Search This Blog

Showing posts with label IP Address. Show all posts

VPN Split Tunneling: A Better VPN Option?


As long as your VPN connection is encrypted, you can protect your privacy and security because you cannot see your IP address. A VPN is an application that offers users a secure tunnel through which they can send and receive data securely from and to their devices. 

A cybercriminal (crime ring, invasive advertiser, etc.) attempting to spy on your online activities so as to discover your VPN's IP address, instead of your own, which sabotages your privacy will be met with 'built-in encryption' which will prevent him from intercepting your traffic. 

Using a virtual private network can also be a great way to circumvent geographic restrictions on online content, allowing you to watch content that isn't available in your region or country.  

It would be extremely useful to have this feature while connected to a local area network (LAN), to be able to access foreign networks and at the same time protect bandwidth by accessing foreign networks. There is no need to worry about security threats when you are accessing a network printer or downloading sensitive files, for example.   

Due to the encryption applied to all data traveling through it, you may experience slower network speeds and bandwidth issues when using a VPN.

Split Tunneling - What Does it Mean? 

The splitting of tunnels is a feature that many VPN software providers offer so that you can choose which apps, services, and games connect to your VPN and which are connected to your standard Internet connection. An encryption-based VPN setup is different from regular VPN setups, which send all traffic on your system, regardless of its origins or destinations, through an encrypted tunnel on your system. Using split tunneling will allow you to use your standard connection when you wish to use your VPN and disable it when you desire additional security as you would need to do otherwise.  

Newer split tunneling techniques usually allow you to choose which apps you want to secure and which apps you want to leave open. It is possible to send some of the internet traffic through an encrypted VPN tunnel and allow the rest of it to travel through another tunnel that is available on the open internet through a VPN split tunnel connection. There is a default option in the settings of a VPN which routes 100% of the internet traffic through the VPN, but if you require higher speeds while encrypting certain data and being able to access the local devices, then splitting tunneling might be an option for you. 

You might find this to be a helpful feature if you are trying to keep some of your traffic private, yet at the same time want to maintain access to some device on your local network. Thus, you can have access to both local networks as well as foreign networks at the same time. Additionally, you can save some bandwidth in the process by using this method. 

The VPN Split Tunneling Process: How Does it Work?

Having the ability to split the tunnel through a VPN is a very useful feature because it allows you to select what data you wish to encrypt via a VPN and what data you wish to leave open for other users to see. Traditionally, a VPN is used to route your traffic over a private network through a tunnel that is encrypted to ensure integrity. 

Using VPN split tunneling, you can route some traffic from your applications or devices through a VPN. You can also point other applications or devices to the internet directly, while others are routed through an encrypted VPN.

If you want to enjoy the benefits of services that perform best when your location is recognized while enjoying the security of accessing potentially sensitive communications and data through this method, it may be particularly useful to you.  While considering this option, it is essential to keep in mind that there can be some security risks involved. 

Split tunneling is a technique that encrypts your traffic like a VPN and it comes with two main benefits: speed and security. The full tunnel option is the most secure because all traffic is routed through your VPN connection, making it the safest option; however, since there is so much traffic to be encrypted, it will also result in slower speeds. This is because when all traffic passes through headquarters, the infrastructure gets overloaded as well. 

Split tunneling allows you to only send a small amount of your traffic through a VPN, which means that things like video streaming and video calls will have better performance, and this will mean that the infrastructure in HQ will be under less strain because only part of your traffic goes through a VPN. 

Split tunneling is beneficial in terms of conserving bandwidth since it allows you to use less of it. You will be able to enjoy faster internet access by choosing certain applications to send traffic through the VPN server, which will not clog up your bandwidth as it will filter applications through the VPN server. 

It is planned to offer a complete split tunneling solution within the next few months as NordLayer works on this area. NordLayer is currently only able to assist us partially in resolving the use cases related to split tunneling. 

Split Tunneling is Advantageous for VPNs 

There may be a situation where VPN split tunneling is not a suitable choice for all organizations, but it is an option you can set up when setting up your VPN service. VPNs are often a problem for organizations with restricted bandwidth, primarily because the VPN is responsible for encrypting the data and sending it to a server located in another location at the same time. Without split tunneling, performance issues can result in the implementation of a virtual private network. 

Ensure Bandwidth Conservation

Split tunneling is a method that allows traffic that would have been encrypted on one tunnel to be sent through the other tunnel that is likely to transmit more slowly, as opposed to being encrypted by the VPN. In the case of routing traffic through a public network, there is no need to encrypt the traffic, which leads to improved performance. 

Connect Remote Workers Securely

Through a VPN, remote employees can have access to sensitive files and email that they would normally be unable to get to without a secure network connection. Additionally, their internet service provider (ISP) can also offer them access to other internet resources at a faster speed, allowing access to a wider variety of resources.

Developing a Network For the Local Area Network (LAN)

A VPN may prevent you from accessing your LAN when connected to it through encryption. Split tunneling allows you to use LAN resources like printers, while still utilizing VPN security and also having access to local resources like printers through your local network. 

Without the use of foreign IP addresses, stream content 

The ability to stream YouTube videos while traveling abroad is a very convenient way to get access to web services that rely on an IP address local to that area of the globe. When the split tunneling feature is enabled on the VPN, you will be able to use websites and search engines that work better when they know your location in your home country, and you will be able to access content in your home country by connecting to your VPN.

Microsoft Issues Alert Over Rise in Advanced Phishing Scams

Microsoft has issued a warning regarding a surge in sophisticated phishing scams targeting individuals and organizations. These scams employ advanced tactics to deceive users and steal sensitive information. With an increasing number of people falling victim to such attacks, it is crucial to stay vigilant and implement necessary precautions.

Phishing scams involve cybercriminals impersonating trusted entities to trick individuals into revealing personal information, such as passwords, credit card details, or social security numbers. The scams typically rely on social engineering techniques and fraudulent emails or messages designed to appear legitimate.

According to Microsoft, the new wave of phishing scams has become more sophisticated and harder to detect. Attackers are utilizing residential internet protocol (IP) addresses instead of traditional data center IPs to evade detection by security systems. By operating through residential IPs, scammers can bypass security filters that typically flag suspicious activity from data center IPs.

These phishing campaigns often target high-value individuals, such as company executives or employees with access to sensitive data. Scammers employ persuasive language, urgency, and personalized information to deceive their targets and convince them to take action, such as clicking on malicious links or providing confidential information.

To protect against these sophisticated phishing attacks, Microsoft advises individuals and organizations to implement multi-factor authentication (MFA). By enabling MFA, users must provide additional verification, such as a unique code sent to their mobile device, in addition to their password. This adds an extra layer of security and makes it significantly harder for attackers to gain unauthorized access.

Furthermore, individuals should remain cautious when interacting with emails or messages, especially those that request sensitive information or seem suspicious. It is essential to scrutinize sender addresses, look for signs of grammatical errors or inconsistencies, and avoid clicking on links or downloading attachments from unknown sources.

Organizations must prioritize cybersecurity awareness training for employees to educate them about the latest phishing techniques and the potential risks they pose. Regular training sessions and simulated phishing exercises can help individuals develop a strong sense of skepticism and recognize the warning signs of a phishing attempt.

Malicious Attacks Use Log4j Bugs


An increasingly popular form of fraud that utilizes legitimate proxyware services to hijack legitimate ones has been identified by threat actors. Some services allow people to sell Internet bandwidth to third parties to make extra money. According to researchers from Sysdig Threat Research Team (TRT), large-scale attacks exploiting cloud-based systems can bring cybercriminals hundreds of thousands of dollars of passive income per month by exploiting this vector - dubbed "proxy jacking" - that is used by attackers to obtain access to the server. 

Many companies now charge customers a fee for using a different Internet Protocol (IP) address when watching YouTube videos that aren’t available in their region, scraping and surfing the web without attribution, or browsing dubious websites without attribution of their IP address. This kind of service can be found in dozens of companies now. 

As part of the proxyware ecosystem, you can find legitimate businesses overseas selling it as proxyware. These businesses include IPRoyal, Honeygain, and Peer2Profit. The concept has, as expected, also attracted the attention of cybercriminals, and its potential can also be exploited. 

As proxyware services have grown and become popular in recent years, proxy jacking has become an increasingly prevalent phenomenon brought about by this growing use. Proxyware services offer legitimate and non-malicious applications or software that can be installed on any internet-connected device as long as it is not connected to malicious websites or programs. 

When you run this program, you share your internet bandwidth with others when the program is asked to share an IP address with you. 

Sysdig says proxy hacking could even be as lucrative and easier to commit as it is less computationally demanding and energy-consuming than actual hacking because it uses less energy. 

This report claims that an attacker sold the victim's IP addresses to proxyware services for profit to profit from the attack. There is a method known as proxy jacking. This is where a threat actor installs proxyware on an unsuspecting victim's computer to segment their network. The goal here is to resell bandwidth to compromised devices for a price of $10 per month, allowing the operation to be profitable. Victims are consequently exposed to higher costs and risks than they would otherwise be. 

IP addresses can also be abused to commit crimes in a variety of ways, including as a means to steal personal information. The Cisco Talos Intelligence Group and AhnLab Security researchers have identified that in recent years attacks have been perpetrated where, without a person's knowledge, the IP address of their device has been permanently changed and infected adware has been used to secretly take over the device. Neither company isolated the practice from crypto mining, which involves hacking into compromised systems and mining cryptocurrency. 

Log4j vulnerability was discovered by Chinese researchers in December 2021, and reported by many news outlets. In response to the issue, governments and businesses around the globe launched a global initiative designed to address it. Cybercriminals still exploit this bug to gain access to sensitive information. It has been reported that millions of computers still run vulnerable versions of Log4j based on data from the security company Censys. Various data can be recorded and stored with this software, depending on the service and device being used. 

Even though other attacks have been seen in proxy jacking incidents, researchers believe that the Log4j vulnerability appears to be the most popular method of attack. 

Mike Parkin, director of Vulcan Cyber's security operations, said in an interview that if Log4j's "long tail" is anything to go by, then it will take a while before the number of vulnerable systems will just disappear altogether. 

As per Sysdig's identification of the case, hackers exploited the Kubernetes infrastructure by exploiting the services it offers. Kubernetes container orchestration system is an open-source system for orchestrating software container deployment. Specifically, the hackers exploited a vulnerability in Apache Solr. This vulnerability, if not patched, makes it possible for them to take control of the container and execute a proxy jacking attack on the container. 

It is estimated that the amount of money an attacker can net from crypto-jacking and proxy jacking will be about the same each month - proxy jacking is even likely to be more lucrative today given the current crypto-exchange rates and proxyware payment schedules. 

There is, however, no doubt that most monitoring software will use CPU usage (and it's for very good reason) as one of their first (and most important) metrics. Proxy jacking has minimal system impact. A single gigabyte of traffic spread across a month would be the equivalent of tens of megabytes a day - very unlikely to make a noticeable impact. 

You should remember that the IP address market can often lead to other problems. Several researchers have suggested that it is still possible for your internet bandwidth to be misused or stolen if you sell it knowingly to a proxyware service, according to Sysdig's and other researchers' findings. 

As easy as purchasing and using your shared internet, an attacker can do the same to launch an attack against you. Researchers from Sysdig explained how malicious attackers employ proxy servers to conceal command, control activities, and identify information.

 Crucial US military Emails was Publicly Available

A US Department of Defense exposed a server that was leaking private internal military emails online Security researcher Anurag Sen discovered the unprotected server, which was "hosted on Microsoft's Azure federal cloud for Department of Defense customers," according to a TechCrunch report.

The vulnerable server was housed on Microsoft's Azure federal cloud, which is available to Department of Defense clients. Azure uses servers that are physically isolated from other commercial customers so they can be utilized to share private but sensitive government information. The exposed server was a component of an internal mailbox system that included around three terabytes of internal military emails, a lot of them regarding the USSOCOM, the US military organization responsible for carrying out special military operations.

Nevertheless, due to a misconfiguration, the server was left without a password, making it possible for anyone with access to the internet to access the server's IP address and view the server's important mailbox data.

The server was filled with old internal military emails, a few of which contained private information about soldiers. A completed SF-86 questionnaire, which is filled out by government employees seeking a security clearance and contains extremely sensitive personal and health information for screening people prior to being cleared to handle classified information, was included in one of the disclosed files.

As classified networks are unreachable from the internet, TechCrunch's scant data did not appear to be any of it, which would be consistent with USSOCOM's civilian network. In addition to details regarding the applicant's employment history and prior living arrangements, the 136-page SF-86 form frequently includes details about family members, contacts abroad, and psychiatric data.

A government cloud email server which was accessible through the web without a password was made public and the US government was notified about it. Using just a web browser, anyone could access the private email data there.

 Massive DDoS Attack was Thwarted by Cloudflare


Prioritized firms like gaming providers, hosting providers, cloud computing platforms, and cryptocurrency enterprises, according to Cloudflare, emanated from more than 30,000 IP addresses.
The greatest volumetric distributed denial-of-service (DDoS) attack that Cloudflare has seen to date was stopped.

The greatest attack, which is the largest documented HTTP DDoS attack, topped 71 million rps, per Cloudlare's analysis. The volume is 35% greater than the previous record, 45 million rps from June 2022, which had been recorded.

The FBI accused six suspects of their involvement in running 'Booter' or 'Stresser' platforms, which anybody can use to execute DDoS attacks, in response to this stream of continuously escalating attacks, and seized dozens of Internet domains. Operation PowerOFF, a larger, more coordinated worldwide law enforcement operation against DDoS-for-hire services, included the action.

Cloudflare has been collaborating with the victims to strike down the botnet and is providing service providers with a free botnet threat feed that will transmit threat intelligence from their IP and any ongoing attacks coming from their hosted autonomous system.

Researchers cautioned entities to take action immediately before the next campaign: protecting against DDoS attacks is crucial for organizations of all sizes, even while DDoS attacks on non-critical websites might not result in permanent harm or safety hazards. DDoS attacks against internet-facing equipment and patient-connect technology in the healthcare industry put patients' safety at risk.

Following a Hack, CircleCI Advises Customers to Rotate all Secrets


Following a breach of the company's systems, CircleCI, whose development products are popular with software engineers, has advised customers to rotate their secrets. This is to prevent a repetition of this incident. 

There are more than one million engineers who use the CI/CD platform as they expect to achieve the "speed and reliability" of their builds by relying on the service. An alert is sent to users about the incident by CircleCI. Currently, CircleCI is investigating a security incident, as indicated by emails that users have received from CircleCI regarding this incident. 
To be on the safe side, users are advised to rotate all secrets stored in CircleCI until the company concludes its investigation. The CircleCI CTO, Rob Zuber, wrote in a succinct advisory published on Wednesday that they will provide you with updates as soon as they become available about this incident. 

It was found that CircleCI believes that there are no unauthorized actors active in their system at this point; however, in the spirit of being extra cautious, they would encourage all customers to take the necessary precautions to ensure that their data is protected. It is recommended that customers should rotate both the secrets that are stored in project environment variables and within context variables.
CircleCI has invalidated API tokens used in projects, and users will be required to replace these tokens before they can start using CircleCI. During the investigation, Daniel Hückmann, who is an experienced security engineer, reported the presence of one of the IP addresses associated with the attack ( 

As a result of this information, incident responders may be able to increase their ability to investigate their environment in the future. Besides, the DevOps company recommends that users audit their logs for any signs of unauthorized access occurring between December 21st, 2022, and January 4th, 2023. The purpose of this is to prevent the same event from happening again. 
The wording of CircleCI's 'reliability update' seems to suggest that CircleCI was compromised on December 21st - the same day it published the "reliability update" underlining its commitment to improving its services and reaffirming its commitment to enhancing security. 
A series of similar updates, beginning with a reliability update released in April of 2022, preceded its said reliability update, with CircleCI admitting that its reliability was not up to the standards of its users. Zuber wrote in a report that CircleCI is an organization dedicated to managing change to enable software teams to innovate faster. But lately, they have learned that our reliability has not met our customers' expectations. 
Following another unavailability in September 2022 as a result of a "significant portion of a day," CircleCI issued another such update to address the issue. This was causing many teams to struggle with managing their workload as a result of the problem. 

In recent years, CircleCI has faced a series of security issues that threaten its operations. A data breach occurred in mid-2019 at CircleCI due to the compromise of a third-party vendor which resulted in the loss of confidential information. 

In response, the data of some GitHub and Bitbucket users which includes their login credentials and email addresses including their GitHub and Bitbucket accounts were compromised. Further, it gives access to their IP addresses, company names, repositories' URLs, etc. 

An investigation was conducted in 2022 in which threat actors were caught using fake CircleCI email notifications to steal GitHub accounts from users, as a result of these phishing attempts, CircleCI was reassured at the time of their being secure since the fraudulent attempts did not necessarily come from latest compromise. Despite this, threat actors have been known to target customers of affected companies with phishing scams by using email addresses obtained from an earlier breach (such as the one found in 2019). 
In regards to the security incident that CircleCI announced on Wednesday, the company sincerely apologizes to all those who may have faced inconvenience following this announcement. When the investigation is concluded, the company intends to share additional information about the incident in the upcoming days.   

When Using Open Wi-Fi, Users Don't Employ a VPN

A VPN is a software program that masks the actual IP address and encrypts all data leaving any device. 
Using a VPN, enables users to connect to a secure network via a public network and transport all of the data into an encrypted channel, safeguarding their online activity. 

The user's authentic IP address is concealed and next-generation encryption is used to mask user activities when the web server is redirected via another private internet server.

The likelihood of connecting to free public Wi-Fi to stream a network, watch YouTube videos, or browse through social media feeds increases as a result. This is where one of the finest VPN services is useful and essential throughout the holiday season. 

A recent poll reveals that when connecting to a risky Wi-Fi, the majority of users continue to refrain from using such protection software. 

Business VPNs were not required in the past when cybersecurity experts were in high demand. To safeguard online activity in the present digital environment, each user must use a secure VPN. However, for individuals who frequently connect to open internet hotspots, it is all the more important. It appears that a majority of us still do not adhere to this crucial privacy-friendly habit, which is a concern.

More than 56% of participants in a recent survey of 1,000 American users aged 18 and older who use public Wi-Fi claimed they were not using a VPN. And to make matters harder, 41% do not use any encryption software at all.

The top travel hazards to be aware of this festive season have been compiled by cybersecurity company Lookout, which also makes antivirus software like Lookout Security and other security, privacy, and identity theft detection solutions.

Some of the key guidelines are as followed:
  • Stay aware of insecure Wi-Fi networks because hackers may conceal themselves behind a similar deceptive network to deceive careless passengers and steal their login information. 
  • Using USB charging outlets in public places can be risky.
  • Do not fall for travel-related phishing schemes, hackers may also attempt to con users using these scams.

Reliable VPN services are of utmost importance for browsing the web securely in any situation and avoiding prying governments and nefarious individuals from getting access to user data. 

Android Spills Wi-Fi Traffic When VPNs Are Enabled

Regardless of whether the Block connections without VPN or Always-on VPN options are turned on, Mullvad VPN has found that Android leaks traffic each time the device links to a WiFi network. 

Source IP addresses, DNS lookups, HTTPS traffic, and most likely NTP traffic are among the items that are being leaked outside VPN tunnels. With the help of a VPN, encrypted data can flow anonymously and be untraceable between two sites on the internet. Consider passing a ping pong ball to someone else across a table as an example. The ball is freely available for third parties to take, manipulate, and return to their intended location. It would be far more difficult to intercept the ball if it were to roll through a tube. 

Information is difficult to obtain because data goes through VPNs similarly. The source and destination of the data packet are likewise obscured because it is encrypted. The Android platform was intentionally designed with this behavior. However, due to the erroneous description of the VPN Lockdown functionality in Android's documentation, users were probably unaware of this until now.

The finding was made by Mullvad VPN while conducting an unpublished security check. The supplier has submitted a feature request to Google's Issue Tracker to fix the problem. A Google developer, however, stated that the functionality was working as intended and that Google has no plans to change it.

"We have investigated the feature request you have raised, and we are pleased to inform you that everything is operating as intended. We don't believe there is a compelling reason to offer this because we don't believe most consumers would grasp it," the Google engineer added.

Unfortunately, Always-on VPN is not totally functioning as intended and contains a glaring weakness, according to a Swedish VPN company by the name of Mullvad. The issue is that Android will send a connectivity check, every now and then to see whether any nearby servers are offering a connection. Device information essential to connectivity checks includes IP addresses, HTTPS traffic, and DNS lookups. Even with Always-on VPN turned on, anyone monitoring a connectivity check could view bits of information about the device because none of this is encrypted since it doesn't travel over the VPN tunnel.

The traffic that escapes the VPN connection contains metadata from which critical de-anonymization information, such as the locations of WiFi access points, may be derived.

The blog post by Mullvad explains that "the connection check traffic could be observed and evaluated by the party controlling the interconnect check server and any entity noticing the network traffic. Even if the message only indicates that an Android device is connected, the metadata, which includes the source IP, can be used to derive additional information, especially when combined with information like WiFi access point locations."

People who use VPNs to shield themselves from persistent attacks would still perceive the risk to be high, even though this is difficult for inexperienced threat actors. Mullvad adds that even if the leaks are not rectified, Google has to at least update the documentation to accurately state that the Block connections without VPN function would not safeguard Connectivity Checks. 

Mullvad is still discussing the data leak's relevance with Google and has requested that they make it possible to turn off connectivity checks and reduce liability points. Notably, this option has the intended capability thanks to GrapheneOS, Android-based anonymity and safety os version that can only be utilized with a select few smartphone models.

Akamai Sighted an Evolving DDoS attack in EU


The most recent DDoS attack record was set by Akamai in July, but it was surpassed on Monday, September 12, by a fresh attack. 

In a DDoS attack, cybercriminals flood servers with fictitious requests and traffic to block legitimate users from using their services.

According to the cybersecurity and cloud services provider Akamai, the recent attack looks to be the work of the same threat actor, indicating that the operators are now strengthening their swarm.

European businesses were the main targets of the current attack, according to Akamai. It peaked at 704.8 million packets per second, making it the second attack of this size against the same client in as few as three months and around 7% more powerful than the attack in July.

Prior to June 2022, this user primarily experienced attack traffic against the principal data center, as per Craig Sparling of Akamai. Six data center locations were hit by the threat actors' firepower in Europe and North America.

The day after it was discovered, the attack was stopped. This DDoS attack, while not the biggest ever, was notable because it was the biggest one on European organizations. The DDoS attack vector utilized by the attackers included UDP, along with ICMP, SYN, RESET floods, TCP anomaly, and PUSH flood.

The multidestination attack was immediately launched by the attackers' command and control system, increasing the number of active IPs per minute from 100 to 1,813 in just 60 seconds.

This expansion of the targeting area attempts to attack resources that aren't deemed essential and aren't effectively safeguarded, but whose absence will still be problematic for the company.

Published in July, the company saw 74 DDoS attacks, and 200 or more were added later. The business claimed that this campaign shows how hackers are always enhancing their attack methods to avoid detection. 

However, because the particular organization had safeguarded all 12 of its data centers in response to the July incident, 99.8% of the malicious traffic was already pre-mitigated.

The security company Akamai concluded, that having a solid DDoS mitigation platform and plan in place is essential for protecting your company from disruption and downtime.

Darknet Market ‘Versus’ Shutting Down After Critical Exploit Leak


The Versus Market, one of the most prominent English-speaking criminal darknet marketplaces, is shutting down after a severe vulnerability was discovered that might have given access to its database and disclosed the IP addresses of its servers. 

Dark web markets must keep their physical assets secret when performing illicit operations online; otherwise, their operators risk being identified and arrested. The same is true for users and vendors who must stay anonymous while utilising these unlawful sites. Anything that undermines their faith in the platform to secure their information makes it exceedingly dangerous. Apparently, after discovering these flaws, the Versus operators opted to pull the plug themselves, considering it too unsafe to continue. Versus debuted three years ago and quickly gained traction in the hacking world, offering drugs, coin mixing, hacking services, stolen payment cards, and exfiltrated databases. 

Versus went offline to undertake a security assessment, as the website claims it has done twice previously, in response to concerns of serious problems or possibly real hacking. Users were concerned that the Versus was executing an exit scam, that the FBI had taken over the site and other common assumptions that follow these sudden moves. However, the platform's operators soon reappeared, announcing the closure of the marketplace. 

The following PGP-signed message was uploaded by a Versus staff member who is one of the major operators: "There is no doubt that there has been a lot of concern and uncertainty regarding Versus in the last few days. Most of you that have come to know us have rightfully assumed that our silence has been spent working behind the scenes to evaluate the reality of the proposed vulnerability. After an in-depth assessment, we did identify a vulnerability which allowed read-only access to a 6+-month-old copy of the database as well as a potential IP leak of a single server we used for less than 30 days. We take any and every vulnerability extremely seriously but we do think that it's important to contend with a number of the claims that were made about us."

"Specifically of importance: there was no server pwn and users/vendors have nothing to worry about as long as standard and basic opsec practices have been utilized (for example, PGP encryption) Once we identified the vulnerability, we were posed with a fork in the road, to rebuild and come back stronger (as we had done before) or to gracefully retire. After much consideration, we have decided on the latter. We built Versus from scratch and ran for 3 years." 

The letter concludes with a note to platform providers, pledging to post a link allowing them to make transactions without time constraints, permitting the return of escrow amounts. 

Versus was revealed for IP breaches in March 2020, and then in July 2020, a large Bitcoin theft from user wallets occurred. In all situations, the platform accepted responsibility for the errors and was extremely open about what occurred. Versus was able to grow and become a significant marketplace in terms of user numbers and transaction volumes as a result of this. 

However, the operators most likely recognised that the risk of exposure was too considerable to continue. It remains to be known if or not personnel of law enforcement has already exploited the current vulnerability in the next weeks/months.

Millions of Loan Applicant's Data is Leaked via an Anonymous Server

The security team at SafetyDetectives, led by Anurag Sen, revealed the specifics of a misconfigured Elasticsearch server that exposed the personal information of millions of loan applicants. The information primarily came from individuals who applied for microloans in Ukraine, Kazakhstan, and Russia. 

The server was identified randomly on December 5th, 2021, while monitoring specific IP addresses. Since the anonymous server lacked authentication mechanisms, it was left vulnerable and unprotected, resulting in the loss of over 870 million records and 147GB of data. 

SafetyDetectives couldn't identify the server's host. Customers' logs from a variety of microloans providers' websites were stored on a server, however, the majority weren't financial services like lenders or banks, but rather third-party intermediates who operate as a link between the loan firm and the applicant. The majority of the data in the server's logs were in Russian which led experts to conclude that the server is owned by a Russian corporation. 

Different types of personal information (PII) and sensitive user data were revealed in this leak, according to SafetyDetectives researchers, including details of users' "internal passports" and other types of data. Internal passports are used to substitute for national IDs in Russia and Ukraine. They are only valid within the country's borders. 

The internal passport details revealed in the exposed data include Marital status Gender, Birthdate, location, physical address, full name, including first, middle, and patronymic names. Number of passports, issue/expiration dates, and serial number. Some of the disclosed information, including cities, names, addresses, and issued by places, was written in Cyrillic script, which is generally utilized in Asia and Europe.

This vulnerability is estimated to affect around 10 million users. Most INNs belonged to Ukrainians, but several server logs and passport numbers belonged to Russians. The server was based in the Dutch city of Amsterdam. 

On December 14th, 2021, SafetyDetectives contacted the Russian CERT, and the Dutch CERT on December 30th, 2021. Both, though, declined to assist. On January 13th, 2022, the server's hosting company was informed, and the server was secured the same day. Given the scope and type of the data exposed, the event might have far-reaching consequences.

Will VPN Providers and the Indian Government Clash Over New Rules on User Data Collection?

The Ministry of Electronics and Information Technology, which administers CERT-in, has mandated all VPN providers and cryptocurrency exchanges save user records for five years. Some of the most well-known VPN providers, such as NordVPN and ExpressVPN, claim to collect only the most basic information about their customers and to provide ways for them to stay relatively anonymous by accepting Bitcoin payments. 

VPNs reroute users' internet connections through a separate network; this can be done for a variety of reasons, such as connecting to a workplace network that is not available from the general internet or accessing prohibited websites by using servers in other nations. 

Another characteristic of VPNs several VPN companies like Nord promote as a selling factor is privacy. They frequently claim to keep no logs; Nord's no-logs policy has been examined by PriceWaterhouseCoopers regularly. However, the IT Ministry's ruling would force the corporation to deviate from such a guideline for servers in India.

What sort of data does the government expect firms to preserve? 
  • Names of subscribers/customers who have hired the services have been verified.
  • Hire period, including dates.
  • IP addresses assigned to/used by members.
  • At the moment of registration/onboarding, the email address, IP address, and time stamp were utilized. 
  • Why are users hiring services? 
  • Validated contact information and addresses.
  • Subscriber/customer ownership patterns when hiring services.

Official orders from CERT-In, the government agency in charge of investigating and archiving national cybersecurity incidents, have generated controversy. It was announced in a press release for all "Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers" would be bound to maintain a variety of user data for at least five years after the service was canceled or discontinued. 

VPN industry's comment on user data?

ExpressVPN stated, that their apps and VPN servers have been meticulously designed to completely erase sensitive data. As a result, ExpressVPN will never be forced to give non-existent client data.

"Our team is currently analyzing the latest Indian government decree to determine the best course of action. Because the law will not take effect for at least two months, we are continuing to work as usual. We are committed to protecting our clients' privacy, thus if no other options exist, we may withdraw our servers from India," Patricija Cerniauskaite, a spokesman for NordVPN stated.

If NordVPN leaves India, would you still be able to use it?

Users will most likely be able to connect to NordVPN's servers in other countries even if the company decides to leave India. According to reports, NordVPN has 28 servers in India which users in India and other countries can connect to. Surprisingly, NordVPN's Indian servers provide access to websites that are normally restricted in India.

India enters an unfortunate list of other large countries where Nord and other VPN providers have either pulled servers or never had a presence: Russia, where Nord and other VPN providers pulled servers just after the country ordered VPN firms to provide backdoor access to government on demand in 2019; and China, where VPN providers are subject to stringent controls. 

The Internet Freedom Foundation, a New Delhi-based digital rights advocacy group, claimed in a comprehensive statement released Thursday afternoon, the requirements were "extreme" and would impair VPN users' "individual liberty and privacy."

Cybercriminals Impersonate Government Employees to Spread IRS Tax Frauds


At end of the 2021 IRS income tax return deadline in the United States, cybercriminals were leveraging advanced tactics in their phishing kits, which in turn granted them a high delivery success rate of spoofed e-mails with malicious attachments. 

On April 18th, 2022, a notable campaign was detected which invested phishing e-mails imitating the IRS, and in particular one of the industry vendors who provide services to government agencies which include e-mailing, Cybercriminals chose specific seasons when taxpayers are all busy with taxes and holiday preparations, which is why one should be extra cautious at these times.

The impersonated IT services vendor is widely employed by key federal agencies, including the Department of Homeland Security, as well as various state and local government websites in the United States. The detected phishing e-mail alerted victims about outstanding IRS payments, which should be paid via PayPal, and included an HTML attachment which looked like an electronic invoice. Notably, the e-mail has no URLs and was delivered to the victim's mailbox without being tagged as spam. The e-mail was delivered through many "hops" based on the inspected headers, predominantly using network hosts and domains registered in the United States.

It is worth mentioning that none of the affected hosts had previously been 'blacklisted,' nor had any evidence of bad IP or anomalous domain reputation at the time of identification. The bogus IRS invoice's HTML attachment contains JS-based obfuscation code. Further investigation revealed embedded scenarios which detected the victim's IP (using the GEO2IP module, which was placed on a third-party WEB-site), most likely to choose targets or filter by region. 

After the user views the HTML link, the phishing script shall prompt the user to enter personal credentials, impersonating the Office 365 authentication process with an interactive form.

The phishing-kit checks access to the victim's e-mail account through IMAP protocol once the user enters personal credentials. The actors were utilizing the "supportmicrohere[.]com" domain relying on the de-obfuscated JS content. 

Threat actors most likely tried to imitate Microsoft Technical Support and deceive users by utilizing a domain with similar spelling. The script intercepts the user's credentials and sends them to the server using a POST request. Login and password are sent to the jbdelmarket[.]com script through HTTP POST. A series of scripts to examine the IP address of the victim is hosted on the domain jbdelmarket[.]com. The phishing e-header emails include multiple domain names with SPF and DKIM records. 

A Return-Path field in the phishing e-mail was set as another e-mail controlled by the attackers which gather data about e-mails that were not sent properly. The Return-Path specifies how and where rejected emails will be processed, and it is used to process bounces from emails.

The Fodcha DDoS Botnet Hits Over 100 Victims


Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha which is capable of performing over 100 attacks every day. Employing this new malware, the threat actor is attacking routers, DVRs, and servers. The actors were able to infect nearly 62,000 machines with the Fodcha virus in less than a month, as per the researchers. 

360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates, as they are monitoring a 10,000-strong Fodcha army of bots utilizing Chinese IP addresses every day, with the majority of them using China Unicom (59.9%) and China Telecom (59.9%) services (39.4 percent ). 

Researchers alleged that "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000." "The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, as well as over 100 DDoS victims are targeted daily." 

The Fodcha infects devices by exploiting n-day vulnerabilities in many devices and employing the Crazyfia brute-force cracking tool. The botnet targets a variety of devices and services, including but not limited to: 

RCE for Android ADB Debug Server 
CVE-2021-22205 on GitLab 
CVE-2021-35394 in the Realtek Jungle SDK 
JAWS Webserver unverified shell command execution on MVPower DVR 
TOTOLINK Routers: Backdoor TOTOLINK Routers
ZHONE Router: Web RCE ZHONE Router 

After successfully acquiring access to susceptible Internet-exposed devices samples, Fodcha attackers use Crazyfia result data to deploy malware payload. The botnet samples, according to 360 Netlab, target MIPS, MPSL, ARM, x86, and other CPU platforms. 

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc when the cloud vendor took down the essential C2 domain. 

"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported. "The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." It also includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others. 

Hackers in Dprk use Trojanized DeFi Wallet App to Steal Bitcoin


North Korean government-linked hackers have now been circulating a trojanized version of a DeFi Wallet for holding bitcoin assets to obtain access to cryptocurrency users' and investors' systems.

Securing economic benefits is one of the primary motives for the Lazarus threat actor, with a focus on the cryptocurrency industry. The Lazarus group's targeting of the financial industry is increasing as the price of cryptocurrencies rises and the appeal of the non-fungible asset (NFT) and decentralized finance (DeFi) enterprises grows.

In this attack, the threat actor used web servers in South Korea to distribute malware and communicate with the implants that had been placed. Kaspersky Lab researchers recently identified a malicious version of the DeFi Wallet software that installed both the legal app and a backdoor disguised as a Google Chrome web browser executable. When the trojanized DeFi application was launched on the machine, it introduced a full-featured backdoor with a compilation date of November 2021. It's unknown how the hackers spread the word, but phishing emails or contacting victims through social media are both possibilities. 

Although it's not clear how the threat actor persuaded the victim to run the Trojanized program (0b9f4612cdfe763b3d8c8a956157474a), it is believed they used a spear-phishing email or social media to contact the victim. The Trojanized application initiates the previously unknown infection technique. This installation package masquerades as DeFi Wallet software, but it actually contains a legal binary that has been packed with the installer. 

The virus installed in this manner, as per the researchers, has "sufficient capabilities to manage" the target host by issuing Windows commands, uninstalling, starting or killing processes, enumerating files and related information, or connecting the computer to a particular IP address. 

The malware operator can also collect relevant data (IP, name, OS, CPU architecture) and the discs (kind, free space available), files from the command and control server (C2), and retrieve a list of files stored in a specified area using additional functionalities. According to Japan CERT, the CookieTime malware group known as LCPDot has been linked to the DPRK operation Dream Job, which enticed victims with phony job offers from well-known firms. 

Google's Threat Analysis Group (TAG) revealed recent activity related to Dream Job earlier this month, finding North Korean threat actors used a loophole for a zero-day, remote code execution bug in Chrome to aim at people working for media, IT companies, cryptocurrency, and fintech companies. "The CookieTime cluster has linkages with the Manuscrypt and ThreatNeedle clusters, which are also attributed to the Lazarus organization," Kaspersky adds. 

The links between the current trojanized DeFiWallet software and other malware attributed to North Korean hackers go beyond the virus code to the C2 scripts, which overlap many functions and variable names. It's worth mentioning that Lazarus is the umbrella name for all state-sponsored North Korean threat operations. Within the DPRK, however, several threat groups are operating under different institutions/departments of the country's intelligence establishment. 

Mandiant analysts prepared an evaluation of the DPRK's cyber program structure using data collected over 16 months from its digital activity tracking for the entire country, OSINT monitoring, defector reporting, and imaging analysis. Targeting bitcoin heists is certainly within the scope of financially motivated units inside the country's Reconnaissance General Bureau's 3rd Bureau (Foreign Intelligence), according to their map (RGB).   

Hive Ransomware Employs New 'IPfuscation' Tactic to Conceal Payload


Threat researchers have found a new obfuscation strategy employed by the Hive ransomware gang, which utilises IPv4 addresses and a series of conversions that leads to the download of a Cobalt Strike beacon. Threat actors use code obfuscation to conceal the malicious nature of their code from human reviewers or security software to avoid discovery. 

There are a variety of techniques to create obfuscation, each with its own set of benefits and drawbacks, but a new one identified during an incident response involving Hive ransomware reveals that adversaries are coming up with new, subtler ways to accomplish their objective. 

Analysts at Sentinel Labs describe a new obfuscation technique called "IPfuscation," which is another example of how effective basic but sophisticated tactics can be in real-world malware deployment. The new approach was discovered while examining 64-bit Windows executables, each of which contained a payload that delivered Cobalt Strike. 

The payload is disguised as an array of ASCII IPv4 addresses, giving it the appearance of a harmless list of IP addresses. The list could potentially be misconstrued for hard-coded C2 communication information in malware research. A blob of shellcode arises when the file is handed to a converting function (ip2string.h) that converts the string to binary.

Following this step, the virus executes the shellcode either directly through SYSCALLs or through a callback on the user interface language enumerator (winnls.h), resulting in a normal Cobalt Strike stager. 

The following is an example from the Sentinel Labs report: The first hardcoded IP-formatted string is the ASCII string “”, which has a binary representation of 0xE48348FC (big-endian), and the next “IP” to be translated is “”, which has a binary representation of 0xC8E8F0. 

Disassembling these “binary representations” indicates the start of shellcode generated by common penetration testing frameworks. The analysts have uncovered additional IPfuscation variants that instead of IPv4 addresses use IPv6, UUIDs, and MAC addresses, all operating in an almost identical manner as was described above.

The conclusion here is that relying simply on static signatures to detect malicious payloads is no longer sufficient. According to the researchers, behavioural detection, AI-assisted analysis, and holistic endpoint security that combines suspicious elements from various locations have a better probability of removing IPfuscation.

A Worldwide Fraud Campaign Used Targeted Links to Rob Millions of Dollars


Infrastructure overlaps tied to the TrickBot botnet can be seen in large-scale phishing activity employing hundreds of domains to steal information for Naver, a Google-like web platform in South Korea. The resources employed in this assault demonstrate the magnitude of the cybercriminal effort to gather login data to carry out attacks. 

Naver, like Google, offers a wide range of services, including web search, email, news, and the NAVER Knowledge iN online Q&A platform. Its credentials, in addition to granting access to regular user accounts, can also grant access to enterprise environments due to password reuse. 

Earlier this year, security researchers from cyber intelligence firm Prevailion began its inquiry using a domain name shared by Joe Sowik, mailmangecorp[.]us, which led to a "vast network of targeted phishing infrastructure designed to gather valid login credentials for Naver." Additionally, PACT analysts discovered similarities with the WIZARD SPIDER [a.k.a. TrickBot] network while researching the hosting infrastructure utilized to serve the Naver-themed phishing pages. 

The fraudsters enticed victims with phoney surveys and incentives purporting to be from well-known brands, the lure was meant to help the criminals steal victims' personal information and credit card information. Tens of millions of people in 91 countries, including the United States, Canada, South Korea, and Italy, were shown to have been targeted by the scammers.

To entice potential victims, the cybercriminals sent out invitations to participate in a survey, along with the promise of a prize if they completed it. Advertising on both legitimate and illegitimate websites, contextual advertising, SMS and email messages, and pop-up notifications were all used in the campaign. To develop trust with the victims, lookalike domains modeled after authentic ones were registered. 542 unique domains were linked to the operation, 532 of which were utilized for Naver-themed phishing. Authorities found the operator would register a group of web addresses linked to a single IP address using an email address.

According to the researchers, two Cobalt Strike beacon variants on Virus Total were linked to 23.81.246[.]131 as part of a campaign that used CVE-2021-40444 to spread Conti ransomware, a typical TrickBot payload. The end page's content is as personalized as possible to the victim's interests, with the customized link only accessible once, making detection significantly more difficult and enabling the scheme to last longer. 

The victim is also informed to be eligible for a prize and one must supply personal information such as one's complete name, email and physical addresses, phone number, and credit card information, including expiration date and CVV for the same. Prevalion believes one explanation that justifies the conclusions is cybercriminals should use an "infrastructure-as-a-service" model for their operations.

The Emotet Malware is Alive and Using TrickBot to Rebuild its Botnet


The malicious Emotet botnet, which made a comeback in November 2021 after a 10-month break, is showing indications of steady expansion once again, collecting a colony of over 100,000 infected hosts to carry out its destructive actions. 

In a new round of attacks, Emotet, a Banking Trojan which has evolved into a formidable modular threat, has reappeared with improved features. It has infected devices to carry out additional spam campaigns and install various payloads like the QakBot (Qbot) and Trickbot malware. These payloads would subsequently be utilized to give threat actors, such as Ryuk, Conti, ProLock, Egregor, and others, early access to deploy ransomware. 

"While Emotet has not yet reached the same magnitude as before, the botnet is displaying a strong resurrection with a total of around 130,000 unique bots scattered over 179 countries since November 2021," Lumen's Black Lotus Labs researchers wrote in a report. On April 25th, 2021, German law enforcement used the network to send an Emotet module that removed the malware from afflicted devices. 

The TrickBot malware has begun to dump an Emotet loader on affected devices, according to Emotet research group Cryptolaemus, GData, and Advanced Intel. While Emotet used to deploy TrickBot, the threat actors now use a mechanism called "Operation Reacharound" by the Cryptolaemus group, which rebuilds the botnet utilizing TrickBot's current infrastructure. 

Apart from command-and-control (C2) lists and RSA keys, which change from version to version, Emotet's main payload hasn't changed much, but the list of phrases used to establish a process name for its bot has been renewed. Along with new binaries, words like engine, finish, magnify, resapi, query, skip, and many more are utilized and modified. Researchers may be able to construct signatures to detect Emotet infections on machines once these lists have been secured, but signature-based detection is more challenging if the list changes. has published a list of the new Emotet botnet's command and control servers and strongly advises network administrators to ban the linked IP addresses. Another new feature is the ability to collect extra system information from compromised workstations in addition to a list of running processes. The number of bots and associated dispersion are crucial indicators of Emotet's success in reconstructing its once-vast infrastructure.

Decade-Old Critical Vulnerabilities Might Affect Infusion Pumps


According to scans of over 200,000 infusion pumps located on the networking of healthcare providers and hospitals, increasing numbers of gadgets are vulnerable to six critical-severity issues (9.8 out of 10) reported in 2019 and 2020.

According to Palo Alto Networks experts, 52% of scanned devices are vulnerable to two significant security issues discovered in 2019: CVE-2019-12255 (CVSS score of 9.8) and CVE-2019-12264 (CVSS score of 9.8). (CVSS score of 7.1) In a research report, the business stated over 100,000 infusion pumps were vulnerable to older, medium-severity issues (CVE-2016-9355 and CVE-2016-8375). 

"While some of these vulnerabilities and alerts may be difficult for attackers to exploit unless it is physically present in an organization," the researchers added, "all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations where threat actors may be motivated to devote additional resources to attacking a target." 

Wind River, the company which supports VxWorks RTOS, has patched all URGENT/11 concerns since July 19, 2019. However, in the embedded device world, large delays in applying patches or not applying them at all are well-known issues. The last five critical-severity bugs that were discovered in June 2020, affect items made by the American healthcare corporation Baxter International. 

Malicious misuse of software security flaws might put human lives in danger, according to the firm. Infusion pumps are used to give medications and fluids to patients, and the company cautioned how malicious exploitation of software security flaws could put human lives at risk. The majority of the discovered flaws can be used to leak sensitive information and gain unauthorized access. Bugs that lead to the release of sensitive information harm not only infusion pumps, but also other medical devices, and may affect credentials, operational information, and patient-specific data.

Another area of concern is the use of third-party modules which may have security flaws. CVE-2019-12255 and CVE-2019-12264, for example, are significant vulnerabilities in the IPNet TCP/IP stack utilized by the ENEA OS of Alaris Infusion Pumps, according to the researchers. 

"Overall, most of the typical security alerts triggered on infusion systems imply avenues of attack which the device owner should be aware of," the security experts told. "For example, via internet access or default login and password usage."Given some infusion pumps are utilized for up to ten years, healthcare practitioners seeking to protect the security of devices, data, and patient information should consider the following.

Users at Citibank Attacked by a Massive Phishing Scam


Scammers impersonating Citibank are now targeting customers in an online phishing campaign. Thousands of bogus email messages were sent to bank customers, according to Bitdefender's Antispam Lab, with the intent of collecting sensitive personal information and internet passwords. 

Responding to unusual activities or an unauthorized login attempt, the accounts have been placed on hold. As a result, the attackers claim all users should authenticate existing accounts as soon as possible to avoid a permanent ban.

According to Bitdefender's internal telemetry, these campaigns are focused primarily on the United States, with 81 percent of the phishing emails sent ending up in the mailboxes of American Citibank customers. However, it has also reached the United Kingdom (7 percent), South Korea (4 percent), and a small number have indeed made it to Canada, Ireland, India, and Germany. When it comes to the origins of these phishing attacks, 40% of the phoney emails appear to have come from the United States, while 13% came via IP addresses in Mexico. 

The cybercriminals behind the effort utilize email subject lines like "Account Confirm Confirmation Required," "Second Reminder: Your Account Is On Hold," and "Account Confirm Confirmation Required" to deceive Citibank clients into opening the emails. Other subject lines were, "Urgent: Account Confirmation Required," "Security Alert: Your Account Is On Hold," and "Urgent: Your Citi Account Is On Hold." 

Since some of the phishing emails in the campaign use the official Citibank logo to make them appear more real, the scammers who sent them did not take the time to correctly fake the sender's email address or repair any punctuation issues in the email body.

Citing phoney transactions or payments, and also questionable login attempts is another strategy used to create these phishing emails which appear to be from Citibank itself, to fool potential victims into authenticating actual accounts. When victims click the verify button, users are taken to a cloned version of the legitimate Citibank homepage. However, if a Citibank customer goes this far, fraudsters will steal the credentials and utilize them in future assaults. 

Bitdefender has discovered another large-scale phishing campaign that went live between February 11 and 15, 2022, offering victims the opportunity to seek cash compensation from the United Nations. The challenge in this situation is to identify the beneficiary as a scam victim, one of the 150 people who were declared eligible for a $5 million payout from Citibank. 

Banks rarely send SMS or email alerts to customers about critical account changes, thereby users can contact the bank and ask to speak to an agent if they receive a message which makes strong claims. Instead of calling the phone numbers included in the email, users should go to the bank's official website and look up the information on the contact page.