digital Ocean. Once this data is captured, Cuttlefish exfiltrates it to the attacker's command and control (C2) server using a peer-to-peer VPN or proxy tunnel.

Additionally, the malware can redirect DNS and HTTP requests to actor-controlled infrastructure, enabling further data interception and manipulation. Cuttlefish severely threatens organizations worldwide, allowing attackers to bypass traditional security measures and dwell undetected within cloud environments. Network administrators should take proactive steps to strengthen their defences to mitigate the risk posed by Cuttlefish and similar threats. 

This includes eliminating weak credentials, monitoring for unusual logins, securing traffic with TLS/SSL encryption, and inspecting devices for signs of compromise. Additionally, regular router reboots, firmware updates, and password changes are recommended for SOHO router users to prevent exploitation.  

Cuttlefish represents a significant escalation in cyber threats, underscoring the importance of robust cybersecurity practices and constant vigilance in today's digital landscape. Organizations can better protect themselves against emerging threats like Cuttlefish by staying informed and implementing proactive security measures.

Windows 7 Remains Vulnerable to Blind TCP/IP Hijacking Attacks


Adam Zabrocki, a security researcher, warned Windows users that Windows 7 remains susceptible to blind TCP/IP hijacking attacks. Zabrocki reported the vulnerability to Microsoft eight years ago.

Windows 7 was launched in 2009 and reached its end of life a year ago, meaning users no longer receive security updates. In 2008, Adam Zabrocki created a proof of concept of this venerable attack methodology with Windows XP as the target. In 2012, a security researcher notified Microsoft of the same TCP/IP vulnerabilities that made the attack feasible in Windows 7 and all subsequent versions. 

Microsoft only patched the bug in Windows 8 and considered the bug “very difficult” to exploit. Nearly one in four PCs is still running the old operating system and is potentially susceptible to this form of cyber-attack. In 1994, Kevin Mitnick orchestrated the most infamous blind TCP/IP hijacking strike against the computer systems of Tsutomu Shimomura at the San Diego Supercomputer Centre on Christmas day. 

The impact of TCP/IP hijacking attacks is not as severe as it was some years ago. If a threat actor hijacks an established TCP/IP session but the upper layer properly applies encryption, the attacker's options for what they can do with the session are limited, assuming the attacker cannot generate valid encrypted messages.

However, one thing that persists is “widely deployed protocols which do not encrypt the traffic, e.g., FTP, SMTP, HTTP, DNS, IMAP, and more” that would allow a threat actor to “send any commands on behalf of the original client”, Zabrocki explained.

Zabrocki sent packets to the victim host and used the IP header to infer how many packets the victim had sent between each probe. This laid the path to a ‘covert channel’ via which Zabrocki could uncover the client's IP address and port, and the sequence numbers for both client and server.