Search This Blog

Showing posts with label Malicious actor. Show all posts

Google Play Protect Shields Users From Cyberattacks


The leading Android devices all use Google Play Services as a key component. It serves as a link between the Android OS and programs, mostly Google programs and programs from other developers that make use of Google authentication, cloud services, and Game Dashboard.

You could use an Android app that protects users from severe cyberattacks and operates through the official Google Play store called Google Play Protect.

According to a security notice from Google, "Google Play Protect removes apps that have been marked as potentially hazardous because the app actually contains malicious behavior, not only because we are unsure if the app is harmful or not."

Before allowing you to download an app, the feature verifies its security. To deceive users into manually installing the infected files, some of these malicious sites invite victims to download phoney security tools or upgrades.

Four malicious apps were detected by research:
  • Bluetooth App Sender
  • Bluetooth Auto Connect
  • Driver: Bluetooth, USB, Wi-Fi
  • Mobile Transfer: smart switch
More than a million people have downloaded all of the applications together, and they invite a significant danger of identity theft and scams.

"These apps offer capabilities that consumers desire, such as device rooting and other developer features. Users knowingly install these potentially hazardous apps," as per Google.

Essentially Google Play Protect will initially issue a warning about the app's possible dangers when a user starts to install an app that Google has categorized as 'user-wanted.'  Google will not send any more warnings if the user decides to install the program anyhow.

Main functions of Google Play Protect:
  • Verifies the security of downloaded programs from the Google Play store.
  • Detects potentially hazardous programs outside the Google Play store.
  • Warns you about hazardous applications.
  • Removes or disables unwanted applications.
  • Alerts you to apps that break the rules by hiding or making false representations of themselves.
  • Sends you privacy alerts about applications that may request access to your personal information.
  • To protect your privacy, reset your app's permissions.
Google stated in its security note that "after installation, the user-wanted classifications restrict Google Play Protect from delivering additional warnings, so there is no disturbance to the user experience."

The Google Play Services platform also enables Google to push Project Mainline modules, allowing your device to receive security upgrades without having to wait for the producer to release them.

Deutsche Bank Denied Despite Data Sold on Telegram

The hacking gang that breached Medibank's systems may also be the hackers who are providing access info to Deutsche Bank's systems on the darknet. As a result, there has been a significant attack on Deutsche Bank. 

Malicious actors (0x dump) are allegedly selling internet access to the network of the large international investment bank Deutsche Bank after claiming to have hacked it. The bank's internal networks appeared to be available for sale on Telegram by an initial access broker, but Deutsche Bank has denied that its systems have been compromised (IAB). 


Data Breach Incident

Hackers said, "We are offering further network access of a specific bank, We have DA (direct access), the domain contains about 21 k workstations set primarily with Windows."

The notice was placed next to an image of the Frankfurt headquarters of Deutsche Bank with the Deutsche Bank emblem overlaid on it. 

One of several experts to disclose the revelation made by the initial access broker on Telegram was the security researcher Dominic Alvieri. 

The IAB asserts access to some 21000 Windows-based machines on the bank's network. It further states that a Symantec EDR solution with 16 terabytes of data was used to defend the hacked devices.

Access to 7.5 Bitcoin from the Deutsche Bank, valued at about $156,274, is being made available by the IAB. 

According to ransomware researcher Dominic Alvieri, Ox dump is the same broker who provided access to Medibank's systems, the Australian health insurance company that had 9.7 million client and employee details stolen last month.

Personal information exposed in the data breach includes names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for clients, and occasionally passport numbers for our overseas students. It also includes some information about health benefits.

According to Lawrence Abrams of Bleeping Computer, it is not the same hackers who took the data from Medibank, rather, it is a suspected initial access broker. However, it might be the same individual who provided the ransomware gang with access to the network.

Mewat: The New Cybercrime Hub in India

 

The Mewat region, situated between the Rajasthan and Haryana states of India is emerging as the new cyber fraud hub in India. 
 
After Jamtara, the infamous hotspot for cyber fraud cases where the young fraudsters involved in the racket would acquire SIM cards, open bank accounts, and dupe victims by posing as bank officials or representatives of telecom service providers, Mewat fraudsters have turned up with more malicious ways to dupe the online victims. 
 
Apparently, the Mewat fraudsters leverage sextortion, a blackmail category of cybercrime, as a weapon in order to deceive victims. 
 
The scammers target online victims while posing as young women, engaging them in conversations, and enticing the targets into sharing sexually explicit images. The scam is then followed by victims being threatened to leak the shared images unless paid.  
 
On being asked about the case's method of operation, Yusuf, one of the suspects held for the charges of sextortion revealed his gang's modus operandi. 
 
“It starts by writing a ‘hi’. He (the target) would usually ask about a video call. I’d do the video call. He’d be lured into going explicit. The woman on the phone does the same,” Yusuf says. 
 
On being asked about the ‘woman', Yusuf tells the investigating officer “It’s (actually the video) on the other phone. That device is placed right under the back camera of my phone, with a video of a woman playing over. It’s like a web call.” 
 
Reportedly, a phone on the other side uses screen recording software in order to capture the events. The victims are then threatened, and if they comply, the money is typically credited into a third party's account. 

In another cyber fraud case, a suspect was held for duping online victims via digital marketplaces.  
 
The scammer, Rahul Khan explains his fraud tactics as: Advertising expensive products for sale at deep discounts on online marketplaces such as OLX, claiming to be certain defence personnel, and fabricating a plausible story about distress. 
 
With the stats going higher in recent years, India recorded a total of 52,974 cases of cybercrime in 2021, up from 50,035 in 2020, 44,735 in 2019, and 27,248 in 2018.  
 
As per a report by the National Crime Records Bureau, nearly 60 percent of similar cybercrime cases were witnessed, pertaining to fraud followed by sexual exploitation (8.6 percent) and extortion (5.4 percent) in 2021.

OnionPoison: Malicious Tor Browser Installer Distributed through YouTube Video

 

Researchers at Kaspersky have detected a trojanized version of the Window installer for the Tor Browser, that is being distributed through a popular Chinese YouTube channel. 
 
The malware campaign, dubbed OnionPoison allegedly reaches internet users through the Chinese-language YouTube video. The video is providing users with information on ‘staying anonymous online.’ 
 
The threat actors attach a malicious URL link to the official Tor website, below the YouTube video. Additionally, adding another link to a cloud-sharing service hosting an installer for Tor was modified to include malicious code.  
 
The YouTube Channel has more than 180,000 subscribers, with the video being on top result for the YouTube query ‘Tor浏览器’ translating to “Tor Browser.” The video, posted on January 2022 had more than 64,000 views at the time of discovery (March 2022), reported Kaspersky. The malware installs a malicious Tor Browser that is structured to expose user data that involves a list of installed software, browsing history, and data the users may have entered in a website form. The researchers also found that the library bundled with Tor Browser is infected with spyware. 
 
“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it [...] We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.” reads the analysis conducted by Kaspersky. 
 
It is worth mentioning that the Tor browser is banned in China on account of China's extensive internet censorship. As a result, users often access the browser through third-party websites for downloading it. Hence, the users are most likely to be exposed to scams and be deceived into downloading the malicious installer.  
 
It is believed that the intention of the OnionPoison campaign may not be financially motivated as the threat actors did not recover any credentials or wallets.  
 
In regard to this, the researchers are warning China-based users and companies to avoid using third-party websites for downloading software to prevent becoming targets of threat actors.  
 

Cobalt Strike Beacon Using Job Lures to Deploy Malware

Cisco Talos researchers have detected a new malware campaign that is using job lures to deploy malware. The threat actors are weaponizing a year-old remote code execution flaw in Microsoft Office, infecting victims with leaked versions of Cobalt Strike beacons. 

According to the researchers, the attacks were discovered in August 2022. It begins with phishing emails regarding the U.S. Government's job details or a New Zealand trade union. The emails comprise of a multistage and modular infection chain with fileless, malicious scripts. 

On opening the attached malicious Word file, the victim was infected with an exploit for CVE-2017-0199, a remote code execution vulnerability in MS Office, that allows the threat actor to control the infected systems. As a result, the attacker deploys a chain of attack scripts that leads up to the Cobalt Strike beacon installation. 

"The payload discovered is a leaked version of a Cobalt Strike beacon[...]The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic" states Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer in a new analysis published on Wednesday. 

In addition to discovering the Cobalt Strike beacon as the payload in this campaign, the researchers have also observed the usage of the Redline information-stealer and Amadey botnet executables as the payloads. 

The Modus Operandi has been called “highly modularized” by the experts, the attack stands out for it leverages Bitbucket repositories to deploy malicious content that serves as a kickoff for downloading a Window executable, responsible for the installation of Cobalt Strike DLL beacon, says the Cybersecurity researchers. 

"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory[...]Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain." states the researchers. 

Considering the growing phishing and malware attacks, the Cisco Talos team suggested users protect themselves with measures, such as updating their software and not opening any attachments in unsolicited messages. Besides, the team also suggests that administrators monitor their network security. 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that uses mouse movement in Microsoft PowerPoint, to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government organizations of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in zoom. Additionally, it incorporates a hyperlink that plays a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, Graphite malware is in Portable Executable (PE) form, which allows the malware operator to load other malwares into the system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” States Cluster25, in its published analysis.
 
The aforementioned Graphite malware is a fileless malware that is deployed in-memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Graphite malware’s purpose is to allow the attacker to deploy other malwares into the system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

Businesses Hit By The Ransomware 0mega

 

Launched in May 2022, this new ransomware operation known as 0mega uses a double-extortion method to target corporations all over the world and seeks millions of dollars in ransom. 

Since a ransomware sample for the 0mega operation is not yet detected, not much is known about the encryption method used. However, what's known is that the malware adds the .0mega extension to the encrypted file names and produces ransom letters with the filename extension DECRYPT-FILES.txt, according to BleepingComputer. 

Such ransom notes are made specifically for each victim, and they typically include the name of the business and a list of the various kinds of data that were stolen. Additionally, some notes contain threats that, in the scenario that a ransom is not paid, the 0mega gang will reveal the information to commercial partners and trade associations. 

The victims can contact the ransomware group using the "help" chat feature of the Tor payment negotiation site included in ransom notes. It includes a special code to get in touch with the operators via the negotiating site. 

Like practically all ransomware operations that target businesses, 0mega has a specific site for data leaks where malicious actors disseminate stolen information if a ransom is not paid. 152 GB of data that was stolen from an electronics repair business in a May incident is now hosted on 0mega's leak site. 

Last week, though, there was a second victim who has since been eliminated, suggesting that the business has perhaps paid a ransom. In a published blog post The digest 'Crypto ransomware', researchers Lawrence Abrams and Andrew Ivanov discusss the malware in detail.

QNAP NAS servers attacked by Checkmate ransomware

 

A new ransomware strain known as Checkmate has recently come to the attention of Taiwanese vendor QNAP, and early research suggests that it is targeting NAS machines with SMB services that are accessible via the internet. SMB is a communication protocol that allows nodes on a network of devices to exchange access to files. 

Objectives: 

The ransomware adds the .checkmate extension to the filenames of encryption keys and leaves an extortion letter with the name !CHECKMATE DECRYPTION README on the compromised devices. 

According to a report by BleepingComputer, some forum users claimed to have contracted the Checkmate ransomware in June. For a decryptor and a decryption key, the hackers want payment from the victims in bitcoins worth $15,000 each. 

The malicious actors behind this campaign, according to QNAP, will use accounts compromised by dictionary assaults to remotely log in to devices that are vulnerable to remote access. After getting access, they begin encrypting files in shared folders, although according to victim claims, all the data is encrypted.

Resist ransomware threats 

The company advised users to utilize VPN software to decrease the attack surface and prevent threat actors from attempting to log in using hacked credentials. It also advised customers to avoid exposing their NAS machines to Internet access. 

Additionally, QNAP users were instructed to evaluate all of their NAS accounts right away, double-check that they're using strong passwords, back up their files, and often create backup snapshots in case their data needs to be restored.

Taking away SMB 1 
  • Visit QTS, QuTS hero, or QuTScloud and log in. 
  • Go to Win/Mac/NFS/WebDAV > Microsoft Networking under Control Panel > Network & File.
  • Then select Advanced Options. 
  • The window for Advanced Options appears. 
  • Select SMB 2 or higher next to the Lowest SMB version. 

QTS, QuTS hero, or QuTScloud updates 
  • Register as an administrator on QTS, QuTS Hero, or QuTScloud.
  • Go to System > Firmware Update in the Control Panel. 
  • Click Check for Update under Live Update. 

The most recent update is downloaded and installed by QTS, QuTS hero, or QuTScloud. Additionally, QNAP stated last month that it is "thoroughly researching" a recent round of attacks that began in early June and are aimed at spreading the DeadBolt ransomware.

In the past two years, a wave of ransomware assaults has targeted QNAP NAS users, leading the vendor to publish several alerts and urgent updates, and even encourage for end-of-life hardware.

Malicious Actor Claims Targeting IBM & Stanford University

 

Jenkins was mentioned as one of the TTPs employed by spyware in a report on a British cybercrime forum found by CloudSEK's contextual AI digital risk platform XVigil. To boost ad clickthroughs, this module features stealth desktop takeover capabilities. Based on unofficial talks, CloudSEK experts anticipate that this harmful effort will increase attempts to infect bots. 

Evaluation of threats 

A malicious actor detailed how they hacked into a major organization by taking advantage of a flaw in the Jenkins dashboard in a post on a cybercrime site on May 7, 2022. 

Previously, the same threat actor was observed giving access to IBM. In addition, the actor provided evidence of a sample screenshot showing their alleged connection to a Jenkins dashboard. 

The malicious actors came upon a Jenkins dashboard bypass that had internal hosts, scripts, database logins, and credentials. They exploited the company's public asset port 9443 by using search engines like Shodan as per researchers. 

After receiving data, the actor employed a custom debugging script to find vulnerable targets for bypassing rproxy misconfiguration. 

Origin of the threat actor

The hacker claimed they previously targeted IBM Tech Company as well, in particular internal administrators' scripts and firewall configurations for internal networks, in other posts by the same person on the cybercrime site.

The actor also stated the following exploit narrative as to how to get into Stanford University in their future posts: 
  • The actor counted all the subdomains connected to the University using the Sudomy tool. 
  • The actor then applied a path, such as -path /wp-content/plugins/, to the domains using httpx. 
  • An attacker can execute RCE on the plugin by returning data from all of the subdomains that have a valid path with the susceptible zero-day vulnerability. 

According to CloudSEK, which reported the threats, other entities could execute similar exploits using the threat actor's TTP. "Modules like these can facilitate complex ransomware assaults and persistence," the security experts said while adding that threat actors "could migrate laterally, infecting the network, to retain persistence and steal credentials." 

Actors may utilize revealed credentials to access the user's other accounts because password reuse is standard practice. For reference, the malicious actors also took credit for hacking Stanford University and Jozef Safarik University in Slovakia. 

According to reports from XVigil, official access to the domains was reportedly found in several nations, including Ukraine, Pakistan, United Arab Emirates, and Nepal. 

Google Blocks Malicious Domains Used by Hack-for-hire Groups

About hack-for-hire

Threat Analyst Group (TAG) of Google last week revealed that it blocked around 36 malicious domains used by Hacking groups in Russia, UAE, and India. 

In a technique similar to surveillance ecosystems, hack-for-hire groups give their clients the leverage to launch targeted cyberattacks on corporate organizations, politicians, activists, journalists, and other users that are at high-risk. 


What is Google saying?

Google in its Blog says "as part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further harm."  

The only difference in the manners of the two is that while users buy the spyware from commercial vendors and later use it themselves, the actors behind hack-for-hire cyberattacks deploy the hacking attempts on the clients' behalf so that the buyers remain anonymous. 


How does hack-for-hire operate?

The hack-for-hire ecosystem is flexible in two ways, first in how the actors deploy the attacks themselves, and second, in the large range of targets, they seek in a single campaign on their clients' behalf. 

Some hacking groups publicly market their products and services to any user that is willing to pay, however, few operate in a hidden manner and sell their services to a limited public. 

"We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement," says Google. 


Other Details


A recent campaign launched by an Indian hacking group attacked an IT company in Cyprus, a fintech organization in the Balkans, an educational institute in Nigeria, and a shopping company in Israel, hinting the wide range of victims. 

According to Google Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously worked for Indian offensive security providers Appin and Belltrox. 

One cluster of this activity frequently targets government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain with credential phishing campaigns, Google adds. 

Facebook Users Phished by a Chatbot Campaign


You might be surprised to learn that more users check their chat apps than their social profiles. With more than 1.3 billion users, Facebook Messenger is the most popular mobile messaging service in the world and thus presents enormous commercial opportunities to marketers.

Cybersecurity company SpiderLabs has discovered a fresh phishing campaign using Messenger's chatbot software

How do you make it all work? 

Karl Sigler, senior security research manager at Trustwave SpiderLabs, explains: "You don't just click on a link and then be offered to download an app - most people are going to grasp that's an attack and not click on it. In this attack, there's a link that takes you to a channel that looks like tech help, asking for information you'd expect tech support to seek for, and that escalating of the social-engineering part is unique with these types of operations."

First, a fake email from Facebook is sent to the victim – warning that their page has violated the site's community standards and would be deleted within 48 hours. The email also includes a "Appeal Now" link that the victim might use to challenge the dismissal.

The Facebook support team poses an "Appeal Now" link users can click directly from the email, asserting to be providing them a chance to appeal. The chatbot offers victims another "Appeal Now" button while posing as a member of the Facebook support staff. Users who click the actual link are directed to a Google Firebase-hosted website in a new tab.

According to Trustwave's analysis, "Firebase is a software development platform that offers developers with several tools to help construct, improve, and expand the app easier to set up and deploy sites." Because of this opportunity, spammers created a website impersonating a Facebook "Support Inbox" where users can chiefly dispute the reported deletion of their page. 

Increasing Authenticity in Cybercrime 

The notion that chatbots are a frequent factor in modern marketing and live assistance these days and that people are not prone to be cautious of their contents, especially if they come from a fairly reliable source, is one of the factors that contribute to this campaign's effectiveness. 

According to Sigler, "the advertising employs the genuine Facebook chat function. Whenever it reads 'Page Support,' My case number has been provided by them. And it's likely enough to get past the obstacles that many individuals set when trying to spot the phishing red flags."

Attacks like this, Sigler warns, can be highly risky for proprietors of business pages. He notes that "this may be very effectively utilized in a targeted-type of attack." With Facebook login information and phone numbers, hackers can do a lot of harm to business users, Sigler adds.

As per Sigler, "If the person in charge of your social media falls for this type of scam, suddenly, your entire business page may be vandalized, or they might exploit entry to that business page to acquire access to your clients directly utilizing the credibility of that Facebook profile." They will undoubtedly pursue more network access and data as well. 

Red flags to look out for 

Fortunately, the email's content contains a few warning signs that should enable recipients to recognize the letter as spoofed. For instance, the message's text contains a few grammatical and spelling errors, and the recipient's name appears as "Policy Issues," which is not how Facebook resolves such cases.

More red flags were detected by the experts: the chatbot's page had the handle @case932571902, which is clearly not a Facebook handle. Additionally, it's barren, with neither followers nor posts. The 'Very Responsive' badge on this page, which Facebook defines as having a response rate of 90% and replying within 15 minutes, was present although it seemed to be inactive. To make it look real, it even used the Messenger logo as its profile image. 

Researchers claim that the attackers are requesting passwords, email addresses, cell phone numbers, first and last names, and page names. 

This effort is a skillful example of social engineering since malicious actors are taking advantage of the platform they are spoofing. Nevertheless, researchers urge everyone to exercise caution when using the internet and to avoid responding to fake messages. Employing the finest encryption keys available will protect your credentials.

Phishing Emails Faking Voicemails aim to Steal Your Data

 

Vishing is the practice of sending phishing emails to victims that appear to be voicemail alerts to acquire their Microsoft 365 and Outlook login information. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active. 

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers inform recipients of missed voicemails via email notifications that contain links to web-based attachments. Although many people don't check voicemail, audio messages on LinkedIn and WhatsApp have been there for a while, so using them to deceive consumers into clicking a link in an email can be successful. 

Naturally, when the target clicks the link, they are taken to a credential phishing web page hosted on Japanese servers rather than a voicemail at all. The user gets directed to the Microsoft Office website or the Wikipedia page if the encoded email address at the end of the URL is missing.

The user is shown the final page, which is an Office 365 phishing page after they have correctly supplied the CAPTCHA information. The 2020 campaign Zscaler tracked using the same approach. 

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

As the majority of businesses quickly transitioned to a primarily remote-work style, with many workers working from their homes, phishing usage continued to increase. It peaked during the peak of the COVID-19 pandemic in 2020 and 2021. 

A substantial majority of credentials have been successfully compromised by the effort, which can be utilized for a number of different cybercrime endgames. These consist of taking control of accounts to gain access to files and data theft to send malicious emails that appear to be from a legitimate organization, and implanting malware,. The goal is to trick victims into using the same passwords for several accounts by adding the user ID/password combinations to credential-stuffing lists. 

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.

Microsoft Launches New Privacy Features for Windows 11

 

Microsoft is developing a new privacy dashboard to patch its vulnerabilities for Windows 11 that will allow users to view which apps and tools have access to sensitive hardware components such as the camera, microphone, location, phone calls, messages, and screenshots. It's included in one of June Windows 11 Preview Builds and now is ready for testing in the Dev Channel for Windows Insiders.

Users will be able to view the newly implemented tool in the Privacy & Security > App Permissions section, where a "Recent activity" option will be available, as per Microsoft. Users will be able to locate the monitored category of information in this section. "Once clicked, it will show every instance of one of the programs installed on a user's machine that has recently accessed sensitive devices and information," says the next step. Even though the list contains information about the most recent time the program accessed the service, clicking on any of the entries yields no additional information.

Several users would be able to proactively protect themselves from ransomware and phishing attacks that are unwittingly deployed by malicious actors due to this additional layer of privacy. Malware or malicious software may obtain access to a user's privacy in some cases via spying on its camera or microphone, or by reading file paths, process IDs, or process names.

If Windows Hello is turned off, your PC will be unable to access your camera. Some apps use the Camera app to capture pictures, by the Camera app's camera access setting. No images will be taken and sent to the app that accessed them unless you manually select the capture button in the Camera app.

Desktop apps can be downloaded from the internet, stored on a USB drive, or installed by your IT administrator. Microsoft has not yet officially launched this new privacy option, according to its Windows Insider Blog. This information comes from Microsoft's Vice President of Enterprise and OS Security, David Weston, in a tweet on Thursday. 

Windows has never had a privacy feature as useful as this, but it appears that Microsoft is working to strengthen the operating system's privacy controls. With Android version 12, Google provided a similar capability, although its execution is far from satisfactory.

Facebook :"Is that you?" 500,000 People Were Victims of this Phishing Scam

 

Facebook has often been a favorite hunting ground for cybercriminals who delight in preying on the naive members of the internet community. While addressing a very prevalent fraud known as "Is that you?" cybernews has conducted research. It's a type of video phishing scam in which the attacker delivers a link to a fictitious video in which the victim appears. When you click, the trouble begins as soon as you enter some personal information and log in. 

Researchers were recently rewarded for such diligence when they received a warning from fellow cyber investigator Aidan Raney – who originally contacted them after the original results were released – that malicious links were being sent to users. Upon further investigation, it was discovered that thousands of these phishing links had been circulated via a devious network spanning the social media platform's back channels. If left unchecked, hundreds of thousands of naive social network users might fall prey to the shady connections - the "Is That You?" scam was said to have ensnared half a million victims before researchers discovered it. 

Raney explained, "I worked out what servers did what, where code was hosted, and how I might identify additional servers." "I then used this information, as well as urlscan.io, to seek for more phishing sites with similar features to this one." 

A thorough examination of the servers linked to the phishing links revealed a page that was transmitting credentials to devsbrp. app. A banner believed to be attached to a control panel was discovered with the wording "panelfps by braunnypr" printed on it. A second search using keywords led the study team right to the panel and banner designer, whose email address and password variations were also identified  neatly turning the tables on fraudsters who prey on unwary web users' credentials. 

Cybernews accessed a website which proved to be the command and control hub for most of the phishing assaults linked to the gang, known to include at least 5 threat actors but could have plenty more, using the threat actor's personal details. This gave our brave investigators a wealth of information about the culprits of the Facebook phishing scam, including the likely country of residence  the Dominican Republic.

"We were able to distribute the user list for everyone who has signed up for this panel," the Cybernews researcher explained. "We started unearthing the identities with as many people on the list as we could using the usernames on the list, but there is still more work to be done." Researchers provided the appropriate information to the Dominican Republic's Cyber Emergency Response Team (CERT) at the time, as evidence suggested that the campaign had started there as well.

Dark Web: 31,000 FTSE 100 Logins

 

With unveiling the detection of tens of thousands of business credentials on the dark web, security experts warn the UK's largest companies that they could unintentionally be exposed to significant vulnerability. Outpost24 trawled cybercrime sites for the compromised credentials, discovering 31,135 usernames and passwords related to FTSE 100 companies using its threat monitoring platform Blueliv.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained by traditional data breaches, while a quarter was gained through personally targeted malware infections. 
  • The vast majority of FTSE 100 firms (81%) had at least one credential hacked and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 hacked credentials. 
  • Since last year, there were 31,135 hacked and leaked credentials for FTSE 100 organizations, with 38 of them being exposed on the dark web. 
  • Up to 20% of credentials are lost due to malware infections and identity thieves.
  • 11% disclosed in the last three months (21 in the last six months, and 68% for more than a year) Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%). 
  • With the largest total number (7,303) and average stolen credentials per company (730), the IT/Telecoms industry is the most in danger. They are the most afflicted by malware infection and have the most stolen credentials disclosed in the last three months.
  • Healthcare has the biggest amount of stolen credentials per organization (485) due to data breaches, as they have become increasingly targeted by cybercriminals since the pandemic started. 

"Malicious actors could use such logins to get covert network access as part of "big-game hunting" ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.

A New Regulation Seeks to Secure Non-HIPAA Digital Health Apps

 

A guideline designed and distributed by several healthcare stakeholder groups strives to secure digital health technologies and mobile health apps, the overwhelming majority of which fall outside of HIPAA regulation. 

The Digital Health Assessment Framework was launched on May 2 by the American College of Physicians, the American Telemedicine Association, and the Organization for the Review of Care and Health Applications. The methodology intends to examine the use of digital health technologies while assisting healthcare leaders and patients in assessing the factors about which online health tools to employ. Covered entities must also adopt necessary administrative, physical, and technical protections to preserve the confidentiality, integrity, and availability of electronically protected health information, according to the Health Insurance Portability and Accountability Act Rules. 

Healthcare data security was never more critical, with cyberattacks on healthcare businesses on the rise and hackers creating extremely complex tools and tactics to attack healthcare firms. Before HIPAA, the healthcare field lacked a universally agreed set of security standards or broad obligations for protecting patient information. At the same time, new technologies were advancing, and the healthcare industry began to rely more heavily on electronic information systems to pay claims, answer eligibility issues, give health information, and perform a variety of other administrative and clinical duties. 

Furthermore, the Office for Civil Rights at the Department of Health and Human Services has enhanced HIPAA Rule enforcement, and settlements with covered businesses for HIPAA Rule violations are being reached at a faster rate than ever before. 

"Digital health technologies can provide safe, effective, and interacting access to personalized health and assistance, as well as more convenient care, improve patient-staff satisfaction and achieve better clinical outcomes," said Ann Mond Johnson, ATA CEO, in a statement. "Our goal is to provide faith that the health and wellness devices reviewed in this framework meet quality, privacy, and clinical assurance criteria in the United States," she added. 

Several health apps share personal information with third parties, leaving them prone to hacks. Over 86 million people in the US use a health or fitness app, which is praised for assisting patients in managing health outside of the doctor's office. HIPAA does not apply to any health app which is not advised for use by a healthcare provider. 

The problem is that the evidence strongly suggests the app developers engage in some less-than-transparent methods to compromise patient privacy. Focusing on a cross-sectional assessment of the top tier apps for depression and smoking cessation in the US and Australia, a study published in JAMA in April 2019 found that the majority of health apps share data to third parties, but only a couple disclosed the practice to consumers in one‘s privacy policies. 

Only 16 of the evaluated applications mentioned the additional uses for data sharing, despite the fact that the majority of the apps were forthright about the primary use of its data. 

According to the aforementioned study, nearly half of the apps sent data to a third party yet didn't have a privacy policy. But in more than 80% of cases, data was shared with Google and Facebook for marketing purposes. 

Another study published in the British Medical Journal in March 2019 discovered that the majority of the top 24 health education Android applications in the USA linked user data without explicitly informing users. In 2021, a study conducted by Knight Ink and Approov found that the 30 most popular mHealth apps are highly vulnerable to API hacks, which might result in the exploitation of health data. Only a few app developers were found in violation of the Federal Trade Commission's health breach rule. 

The guideline from ACP, ATA, and ORCHA aims to help the healthcare industry better comprehend product safety. "There has been no clear means to establish if a product is safe to use in a field of 365,000 goods, where the great majority fall outside of existing standards, such as medical device regulations, federal laws, and government counsel," as per the announcement. 

The implementation of digital health, covering condition management, clinical risk assessment, and decision assistance, is hampered by a lack of direction. The guide is a crucial step in identifying and developing digital health technologies which deliver benefits while protecting patient safety, according to ACP President Ryan D. Mire, MD. The guidelines were developed using the clinical expertise of ACP and ATA members, along with ORCHA's app assessment experience.

ACP also launched a pilot test of digital health solutions that were evaluated against the new framework in conjunction with the new framework. Mire hopes that the trial will assist providers to identify the most effective features for recommending high-value digital health technologies to patients and identify potential impediments to extensive digital health adoption.

 Bangladesh Cyber Incident Response Team has Issued a Warning About Malware Attacks Around Eid

 

Officials have warned of a possible cyber-attack on Bangladesh's financial and other key institutions' computer systems during the Eid vacations. According to a statement issued by the Digital Security Agency, the affected authorities must install or update anti-DDOS hardware and software. 

Officials believe the warning was sent by the government's specialized cyber-threat agency as a global cyberwar erupts in the Russia-Ukraine conflict, with NATO assisting the latter with arms support. 

The Bangladesh Computer Council's e-Government Computer Incident Response Team (BGD e-GOV CIRT) also recommends all key information facilities' internal systems be checked and monitored.

Following the current conflict between Ukraine and Russia, Tarique M Barkatullah, director (operations) of the Digital Security Agency and project director of the BGD e-GOV CIRT, stated “hackers from both sides are using important information infrastructures of different countries to spread botnets and malware and attack each other.” 

Botnets are computer networks infected with malware (such as computer viruses, key loggers, and other malicious code or malware) and remotely controlled by criminals, either for monetary gain or to launch assaults on websites or networks. 

BGD e-Gov CIRT discovered over 1400 IP numbers used in Russia after analyzing the warning message issued by the Russian Computer Security Incident Response Team. According to the CIA, hackers are using these IPs to spread propaganda and launch distributed denial of service (DDoS) operations. 

Tareq M Barkatullah, project director of BGD e-Gov CIRT, remarked in this reference: “The country's afflicted financial institutions and public service suppliers are being hampered in providing its usual services due to the exploitation of these IP-enabled Bangladeshi servers."

According to the Financial Express, Prof Dr. Md Salim Uddin, chairman of the executive committee of Islami Bank Bangladesh Limited (IBBL), several financial institutions have been targeted by cyber-attacks as a result of the current crisis between Ukraine and Russia.

IBBL is well-prepared to thwart any cyber-attack because it is always adopting new technological solutions. Among the internal systems, he emphasized strengthening cyber-security with new tech solutions and monitoring systems. To prevent all types of cyber threats, financial institutions should join an organization or platform to improve cooperation and integration. He further urges the government to expand collaboration and support in this area in order to combat rising cyber-threats in the future.

According to Europol, Deepfakes are Used Frequently in Organized Crime

 

The Europol Innovation Lab recently released its inaugural report, titled "Facing reality? Law enforcement and the challenge of deepfakes", as part of its Observatory function. The paper presents a full overview of the illegal use of deepfake technology, as well as the obstacles faced by law enforcement in identifying and preventing the malicious use of deepfakes, based on significant desk research and in-depth interaction with law enforcement specialists. 

Deepfakes are audio and audio-visual consents that "convincingly show individuals expressing or doing activities they never did, or build personalities which never existed in the first place" using artificial intelligence. Deepfakes are being utilized for malevolent purposes in three important areas, according to the study: disinformation, non-consensual obscenity, and document fraud. As technology further advances in the near future, it is predicted such attacks would become more realistic and dangerous.

  1. Disinformation: Europol provided several examples of how deepfakes could be used to distribute false information, with potentially disastrous results. In the geopolitical domain, for example, producing a phony emergency warning that warns of an oncoming attack. The US charged the Kremlin with a disinformation scheme to use as a pretext for an invasion of Ukraine in February, just before the crisis between Russia and Ukraine erupted.  The technique may also be used to attack corporations, for example, by constructing a video or audio deepfake which makes it appear as if a company's leader committed contentious or unlawful conduct. Criminals imitating the voice of the top executive of an energy firm robbed the company of $243,000. 
  2. Non-consensual obscenity: According to the analysis, Sensity found non-consensual obscenity was present in 96 percent of phony videos. This usually entails superimposing a victim's face onto the body of a philanderer, giving the impression of the victim is performing the act.
  3. Document fraud: While current fraud protection techniques are making it more difficult to fake passports, the survey stated that "synthetic media and digitally modified facial photos present a new way for document fraud." These technologies, for example, can mix or morph the faces of the person who owns the passport and the person who wants to obtain one illegally, boosting the likelihood the photo will pass screening, including automatic ones. 

Deepfakes might also harm the court system, according to the paper, by artificially manipulating or producing media to show or deny someone's guilt. In a recent child custody dispute, a mother of a kid edited an audiotape of her husband to persuade the court he was abusive to her. 

Europol stated all law enforcement organizations must acquire new skills and tools to properly deal with these types of threats. Manual detection strategies, such as looking for discrepancies, and automatic detection techniques, such as deepfake detection software uses artificial intelligence and is being developed by companies like Facebook and McAfee, are among them. 

It is quite conceivable that malicious threat actors would employ deepfake technology to assist various criminal crimes and undertake misinformation campaigns to influence or corrupt public opinion in the months and years ahead. Machine learning and artificial intelligence advancements will continue to improve the software used to make deepfakes.

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed. 

Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.

Misconfigured Keys are Tackled in ServiceNow's Guidelines

 

ServiceNow, a $4.5 billion software company assisting businesses with its digital workflows, has released recommendations for its clients regarding Access Control List (ACL) misconfiguration. 

In one of its reports, AppOmni said that the usual misconfigurations are caused by a "combination of customer-managed ServiceNow ACL setups and overprovisioning of access to guest users". 

The general public is a factor in RBAC for public-facing businesses. The capacity to provide public access to the information within your 'database,' which may be a forum, online shop, customer service site, or knowledge base, is one crucial feature of RBAC, according to the paper. When firms upgrade or alter SaaS services or onboard new users, the difficulty is guaranteeing the appropriate level of access.

The researchers found roughly 70% of the ServiceNow instances examined by AppOmni were misconfigured, posing the risk of unauthorized users stealing critical data from businesses who are not even aware of them being at risk. 

Securing SaaS, according to AppOmni CEO Brendan O'Connor, is much more involved in simply checking a few options or enabling strong authentication for users."Because of its flexibility and power, SaaS platforms have evolved into company operating systems. There are numerous good reasons for workloads and applications running on a SaaS platform to interface with the outside world, such as integrating with emails and text messages or hosting a customer care portal" O'Connor further added. 

As per AppOmni Offensive Security Researcher Aaron Costello, ServiceNow external interfaces exposed to the public could allow a hostile actor to take data from records. Meanwhile, Brian Soby, CTO of AppOmni, said "the enormous degree of flexibility in modern SaaS systems has made misconfiguration one of the largest security concerns enterprises face. Our goal is to shine a light on frequent SaaS platform misconfigurations and other potential hazards so customers can guarantee the system posture and configuration matches its business intent."