Search This Blog

Showing posts with label Malicious actor. Show all posts

Phishing Emails Faking Voicemails aim to Steal Your Data

 

Vishing is the practice of sending phishing emails to victims that appear to be voicemail alerts to acquire their Microsoft 365 and Outlook login information. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active. 

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers inform recipients of missed voicemails via email notifications that contain links to web-based attachments. Although many people don't check voicemail, audio messages on LinkedIn and WhatsApp have been there for a while, so using them to deceive consumers into clicking a link in an email can be successful. 

Naturally, when the target clicks the link, they are taken to a credential phishing web page hosted on Japanese servers rather than a voicemail at all. The user gets directed to the Microsoft Office website or the Wikipedia page if the encoded email address at the end of the URL is missing.

The user is shown the final page, which is an Office 365 phishing page after they have correctly supplied the CAPTCHA information. The 2020 campaign Zscaler tracked using the same approach. 

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

As the majority of businesses quickly transitioned to a primarily remote-work style, with many workers working from their homes, phishing usage continued to increase. It peaked during the peak of the COVID-19 pandemic in 2020 and 2021. 

A substantial majority of credentials have been successfully compromised by the effort, which can be utilized for a number of different cybercrime endgames. These consist of taking control of accounts to gain access to files and data theft to send malicious emails that appear to be from a legitimate organization, and implanting malware,. The goal is to trick victims into using the same passwords for several accounts by adding the user ID/password combinations to credential-stuffing lists. 

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.

Microsoft Launches New Privacy Features for Windows 11

 

Microsoft is developing a new privacy dashboard to patch its vulnerabilities for Windows 11 that will allow users to view which apps and tools have access to sensitive hardware components such as the camera, microphone, location, phone calls, messages, and screenshots. It's included in one of June Windows 11 Preview Builds and now is ready for testing in the Dev Channel for Windows Insiders.

Users will be able to view the newly implemented tool in the Privacy & Security > App Permissions section, where a "Recent activity" option will be available, as per Microsoft. Users will be able to locate the monitored category of information in this section. "Once clicked, it will show every instance of one of the programs installed on a user's machine that has recently accessed sensitive devices and information," says the next step. Even though the list contains information about the most recent time the program accessed the service, clicking on any of the entries yields no additional information.

Several users would be able to proactively protect themselves from ransomware and phishing attacks that are unwittingly deployed by malicious actors due to this additional layer of privacy. Malware or malicious software may obtain access to a user's privacy in some cases via spying on its camera or microphone, or by reading file paths, process IDs, or process names.

If Windows Hello is turned off, your PC will be unable to access your camera. Some apps use the Camera app to capture pictures, by the Camera app's camera access setting. No images will be taken and sent to the app that accessed them unless you manually select the capture button in the Camera app.

Desktop apps can be downloaded from the internet, stored on a USB drive, or installed by your IT administrator. Microsoft has not yet officially launched this new privacy option, according to its Windows Insider Blog. This information comes from Microsoft's Vice President of Enterprise and OS Security, David Weston, in a tweet on Thursday. 

Windows has never had a privacy feature as useful as this, but it appears that Microsoft is working to strengthen the operating system's privacy controls. With Android version 12, Google provided a similar capability, although its execution is far from satisfactory.

Facebook :"Is that you?" 500,000 People Were Victims of this Phishing Scam

 

Facebook has often been a favorite hunting ground for cybercriminals who delight in preying on the naive members of the internet community. While addressing a very prevalent fraud known as "Is that you?" cybernews has conducted research. It's a type of video phishing scam in which the attacker delivers a link to a fictitious video in which the victim appears. When you click, the trouble begins as soon as you enter some personal information and log in. 

Researchers were recently rewarded for such diligence when they received a warning from fellow cyber investigator Aidan Raney – who originally contacted them after the original results were released – that malicious links were being sent to users. Upon further investigation, it was discovered that thousands of these phishing links had been circulated via a devious network spanning the social media platform's back channels. If left unchecked, hundreds of thousands of naive social network users might fall prey to the shady connections - the "Is That You?" scam was said to have ensnared half a million victims before researchers discovered it. 

Raney explained, "I worked out what servers did what, where code was hosted, and how I might identify additional servers." "I then used this information, as well as urlscan.io, to seek for more phishing sites with similar features to this one." 

A thorough examination of the servers linked to the phishing links revealed a page that was transmitting credentials to devsbrp. app. A banner believed to be attached to a control panel was discovered with the wording "panelfps by braunnypr" printed on it. A second search using keywords led the study team right to the panel and banner designer, whose email address and password variations were also identified  neatly turning the tables on fraudsters who prey on unwary web users' credentials. 

Cybernews accessed a website which proved to be the command and control hub for most of the phishing assaults linked to the gang, known to include at least 5 threat actors but could have plenty more, using the threat actor's personal details. This gave our brave investigators a wealth of information about the culprits of the Facebook phishing scam, including the likely country of residence  the Dominican Republic.

"We were able to distribute the user list for everyone who has signed up for this panel," the Cybernews researcher explained. "We started unearthing the identities with as many people on the list as we could using the usernames on the list, but there is still more work to be done." Researchers provided the appropriate information to the Dominican Republic's Cyber Emergency Response Team (CERT) at the time, as evidence suggested that the campaign had started there as well.

Dark Web: 31,000 FTSE 100 Logins

 

With unveiling the detection of tens of thousands of business credentials on the dark web, security experts warn the UK's largest companies that they could unintentionally be exposed to significant vulnerability. Outpost24 trawled cybercrime sites for the compromised credentials, discovering 31,135 usernames and passwords related to FTSE 100 companies using its threat monitoring platform Blueliv.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained by traditional data breaches, while a quarter was gained through personally targeted malware infections. 
  • The vast majority of FTSE 100 firms (81%) had at least one credential hacked and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 hacked credentials. 
  • Since last year, there were 31,135 hacked and leaked credentials for FTSE 100 organizations, with 38 of them being exposed on the dark web. 
  • Up to 20% of credentials are lost due to malware infections and identity thieves.
  • 11% disclosed in the last three months (21 in the last six months, and 68% for more than a year) Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%). 
  • With the largest total number (7,303) and average stolen credentials per company (730), the IT/Telecoms industry is the most in danger. They are the most afflicted by malware infection and have the most stolen credentials disclosed in the last three months.
  • Healthcare has the biggest amount of stolen credentials per organization (485) due to data breaches, as they have become increasingly targeted by cybercriminals since the pandemic started. 

"Malicious actors could use such logins to get covert network access as part of "big-game hunting" ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.

A New Regulation Seeks to Secure Non-HIPAA Digital Health Apps

 

A guideline designed and distributed by several healthcare stakeholder groups strives to secure digital health technologies and mobile health apps, the overwhelming majority of which fall outside of HIPAA regulation. 

The Digital Health Assessment Framework was launched on May 2 by the American College of Physicians, the American Telemedicine Association, and the Organization for the Review of Care and Health Applications. The methodology intends to examine the use of digital health technologies while assisting healthcare leaders and patients in assessing the factors about which online health tools to employ. Covered entities must also adopt necessary administrative, physical, and technical protections to preserve the confidentiality, integrity, and availability of electronically protected health information, according to the Health Insurance Portability and Accountability Act Rules. 

Healthcare data security was never more critical, with cyberattacks on healthcare businesses on the rise and hackers creating extremely complex tools and tactics to attack healthcare firms. Before HIPAA, the healthcare field lacked a universally agreed set of security standards or broad obligations for protecting patient information. At the same time, new technologies were advancing, and the healthcare industry began to rely more heavily on electronic information systems to pay claims, answer eligibility issues, give health information, and perform a variety of other administrative and clinical duties. 

Furthermore, the Office for Civil Rights at the Department of Health and Human Services has enhanced HIPAA Rule enforcement, and settlements with covered businesses for HIPAA Rule violations are being reached at a faster rate than ever before. 

"Digital health technologies can provide safe, effective, and interacting access to personalized health and assistance, as well as more convenient care, improve patient-staff satisfaction and achieve better clinical outcomes," said Ann Mond Johnson, ATA CEO, in a statement. "Our goal is to provide faith that the health and wellness devices reviewed in this framework meet quality, privacy, and clinical assurance criteria in the United States," she added. 

Several health apps share personal information with third parties, leaving them prone to hacks. Over 86 million people in the US use a health or fitness app, which is praised for assisting patients in managing health outside of the doctor's office. HIPAA does not apply to any health app which is not advised for use by a healthcare provider. 

The problem is that the evidence strongly suggests the app developers engage in some less-than-transparent methods to compromise patient privacy. Focusing on a cross-sectional assessment of the top tier apps for depression and smoking cessation in the US and Australia, a study published in JAMA in April 2019 found that the majority of health apps share data to third parties, but only a couple disclosed the practice to consumers in one‘s privacy policies. 

Only 16 of the evaluated applications mentioned the additional uses for data sharing, despite the fact that the majority of the apps were forthright about the primary use of its data. 

According to the aforementioned study, nearly half of the apps sent data to a third party yet didn't have a privacy policy. But in more than 80% of cases, data was shared with Google and Facebook for marketing purposes. 

Another study published in the British Medical Journal in March 2019 discovered that the majority of the top 24 health education Android applications in the USA linked user data without explicitly informing users. In 2021, a study conducted by Knight Ink and Approov found that the 30 most popular mHealth apps are highly vulnerable to API hacks, which might result in the exploitation of health data. Only a few app developers were found in violation of the Federal Trade Commission's health breach rule. 

The guideline from ACP, ATA, and ORCHA aims to help the healthcare industry better comprehend product safety. "There has been no clear means to establish if a product is safe to use in a field of 365,000 goods, where the great majority fall outside of existing standards, such as medical device regulations, federal laws, and government counsel," as per the announcement. 

The implementation of digital health, covering condition management, clinical risk assessment, and decision assistance, is hampered by a lack of direction. The guide is a crucial step in identifying and developing digital health technologies which deliver benefits while protecting patient safety, according to ACP President Ryan D. Mire, MD. The guidelines were developed using the clinical expertise of ACP and ATA members, along with ORCHA's app assessment experience.

ACP also launched a pilot test of digital health solutions that were evaluated against the new framework in conjunction with the new framework. Mire hopes that the trial will assist providers to identify the most effective features for recommending high-value digital health technologies to patients and identify potential impediments to extensive digital health adoption.

 Bangladesh Cyber Incident Response Team has Issued a Warning About Malware Attacks Around Eid

 

Officials have warned of a possible cyber-attack on Bangladesh's financial and other key institutions' computer systems during the Eid vacations. According to a statement issued by the Digital Security Agency, the affected authorities must install or update anti-DDOS hardware and software. 

Officials believe the warning was sent by the government's specialized cyber-threat agency as a global cyberwar erupts in the Russia-Ukraine conflict, with NATO assisting the latter with arms support. 

The Bangladesh Computer Council's e-Government Computer Incident Response Team (BGD e-GOV CIRT) also recommends all key information facilities' internal systems be checked and monitored.

Following the current conflict between Ukraine and Russia, Tarique M Barkatullah, director (operations) of the Digital Security Agency and project director of the BGD e-GOV CIRT, stated “hackers from both sides are using important information infrastructures of different countries to spread botnets and malware and attack each other.” 

Botnets are computer networks infected with malware (such as computer viruses, key loggers, and other malicious code or malware) and remotely controlled by criminals, either for monetary gain or to launch assaults on websites or networks. 

BGD e-Gov CIRT discovered over 1400 IP numbers used in Russia after analyzing the warning message issued by the Russian Computer Security Incident Response Team. According to the CIA, hackers are using these IPs to spread propaganda and launch distributed denial of service (DDoS) operations. 

Tareq M Barkatullah, project director of BGD e-Gov CIRT, remarked in this reference: “The country's afflicted financial institutions and public service suppliers are being hampered in providing its usual services due to the exploitation of these IP-enabled Bangladeshi servers."

According to the Financial Express, Prof Dr. Md Salim Uddin, chairman of the executive committee of Islami Bank Bangladesh Limited (IBBL), several financial institutions have been targeted by cyber-attacks as a result of the current crisis between Ukraine and Russia.

IBBL is well-prepared to thwart any cyber-attack because it is always adopting new technological solutions. Among the internal systems, he emphasized strengthening cyber-security with new tech solutions and monitoring systems. To prevent all types of cyber threats, financial institutions should join an organization or platform to improve cooperation and integration. He further urges the government to expand collaboration and support in this area in order to combat rising cyber-threats in the future.

According to Europol, Deepfakes are Used Frequently in Organized Crime

 

The Europol Innovation Lab recently released its inaugural report, titled "Facing reality? Law enforcement and the challenge of deepfakes", as part of its Observatory function. The paper presents a full overview of the illegal use of deepfake technology, as well as the obstacles faced by law enforcement in identifying and preventing the malicious use of deepfakes, based on significant desk research and in-depth interaction with law enforcement specialists. 

Deepfakes are audio and audio-visual consents that "convincingly show individuals expressing or doing activities they never did, or build personalities which never existed in the first place" using artificial intelligence. Deepfakes are being utilized for malevolent purposes in three important areas, according to the study: disinformation, non-consensual obscenity, and document fraud. As technology further advances in the near future, it is predicted such attacks would become more realistic and dangerous.

  1. Disinformation: Europol provided several examples of how deepfakes could be used to distribute false information, with potentially disastrous results. In the geopolitical domain, for example, producing a phony emergency warning that warns of an oncoming attack. The US charged the Kremlin with a disinformation scheme to use as a pretext for an invasion of Ukraine in February, just before the crisis between Russia and Ukraine erupted.  The technique may also be used to attack corporations, for example, by constructing a video or audio deepfake which makes it appear as if a company's leader committed contentious or unlawful conduct. Criminals imitating the voice of the top executive of an energy firm robbed the company of $243,000. 
  2. Non-consensual obscenity: According to the analysis, Sensity found non-consensual obscenity was present in 96 percent of phony videos. This usually entails superimposing a victim's face onto the body of a philanderer, giving the impression of the victim is performing the act.
  3. Document fraud: While current fraud protection techniques are making it more difficult to fake passports, the survey stated that "synthetic media and digitally modified facial photos present a new way for document fraud." These technologies, for example, can mix or morph the faces of the person who owns the passport and the person who wants to obtain one illegally, boosting the likelihood the photo will pass screening, including automatic ones. 

Deepfakes might also harm the court system, according to the paper, by artificially manipulating or producing media to show or deny someone's guilt. In a recent child custody dispute, a mother of a kid edited an audiotape of her husband to persuade the court he was abusive to her. 

Europol stated all law enforcement organizations must acquire new skills and tools to properly deal with these types of threats. Manual detection strategies, such as looking for discrepancies, and automatic detection techniques, such as deepfake detection software uses artificial intelligence and is being developed by companies like Facebook and McAfee, are among them. 

It is quite conceivable that malicious threat actors would employ deepfake technology to assist various criminal crimes and undertake misinformation campaigns to influence or corrupt public opinion in the months and years ahead. Machine learning and artificial intelligence advancements will continue to improve the software used to make deepfakes.

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed. 

Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.

Misconfigured Keys are Tackled in ServiceNow's Guidelines

 

ServiceNow, a $4.5 billion software company assisting businesses with its digital workflows, has released recommendations for its clients regarding Access Control List (ACL) misconfiguration. 

In one of its reports, AppOmni said that the usual misconfigurations are caused by a "combination of customer-managed ServiceNow ACL setups and overprovisioning of access to guest users". 

The general public is a factor in RBAC for public-facing businesses. The capacity to provide public access to the information within your 'database,' which may be a forum, online shop, customer service site, or knowledge base, is one crucial feature of RBAC, according to the paper. When firms upgrade or alter SaaS services or onboard new users, the difficulty is guaranteeing the appropriate level of access.

The researchers found roughly 70% of the ServiceNow instances examined by AppOmni were misconfigured, posing the risk of unauthorized users stealing critical data from businesses who are not even aware of them being at risk. 

Securing SaaS, according to AppOmni CEO Brendan O'Connor, is much more involved in simply checking a few options or enabling strong authentication for users."Because of its flexibility and power, SaaS platforms have evolved into company operating systems. There are numerous good reasons for workloads and applications running on a SaaS platform to interface with the outside world, such as integrating with emails and text messages or hosting a customer care portal" O'Connor further added. 

As per AppOmni Offensive Security Researcher Aaron Costello, ServiceNow external interfaces exposed to the public could allow a hostile actor to take data from records. Meanwhile, Brian Soby, CTO of AppOmni, said "the enormous degree of flexibility in modern SaaS systems has made misconfiguration one of the largest security concerns enterprises face. Our goal is to shine a light on frequent SaaS platform misconfigurations and other potential hazards so customers can guarantee the system posture and configuration matches its business intent."

Horde Webmail Software has a 9-year-old Unsecure Email Theft Risk

 

A nine-year-old unsecure security flaw in the Horde Webmail functionality might be exploited to acquire total access to the email accounts merely by viewing an attachment. Horde Webmail is a Horde project-developed free, enterprise-ready, browser-based communication package. Universities and government institutions use this webmail option extensively. 

According to Simon Scannell, a vulnerability researcher at SonarSource, "it provides the hackers to gain access to all confidential and possibly classified documents a user has recorded in an email address and might allow them to obtain further access to an organization's internal services." 

SonarSource detected a stored Xss attack which was implemented with commit 325a7ae, which was 9 years ago. Since the commit on November 30, 2012, the bug has affected all versions. The vulnerability can be exploited by previewing a specially designed OpenOffice document and allowing a malicious JavaScript payload to be executed. The attacker can take all emails sent and received by the victim by exploiting the flaw. 
"An attacker can create an OpenOffice document which will launch a malicious JavaScript payload when converted to XHTML by Horde for preview." the report continues "When a targeted person sees an attached OpenOffice document in the browser, the vulnerability is activated." according to SonarSource experts.

Worse, if an executive account with a personalized, phishing email is successfully hacked, the attacker might use this unprecedented access to take control of the entire webmail service. Despite the vendor's confirmation of the problem, no fixes have been given to the project managers as of August 26, 2021. Horde was contacted for more comments, but none were made to address the situation.

Meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the 'disable' => true configuration option to the OpenOffice mime handler in the config/mime drivers.php file.

Credit Cards Were Forged from a Prominent e-Cigarette Store

 

Since being breached, Element Vape, a famous online retailer of e-cigarettes including vaping kits, is harboring a credit card skimmer on its website. In both retail and online storefronts in the United States and Canada, this retailer provides e-cigarettes, vaping equipment, e-liquids, and Synthetic drugs.
 
Its website Element Vape is uploading a potentially Malicious file from either a third-party website that appears to be a credit card stealer. Magecart refers to threat actors who use credit card cybercriminals on eCommerce sites by infiltrating scripts. 

On numerous shop webpages, beginning with the homepage, a mystery base64-encoded script may be seen on pages 45-50 of the HTML source code. For an unknown period of time, the computer worm has so far been present on ElementVape.com. 

This code was gone as of February 5th, 2022, and before, according to a Wayback Machine review of ElementVape.com. As a result, the infection appears to have occurred more recently, probably after the date and before today's detection. When decoded, it simply fetches the appropriate JavaScript file from a third-party site :

/weicowire[.]com/js/jquery/frontend.js

When this script was decoded and examined, it was apparent – the collection of credit card and invoicing information from clients during the checkout. The script looks for email addresses, payment card details, phone numbers, and billing addresses (including street and ZIP codes). 

The attacker acquires these credentials via a predefined Telegram address in the script which is disguised. The code also has anti-reverse-engineering features which check if it's being run in a sandbox or with "devtools" to prevent it from being examined.

It's unclear how the backend code of ElementVape.com was altered in the first place to allow the malicious script to enter. Reportedly, this isn't the first instance Element Vape's security has been breached. Users reported getting letters from Element Vape in 2018 indicating the company had a data breach so the "window of penetration between December 6, 2017, and June 27, 2018, might have revealed users" personal details to threat actors. 

Android Devices being Targeted by Flubot

 

The National Cyber Security Centre of Finland (NCSC-FI) has recently released a "severe alert" over a major campaign targeting the nation's Android users with Flubot banking malware delivered through text messages sent out by hacked devices. 

This is the second greatest Flubot operation to strike Finland this year, with a previous set of cyberattacks SMS spamming thousands of Finns each day from early June to mid-August 2021. The latest spam campaign, like the previous one, has a voicemail theme, encouraging recipients to click a link that will enable them to retrieve a voicemail message or a message from the mobile operator. 

Rather than being made to open a voicemail, SMS recipients are led to malicious websites that push APK installers to install the Flubot banking virus on their Android devices. 

“According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected," the Finnish National Cyber Security Centre said in the alert issued on Friday. 

"We managed to almost eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one because the previously implemented control measures are not effective," said NCSC-FI information security adviser Aino-Maria Väyrynen. 

Those who have been affected should do a factory reset on their Android device to remove the virus. When iOS users get FluBot messages and click on the associated link, they will be forwarded to fraud and phishing websites rather than being forced to install an app. 

FluBot, once installed on a device, may browse the contacts list, spam texts to other individuals, read messages, steal credit card information and passwords as they are typed into apps, install other apps, and engage in other nefarious activities. Android users who get Flubot spam messages or emails should avoid opening attached links or downloading files shared through the link to their cellphones. 

The virus family has also been discovered on other websites, where anybody can come into contact with the harmful code. Netcraft, a provider of internet services, announced on Monday that it had discovered nearly 10,000 websites that were disseminating FluBot malware.

VIP72: 15-Year-Old Malware Proxy Network Goes 'Dark' Without Notice



A 15-year-old cybercrime anonymity service called VIP72, in the past, allowed a large number of cybercriminals to cover up their actual location by routing traffic via dozens of hacked computers seeded with malware – suddenly went offline for a period of two weeks and has not shown any signs of return. 

Similar to other proxy networks advertised on the darknet and other cybercrime forums, VIP72 also routed its clients' traffic via systems that have been infected by malware. Employing the malicious service, users could choose network nodes in almost any of the countries to relay their traffic as they conceal themselves behind some unsuspecting user's URL. 

Over the past few days, the darknet has been flooded with  "R.I.P" texts for the malware proxy network, VIP72 that went dark without any prior notice. Initially, the authors of VIP62 told their customers that they will be back online shortly, indicating it's a maintenance issue that's restricting their operations. “Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!”, read a notice titled “We'll be back soon!” 

It was updated to read, “Socks client will be unavailable within next 5 (FIVE) days for planned upgrades. We will resume normal work of socks client till the end of this week. All active subscriptions will have +8 days to existed paid period.” 

“—We only work on web vip72.com and sellvip72.com/en. Do not access fraudulent websites on google search e.g: vip72.cx, .us etc...”, the notice further read in 'red' letter font. 

Originally set up in 2006, VIP72, had a long run assisting malicious actors in concealing their real location via a well-founded proxy service. Basically, the proxying service of VIP72 effectively obscured the identity and true location of malware campaigners by routing their traffic via multiple network bounces. In a nutshell, VIP72 essentially offered its customers safety from the security police. 

However, ironically enough, the U.S.-hosted proxy service itself has presumably faced something serious, perhaps, a case of policing. Other experts speculate, that VIP72 might have experienced trouble in competing against newly emerged sophisticated anonymity network services. Although the reason behind VIP72's sudden disappearance remains unclear and the website has gone offline for two weeks now, the proxy service is still accessible to some of the users, which makes sense as the compromised hosts would still be infected with the malware and will indefinitely continue to forward traffic for as long as they remain under the effect of proxy malware.

Malevolent PyPI Packages Detected Filching Developer Data

 

Repositories of software packages have become a frequent target for supply chain attacks. Reports concerning malware attacks on prominent repository systems like npm, PyPI, and RubyGems have been recently surfacing. Programmers completely trust repositories and install packages from such sources, provided that they are trustworthy. 

Malware packages may be posted to the package repository, permitting malicious actors to leverage repository systems to propagate viruses and start successful attacks both on developers and CI/CD machines in the pipeline. 

Eight Python packages that have been installed more than 30,000 times have been deleted from the PyPI portal with malicious code, demonstrating again how software package repositories have developed into a hub for a popular supply chain attack. 

The dearth of moderation and automated security safeguards in public software repositories enables relatively unfamiliar attackers, through typosquatting, dependency misunderstanding, or basic social engineering attempts, to utilize them as a base to disseminate malware. 

PyPI is Python's primary third-party software repository, which has package manager utilities, such as pip, as its default package and dependency source. 

Several of the packages could have been used for more complex threats, allowing the attacker to implement remote code on the target device, collect network data, plunder credit card details, and autosaved passwords in browsers like Chrome and Edge, and sometimes even steal Discord authentication tokens to impersonate the victim. 

PyPI is not alone in software package repositories that appear as a potential attack surface to invasions, with rogue packages identified in npm and RubyGems that might potentially damage a complete system or be a useful jump-off point to deepen the network of a victim. 

"The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks," said JFrog CTO Asaf Karas. "The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers." 

Mostly on the programmers' side, precautionary action must form an important part of any CI/CD pipeline, including the confirmation of the signature in the library and the use of automated security instruments that analyze problematic code suggestions included inside the project. Automated tools like these may warn users about the use of harmful code.

The VMware Carbon Black Cloud Workload Patched a Vulnerability

 

The VMware Carbon Black Cloud Workload device's major security vulnerability will indeed permit root access, and the authority to handle most of the solution administration rights. The lately identified vulnerability, trackable as CVE-2021-21982, with a 9.1 CVSS score, remains in the device's administrative interface and continues to exist because intruders might bypass authentication by manipulating the URL on the interface. VMware Black Cloud Workload is the forum for cybersecurity defense on VMware's vSphere portal for virtual servers and workloads. vSphere is the virtualization platform for VMware cloud computing. 

As per the statement made by VMware last week, the problem is caused by inaccurate URL handling. “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.” 

In turn, the intruder would be able to obtain the device management API. Once the intruder is logged in as an admin, it may also access and change administrative configuration settings. The opponent might also perform several attacks, which include code execution, de-activation of security monitoring, or the catalog of virtual instances in the private cloud, and even more since it depends on what instruments the institution has implemented in the environment. 

“A malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance may be able to obtain a valid authentication token, granting access to the administration API of the appliance,” VMware notes in an advisory. 

VMware's Carbon Black Cloud Workload is being used by organizations in virtualized environments for protecting workloads that offer tools for the evaluation of vulnerabilities, antiviruses, and threats. 

Egor Dimitrenko, a positive technologies researcher who has been credited with the discovery of the vulnerability, says that the intruder could definitely use the bug to execute arbitrary code on a server. “Remote Code Execution is a critical vulnerability that gives an attacker unlimited opportunity to perform any attack to company infrastructure,” Dimitrenko underlines. 

The researcher explains that the intruder should not usually be able to access the VMware Carbon Black Cloud workload admin panel from the Internet, but also indicates that misconfigurations can result in improper exposure. He says that organizations can implement tools for remote access inside the internal network. 

In order to deal with this vulnerability and encourage customers to use the update to stay secure, VMware released version 1.0.2 of the VMware Carbon Black Cloud Workload appliance last week. It is also recommended that network checks should be implemented to ensure limited access to the device admin interface. Additionally on Friday, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of the vulnerability and raise awareness on the existence of patches for it.