Showing posts with label Malware Attack.

The Fake E-Shop Scam Campaign Sweeping Southeast Asia, Seizing Users' Banking Details

In recent years, cybercriminals have been increasingly employing sophisticated tactics to target individuals and organizations across the globe. One such alarming trend is the proliferation of fake e-shop scam campaigns, particularly prevalent in Southeast Asia. 

These campaigns, characterized by their deceptive methods and malicious intent, pose significant threats to cybersecurity and personal privacy. The emergence of the fake e-shop scam campaign targeting Southeast Asia dates back to 2021, with a notable surge in activity observed by cybersecurity researchers in September 2022. 

Initially concentrated in Malaysia, the campaign swiftly expanded its operations to other countries in the region, including Vietnam and Myanmar. This expansion underscores the growing sophistication and reach of cybercriminal networks operating in Southeast Asia. At the heart of these malicious campaigns are phishing websites designed to deceive unsuspecting users. 

These websites often masquerade as legitimate e-commerce platforms or payment gateways, luring victims into providing sensitive information such as login credentials and banking details. Once users are enticed to visit these fraudulent sites, they are exposed to various forms of malware, including malicious Android applications packaged as APK files. 

The modus operandi of the attackers involves social engineering tactics, with cybercriminals leveraging popular communication platforms like WhatsApp to initiate contact with potential victims. By impersonating cleaning services or other seemingly innocuous entities on social media, the perpetrators exploit users' trust and curiosity, leading them to engage in conversations that ultimately result in malware infection. 

The malware deployed in these fake e-shop scam campaigns is multifaceted and keeps evolving to evade detection and maximize its impact. Initially focused on stealing login credentials for Malaysian banks, including prominent institutions like Hong Leong, CIMB, and Maybank, the malware has since gained additional capabilities. These include taking screenshots, abusing Android's accessibility services (which let an app read what is on screen and inject taps and keystrokes on the user's behalf), and even screen sharing, giving the attackers near-complete control over infected devices. 

Furthermore, the attackers have demonstrated a keen understanding of the linguistic and cultural nuances of their target regions. In Vietnam, for example, the campaign specifically targeted customers of HD Bank, employing phishing websites tailored to mimic the bank's online portal and language. Similarly, in Myanmar, the attackers utilized Burmese language phishing pages to enhance the credibility of their schemes among local users. 

The implications of these fake e-shop scam campaigns extend beyond financial losses and reputational damage. They are a direct assault on user privacy and security, with far-reaching consequences for individuals and businesses alike. The theft of personal and financial information can lead to identity theft, unauthorized transactions and account takeover, resulting in significant financial and emotional distress for victims. 

In response to these evolving threats, cybersecurity experts emphasize the importance of proactive measures. For this campaign the single most effective one is refusing to sideload: an APK sent over WhatsApp or linked from a social-media shop is not how a bank or a legitimate retailer delivers an app, so users should install apps only from the official store, keep the "install unknown apps" permission disabled, and treat any request to grant accessibility access to a shopping app as a red flag. Beyond that, exercise caution with unfamiliar websites or online advertisements, keep security software updated, and stay informed about emerging threats. 

Ultimately, combating the scourge of fake e-shop scam campaigns requires collective action and collaboration among stakeholders across the cybersecurity ecosystem. By raising awareness, implementing robust security measures, and fostering a culture of cyber resilience, we can mitigate the risks posed by these insidious threats and protect the integrity of our digital infrastructure.

Insights into Recent Malware Attacks: Key Learnings and Prevention Strategies

In an era where cybersecurity threats loom large, recent malware attacks have underscored the critical need for robust protective measures. Understanding the modus operandi of these attacks and learning from them can empower individuals and organizations to bolster their defenses effectively. 

Let's delve into the biggest takeaways from these incidents and explore preventive strategies to safeguard against future threats. One of the striking revelations from recent malware attacks is the evolving sophistication of malicious actors. Advanced techniques such as polymorphic malware, which can change its code to evade detection, pose significant challenges to traditional security protocols. This highlights the importance of investing in next-generation cybersecurity solutions capable of adaptive threat detection and mitigation. 

Furthermore, the rise of ransomware attacks has been particularly alarming. These attacks encrypt valuable data and demand a ransom for its release, often causing substantial financial losses and operational disruptions. Implementing a multi-layered defense strategy encompassing regular data backups, network segmentation, and employee training on phishing awareness can mitigate the risk of falling victim to ransomware extortion. 

Additionally, the proliferation of supply chain attacks has raised concerns about the interconnected nature of modern digital ecosystems. Attackers target third-party vendors and service providers to infiltrate their primary targets indirectly. Vigilance in vetting and monitoring supply chain partners, along with implementing robust access controls and encryption protocols, is paramount to mitigating this threat. Moreover, the exploitation of software vulnerabilities underscores the importance of timely patch management and software updates. 

Neglecting to patch known vulnerabilities provides attackers with an entry point to exploit systems and compromise sensitive data. Establishing a proactive patch management framework that prioritizes critical vulnerabilities and expedites the deployment of patches can significantly enhance cybersecurity posture. Social engineering tactics remain a prevalent avenue for malware dissemination, emphasizing the crucial role of user education and awareness. Phishing emails, fraudulent websites, and deceptive messages continue to lure unsuspecting individuals into inadvertently downloading malware or divulging sensitive information. 

Educating users on recognizing and reporting suspicious activities, coupled with implementing email filtering and web security solutions, can mitigate the effectiveness of social engineering attacks. Furthermore, the emergence of fileless malware represents a significant paradigm shift in cyber threats. By residing solely in system memory without leaving a footprint on disk, fileless malware evades traditional antivirus detection mechanisms. Deploying endpoint detection and response (EDR) solutions capable of behavior-based anomaly detection and memory analysis can effectively identify and neutralize fileless malware threats. 

In conclusion, recent malware attacks serve as potent reminders of the evolving threat landscape and the imperative of proactive cybersecurity measures. By staying abreast of emerging threats, investing in cutting-edge security technologies, fostering a culture of cybersecurity awareness, and adopting a multi-faceted defense approach, individuals and organizations can fortify their resilience against malicious actors. As the digital landscape continues to evolve, continuous vigilance and adaptation are essential to staying one step ahead of cyber adversaries.

Unveiling the MaaS Campaign: Safeguarding Android Users in India

In the vast landscape of cybersecurity threats, a new campaign has emerged targeting Android users in India. Dubbed the "MaaS Campaign," this operation has caught the attention of security experts due to its sophisticated nature and potential for widespread damage. Let's delve into the intricacies of this campaign, its modus operandi, and the measures users can take to protect themselves. 

The MaaS Campaign, short for Malware-as-a-Service, represents a significant evolution in cybercrime tactics. Unlike traditional cyberattacks that require substantial technical expertise, the MaaS Campaign allows even novice hackers to deploy sophisticated malware with minimal effort. This democratization of cybercrime poses a severe threat to users, particularly in regions like India, where Android devices dominate the market. 

At the heart of the MaaS Campaign lies the abuse of how Android apps are installed and patched rather than a single flaw in the platform: Android permits sideloading of APKs from outside the Play Store, and many devices run outdated builds with known, unpatched bugs. Through malicious apps, phishing emails, and compromised websites, the operators lure unsuspecting users into installing the malware themselves. Once on a device, the malware operates stealthily, often evading traditional antivirus software. Its primary objective is to steal sensitive information, including personal data, financial credentials, and login credentials for online accounts. 

This information is then used for a range of malicious activities, including identity theft, financial fraud, and espionage. What makes the MaaS Campaign particularly concerning is its targeted approach towards Android users in India. With India's burgeoning smartphone market and increasing reliance on digital services, the country has become a lucrative target for cybercriminals. 

Moreover, the diversity of Android devices and the prevalence of outdated software versions exacerbate the security risks, leaving millions of users vulnerable to exploitation. To mitigate the risks associated with the MaaS Campaign and similar cyber threats, users must adopt a proactive approach to cybersecurity. Firstly, maintaining vigilance while downloading apps or clicking on links is crucial. Users should only download apps from trusted sources such as the Google Play Store and avoid clicking on suspicious links or email attachments. 

Additionally, keeping software and operating systems up-to-date is paramount. Developers frequently release security patches to address known vulnerabilities, and failing to update exposes devices to exploitation. Users should enable automatic updates wherever possible and regularly check for updates manually. 

Furthermore, investing in robust cybersecurity solutions can provide an added layer of defense against malware and other cyber threats. Antivirus software, firewalls, and anti-malware tools can help detect and neutralize malicious activity, safeguarding users' devices and data. Education also plays a pivotal role in combating cyber threats. Users should familiarize themselves with common phishing tactics, malware warning signs, and best practices for online security. By staying informed and vigilant, users can avoid falling victim to cyberattacks and protect their digital identities. 

In conclusion, the MaaS Campaign represents a significant threat to Android users in India and underscores the importance of robust cybersecurity measures. By understanding the tactics employed by cybercriminals and adopting proactive security practices, users can minimize the risk of falling victim to such campaigns. Ultimately, safeguarding against cyber threats requires a collective effort involving users, cybersecurity professionals, and technology companies to create a safer digital environment for all.

The Surge of FakeBat Malware in Search-Based Malvertising Campaigns

In recent months, cybersecurity researchers have observed a concerning surge in search-based malvertising campaigns, with documented incidents nearly doubling compared to previous periods. Amidst this uptick in online threats, one particular malware variant has captured the attention of experts: FakeBat. 

This malware employs unique techniques in its distribution, posing significant challenges to cybersecurity efforts worldwide. FakeBat has emerged as a significant player in malvertising campaigns, leveraging sophisticated tactics to deceive unsuspecting victims. Unlike conventional malware strains, FakeBat stands out for its utilization of MSIX installers bundled with heavily obfuscated PowerShell code. 

This innovative approach allows threat actors to orchestrate complex attacks while evading traditional detection methods. However, recent iterations of the malware have demonstrated a shift towards more advanced redirection tactics. Threat actors now leverage a variety of redirectors, including legitimate websites, to evade security measures and increase the effectiveness of their attacks. Traditionally, malvertising campaigns targeted specific software brands. 

However, the latest wave of FakeBat attacks has exhibited a notable shift towards diversification in campaign targets. Threat actors now aim to compromise a wide range of brands, expanding their scope and posing a greater threat to businesses and individuals alike. In addition to traditional URL shorteners, FakeBat malvertising campaigns now employ dual redirection tactics. 

While continuing to abuse URL/analytics shorteners, threat actors also leverage subdomains from compromised legitimate websites. By exploiting the credibility associated with these compromised domains, threat actors can circumvent detection mechanisms and increase the success rate of their attacks. Current FakeBat campaigns frequently impersonate reputable brands such as OneNote, Epic Games, Ginger, and the Braavos smart wallet application. 

These malicious domains are often hosted on Russia-based infrastructure, which complicates takedown and mitigation. Despite ongoing efforts to detect and block FakeBat, the threat actors keep evolving their tactics and payloads. Upon execution, a standardized PowerShell script connects to the attackers' command-and-control server and reports the host, allowing the operators to catalogue victims for later exploitation. 
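As an added example (not code from the FakeBat research or from Malwarebytes), the following Python script performs the static triage an analyst would run on a downloaded MSIX before it reaches an endpoint, covering both the MSIX-plus-obfuscated-PowerShell packaging described above and the launch script that calls home. It treats the package as the ZIP container it is, lists any bundled .ps1 files, reads the Package Support Framework config.json for a startScript entry (the PSF mechanism that lets a package run a PowerShell script when the app is launched), and scores the scripts for common obfuscation and download patterns. The package contents, file names and script are constructed for the example, and the indicator list is a heuristic, not FakeBat's actual loader.

```python
"""Static triage of an MSIX package for bundled PowerShell launch scripts.

Added example (not from the FakeBat research). Assumptions: an MSIX is a ZIP
container, and a Package Support Framework (PSF) config.json with a
"startScript" entry is how a package can run a .ps1 when launched. The sample
package built by build_sample_msix() is constructed for this example.
"""
import io
import json
import math
import re
import zipfile
from collections import Counter

# Heuristic indicators of an obfuscated or downloader-style PowerShell script.
SUSPICIOUS_PATTERNS = [
    (r"-enc(odedcommand)?\s", "encoded command"),
    (r"FromBase64String", "base64 decode"),
    (r"Invoke-Expression|\biex\b", "dynamic evaluation"),
    (r"DownloadString|Invoke-WebRequest|Net\.WebClient", "network fetch"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"\[char\]\d+|-join\s*\(", "string assembly"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; long base64/encrypted blobs push this above plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_msix(blob: bytes) -> dict:
    """Return the PowerShell-related findings for an MSIX given as bytes."""
    findings = {"ps1_files": [], "psf_start_scripts": [],
                "indicators": [], "max_entropy": 0.0}
    with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
        for name in pkg.namelist():
            lower = name.lower()
            if lower.endswith(".ps1"):
                text = pkg.read(name).decode("utf-8", "replace")
                findings["ps1_files"].append(name)
                findings["max_entropy"] = max(
                    findings["max_entropy"], shannon_entropy(text.encode()))
                for pattern, label in SUSPICIOUS_PATTERNS:
                    if re.search(pattern, text, re.IGNORECASE):
                        findings["indicators"].append((name, label))
            elif lower.endswith("config.json"):
                # PSF config: applications[].startScript.scriptPath names the
                # script run before the app's own executable starts.
                cfg = json.loads(pkg.read(name).decode("utf-8", "replace"))
                for app in cfg.get("applications", []):
                    script = (app.get("startScript") or {}).get("scriptPath")
                    if script:
                        findings["psf_start_scripts"].append((app.get("id"), script))
    return findings


def verdict(findings: dict) -> str:
    """Weight a PSF launch script highest: it runs as soon as the app opens."""
    score = (2 * len(findings["psf_start_scripts"])
             + len(findings["indicators"])
             + (1 if findings["max_entropy"] > 5.0 else 0))
    if score >= 3:
        return "suspicious"
    return "review" if score else "clean"


# Constructed sample: a hypothetical package whose PSF launch script decodes
# and evaluates a hidden payload (the base64 string is filler, not real code).
SAMPLE_SCRIPT = r"""
$s = "SGVsbG8gZnJvbSBhIGNvbnN0cnVjdGVkIHNhbXBsZQ=="
$p = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
Start-Process powershell -ArgumentList "-w hidden -enc $s"
iex $p
"""


def build_sample_msix() -> bytes:
    """Build the constructed sample package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("AppxManifest.xml", "<Package/>")  # stand-in manifest
        pkg.writestr("config.json", json.dumps({"applications": [
            {"id": "App", "startScript": {"scriptPath": "launcher.ps1",
                                          "waitForScriptToFinish": True}}]}))
        pkg.writestr("launcher.ps1", SAMPLE_SCRIPT)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_msix(build_sample_msix())
    print(verdict(result), result)
```

Run it against a real download with `triage_msix(open("installer.msix", "rb").read())`. The point of the PSF check is that a signed, well-formed MSIX can still execute arbitrary PowerShell before the advertised application ever starts, so the presence of a startScript in a package that claims to be a simple note-taking or gaming client is itself the finding, regardless of how well the script is obfuscated.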

Defending against FakeBat and other search-based malvertising threats requires a multifaceted approach. Blocking the malicious payload is crucial, but the supporting infrastructure (the ads, shorteners and redirectors) is harder to address. Ad blocking combined with DNS filtering (the researchers cite Malwarebytes' ThreatDown DNS Filter) can stop malvertising at its source by never resolving the redirector or payload domains in the first place. 

However, organizations must remain vigilant and adapt their defense strategies to counter evolving threats continually. As search-based malvertising continues to evolve, businesses and individuals must remain proactive in their cybersecurity efforts. Understanding the nuances of emerging malware variants like FakeBat and adapting defense strategies accordingly is paramount to safeguarding digital assets against evolving threats. By leveraging tested mitigation measures and collaborating with industry partners, organizations can effectively mitigate the risks posed by search-based malvertising and protect against future cyberattacks.

Shim Bug Uncovered: A Ten-Year Security Breach in Linux Boot Loaders

The discovery of a significant flaw in shim, the first-stage boot loader that nearly every Linux distribution has shipped in Microsoft-signed form for the past decade, has underscored how much risk can hide in a single trusted component. This post explores the Shim bug, its implications for Linux systems, and the response required to mitigate it. 

The Shim bug is a critical vulnerability in shim, the component that UEFI firmware loads first under Secure Boot and that in turn verifies and loads the distribution's own boot loader (typically GRUB). Because shim sits at the root of the distribution's chain of trust, a flaw in it undermines everything loaded after it. The bug persisted for roughly ten years before it was found. 

The far-reaching impact of the Shim bug cannot be overstated, as it compromises the security of every Linux boot loader signed over the past decade. Secure Boot, a fundamental security feature, is designed to prevent the loading of unsigned or malicious code during the boot process. However, this vulnerability allows threat actors to bypass these protections, opening the door to unauthorized access, malware injection, and other malicious activities. 

The longevity of the Shim bug's existence without detection raises questions about the efficacy of current security measures and the challenges inherent in identifying hidden vulnerabilities. Its discovery highlights the need for ongoing scrutiny, even of well-established and seemingly secure components within the Linux ecosystem. 

Addressing the Shim bug requires a swift and coordinated response from the Linux community. Developers and maintainers have released patched shim builds, and Linux users are urged to update promptly. One caveat a practitioner should keep in mind: because the firmware trusts any shim that carries a valid signature, simply installing a fixed shim does not stop an attacker with disk access from booting an older, vulnerable copy. The fix is only complete once the vulnerable builds are also revoked, for example by raising the SBAT generation the firmware will accept, which is why distributions pair the shim update with a revocation update. 

The Shim bug emphasizes the collaborative nature of the open-source community, where rapid identification and response to vulnerabilities are paramount. Developers, security experts, and Linux users alike must work in unison to fortify the security infrastructure of the operating system and ensure a resilient defence against emerging threats. 

The discovery of the Shim bug serves as a poignant reminder of the ever-evolving threat landscape and the importance of continuous vigilance in cybersecurity. It prompts a reevaluation of existing security practices, encouraging the adoption of proactive measures to detect and address vulnerabilities before they become decade-long silent menaces. 

As the Linux community grapples with the repercussions of the Shim bug, the broader cybersecurity landscape is reminded of the persistent challenges in securing complex systems. The discovery and swift response to such critical vulnerabilities are integral to maintaining the integrity and trustworthiness of open-source platforms like Linux. The lessons learned from the Shim bug should fuel ongoing efforts to fortify security measures, ensuring a resilient defence against future threats in the ever-changing realm of cybersecurity.

Rise of Cybercrime as a Service Will be Worse

The proliferation of cybercrime-as-a-service has created an expansive digital gateway for individuals seeking fast and unlawful gains on the internet. Alongside attacks-as-a-service, malware-as-a-service, and fraud-as-a-service, this phenomenon has granted easy access to various illicit opportunities in the online realm. 
The evolution of cybercrime as a service aligns with the prevalent model of other as-a-service business offerings. Skilled criminals, who have developed effective malicious code, now offer their cybercrime "solutions" for rent to less sophisticated criminals lacking the means or expertise to create and carry out cyberattacks independently. 

In exchange for their services, these criminals receive a percentage of the profits generated from attacks utilizing their code. This share is on the rise, with some criminals earning between 10% and 20% of the ill-gotten gains obtained through the utilization of their malicious software. 

If you're interested in acquiring a DDoS booter rental from Russia, you can obtain one for a daily cost of $60 or lease it for a week at $400. Additionally, orders exceeding $500 are eligible for a 10 percent discount, which increases to 15 percent for orders surpassing $1,000. 

Alternatively, if you're considering a ransomware kit, you have the option of renting it for one month at a price of $1,000. While this may appear expensive to some, it's important to consider the potential return on investment. Moreover, prospective customers have the opportunity to test the product for 48 hours before making a final decision. 

This trend carries significant implications. The accessibility of these cybercrime offerings has eliminated the need for customers to possess advanced technical skills. In fact, even novices can now actively engage in cybercriminal activities and, remarkably, are being actively courted. 

Numerous online marketplaces on the dark web proudly advertise their provision of technical support, catering to individuals who require additional guidance and assistance. The cybercrime-for-hire industry has reached such a level of vitality that hacker groups are reportedly struggling to meet the growing demand. 

The thriving "as-a-service" market in cybercrime has not only captivated the attention of cybercriminals but has also piqued the interest of traditional criminals. These individuals and groups recognize the service-oriented nature of the cybercrime market and are increasingly leveraging it to their advantage. 

According to a study conducted by researchers at Cambridge, over half of the cybercriminals convicted in the UK had prior criminal records related to conventional offenses like burglary. Additionally, hackers are actively exploring avenues to introduce subscription-based offerings on the dark web.

ChatGPT Hallucinations Open Developers to Supply Chain Malware Attacks

Researchers have described a concerning behaviour of ChatGPT that attackers could exploit to propagate harmful code packages. The weakness stems from ChatGPT's tendency to produce plausible but inaccurate output, which an attacker can turn into a way of getting malicious software and Trojans into trusted applications and code repositories such as npm, PyPI, GitHub and others. 

This represents a substantial threat to the software supply chain. In a recent blog post, researchers from Vulcan Cyber's Voyager18 research team have shed light on a concerning method employed by threat actors, known as "AI package hallucinations." This technique exploits ChatGPT's capability to generate recommendations, leading to the creation of seemingly legitimate code packages that contain malicious elements. 

Developers who interact with the chatbot may unknowingly download these packages and integrate them into their software, which can subsequently be widely distributed. This discovery highlights the potential risks associated with the misuse of ChatGPT and its impact on software security. 

What is AI Hallucination? 

In the realm of artificial intelligence, the term "hallucination" refers to a response generated by AI that appears reasonable but falls short in terms of accuracy, bias, or outright falsehood. This phenomenon arises due to the nature of ChatGPT and similar large language models (LLMs) that form the foundation of generative AI platforms. 

These models do not look facts up when asked a question; they generate text from patterns learned during training on a vast corpus drawn from the Internet, which includes sources, links, blogs, and statistics of uneven reliability. Consequently, the AI's responses are shaped by this imperfect training data, and where no fitting answer was learned the model will still produce a confident-sounding one, leading to hallucinations that do not align with factual information. 

In the blog post authored by Bar Lanyado, the lead researcher at Voyager18, he highlighted that LLMs such as ChatGPT possess extensive training and exposure to vast amounts of textual data. As a consequence, these models have the ability to generate responses that may appear plausible but are actually fictional. 

Furthermore, he said that LLMs have a tendency to extrapolate beyond their training, potentially leading to the production of responses that seem credible but lack accuracy. 

Researchers Conducted an Experiment Of An AI Hallucination 

In their demonstration, the researchers used ChatGPT (GPT-3.5) to validate the concept. They posed a coding problem to the platform and requested a solution. In its response ChatGPT recommended a set of packages, some of which did not exist in any reputable package repository. 

This practical demonstration illustrated how the platform can generate misleading and potentially dangerous package recommendations. According to the researchers, the fabricated package names give attackers a novel distribution channel that does not rely on conventional techniques like typosquatting or masquerading: an attacker who observes that the model repeatedly recommends a non-existent package can publish a malicious package under that exact name. Because the model keeps producing the same recommendation, developers who trust the suggestion will install the attacker's package. 

By riding on ChatGPT's apparent authority, attackers exploit the trust developers place in the platform's suggestions. Consequently, there is a significant risk of malicious code infiltrating legitimate applications and code repositories, posing a major threat to the software supply chain. 

How To Detect Bad Code Libraries?

According to the researchers, detecting malicious packages can be challenging, especially when threat actors employ obfuscation techniques or create functional Trojan packages that do what they claim in addition to their malicious behaviour. Developers can still take preventive measures by validating the libraries they download before installing them: confirm that the package actually exists on the index and has for some time, check its first-release date, download counts, maintainer history and linked source repository, and read the code of anything young or unfamiliar. It is crucial to ensure that these libraries not only perform their intended functions but also aren't cleverly disguised Trojans posing as legitimate packages, as highlighted by Lanyado. 

Risks Of the AI-Language Model 

Since its release in November 2022, ChatGPT has gained popularity not only among users but also among threat actors who exploit it for cyberattacks. In the first half of 2023, security incidents have included scams targeting user credentials, theft of Chrome cookies through malicious ChatGPT browser extensions, and phishing campaigns using ChatGPT as bait for malicious websites. 

While some experts argue the security risk may be exaggerated, the researchers emphasized that the rapid adoption of generative AI platforms like ChatGPT has indeed introduced potential security concerns due to their integration into daily professional activities and workload management.

Installing Software via Google Poses Concerns

Researchers, along with a sample of search queries, show that while searching Google for downloads of well-known software has always carried some risk, in recent months it has become downright dangerous. 
On Thursday, volunteers at Spamhaus said that threat researchers were accustomed to seeing a moderate volume of malicious advertising through Google Ads, but that the volume has recently risen sharply. 

Multiple malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader, account for the rise. In the past, these groups relied heavily on spam attachments carrying malicious Microsoft Word documents with booby-trapped macros. Over the past month Google Ads has become the preferred channel for distributing their malware, which is disguised as legitimate downloads of well-known software including Adobe Reader, GIMP, Microsoft Teams, OBS, Slack, and Thunderbird.

Separately, researchers from the security firm Saiflow this week disclosed two flaws in older versions of the Open Charge Point Protocol (OCPP), the open protocol used for communication between electric vehicle chargers and their management software. By abusing vulnerable OCPP implementations, an attacker could take control of a charger, disable groups of chargers, or draw electricity from a charger for their own use. Saiflow says it is working with EV charger manufacturers to reduce the risks.

Tom Hegel of SentinelOne gives one example: Formbook and XLoader mask their real C2 traffic behind HTTP requests to several sites chosen at random from an embedded list, sent with encoded and encrypted content. Only one of the domains is the actual C2 server; the rest are decoys. A sample the researchers examined sent HTTP GET and/or POST requests, with the HTTP data encoded and encrypted, to the 17 domains (16 endpoints) listed in the IOC table below. XLoader's implementation of this technique in particular is covered at length in prior research.

Earlier research supports the observation that the malware disguises its genuine C2 domain by beaconing to many domains, some legitimately registered and some unregistered. The accompanying figure, a snapshot of some of the domains the malware contacts, illustrates the wide range of domain ages, hosting providers, and registration dates.
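Because the decoys look like the real C2 in the log, the detectable signal is the fan-out itself. The following Python script, an added example and not SentinelOne's detection logic, runs a simple heuristic over constructed proxy log lines: one client sending POSTs with an identical, non-root URI path to many unrelated hosts within a short window. The log format, hostnames, addresses and path are constructed for the example; GET requests are ignored because a browser legitimately fetching "/" from many sites would otherwise swamp the detector.

```python
"""Spot decoy-domain beaconing in proxy logs.

Added example, not SentinelOne's detection logic. Heuristic: one client
sending POSTs with an identical, non-root URI path to many unrelated hosts
inside a short window, the shape of Formbook/XLoader traffic that rotates
through an embedded list of decoy domains to hide the real C2. The log
format, hostnames and addresses below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy line: "<iso-ts> <client> <method> <host> <path> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")


def parse(lines):
    """Yield event dicts; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["bytes"] = int(ev["bytes"])
            yield ev


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=8):
    """One alert per (client, path) whose POSTs reach >= min_hosts hosts
    within any sliding window of the given length."""
    groups = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"] not in ("/", ""):
            groups[(ev["src"], ev["path"])].append(ev)
    alerts = []
    for (src, path), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({"src": src, "path": path, "hosts": sorted(best)})
    return alerts


def sample_log():
    """Constructed: one infected client rotating 17 hosts, one normal client."""
    base = datetime(2023, 2, 1, 9, 0, 0)
    lines = []
    for i in range(17):  # 16 decoys + 1 real C2, indistinguishable in the log
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 POST site{i:02d}.example /c7x2/ 200 1432")
    normal = [("news.example", "/"), ("mail.example", "/inbox"),
              ("shop.example", "/cart"), ("docs.example", "/api/save")]
    for i, (host, path) in enumerate(normal):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        method = "GET" if path == "/" else "POST"
        lines.append(f"{ts} 10.0.0.9 {method} {host} {path} 200 512")
    return lines


if __name__ == "__main__":
    for alert in detect_fanout(parse(sample_log())):
        print(alert["src"], alert["path"], len(alert["hosts"]), "hosts")
```

The alert does not tell you which of the 17 hosts is the real server; it tells you which client to isolate and which sample to pull, which is the decision that matters first. Picking the live C2 out of the list is then a job for the domain-age and hosting diversity the figure above illustrates, or for a sandbox run.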

The use of decoy domains or other obfuscation techniques to hide the real control servers used in the pervasive MalVirt and other malvertising campaigns continues to be effective unless Google develops new protections. MalVirt also spreads malware that is difficult to detect.


Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations

About the Attack

Earlier this month, CrowdStrike Intelligence found a callback phishing campaign impersonating major cybersecurity companies, including CrowdStrike. The phishing emails claim that the recipient's company has been compromised and that the victim should call the phone number provided. The campaign uses social-engineering techniques similar to those in recent callback campaigns such as WIZARD SPIDER's 2021 BazarCall campaign. 

The campaign likely relies on legitimate commercial remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and ransomware deployment or data extortion as the payoff. The emails appear to originate from a major security company and state that the company has found a potential issue in the recipient's network. As in earlier campaigns, the threat actor gives the recipient a phone number to call. 

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

CrowdStrike Intelligence cannot currently confirm which payload is in use, but the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.

SLTT Organizations Targeted by Jupyter Malware

The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Threat Intelligence (CTI) team has uncovered Jupyter, a highly evasive and adaptive .NET infostealer, targeting state, local, tribal, and territorial (SLTT) organizations. 

To reach SLTT entities, the operators have distributed Jupyter widely, using SEO poisoning to build watering-hole sites. Jupyter, also known as SolarMarker, runs a multi-stage infection chain that uses PowerShell and legitimate tools such as Slim PDF Reader (installed as a decoy so the victim sees the document viewer they expected) to drop secondary payloads, which fingerprint the victim by collecting the computer name, OS version, architecture, permissions, and user identifier. 

According to MS-ISAC, Jupyter targeting SLTTs is a part of a broader opportunistic effort, since the malware is impacting a wide range of sectors, including finance, healthcare, and education. Following a surge in activity during the fall, SLTT-Jupyter infections subsided with no incidents in December and a small resurgence through this past month.

The targeted organizations became aware of infections when their endpoint detection and response (EDR) services warned of unauthorized PowerShell commands attempting to establish command and control (C2) connections.

The researchers at MS-ISAC continue to investigate why the malware authors are exfiltrating victims' private details. Additionally, researchers have noticed that Jupyter operators are altering their tactics, techniques, and procedures (TTPs), causing intrusion details to vary across infections.

Despite the variation in Jupyter TTPs, several features are common to both publicly reported and MS-ISAC-observed breaches. Prior to infection, the Jupyter operators inject over 2,000 keywords to push malicious Google and WordPress sites up the search engine rankings, a technique known as SEO poisoning, thereby increasing the likelihood that an unsuspecting user will visit the page.

Upon examining an SLTT Jupyter incident, researchers noticed that the initial infection occurred after an end user attempted to install a malicious file, embedded with an executable, obtained from a compromised website form.

The GootLoader Hackers are After Law Firms and Accounting Firms

GootLoader is initial-access malware that allows its operators to install a variety of other malware families, including ransomware, on affected devices. It was first discovered in December 2020. In recent weeks the GootLoader group has primarily been targeting personnel at law and accounting firms, with the most recent attack occurring on January 6. So far, eSentire says it has intercepted three such attacks. Potential victims are directed to compromised but otherwise legitimate websites that contain hundreds of pages of business-related content, including free document samples for download, and are instead infected with GootLoader.

GootLoader is distributed through drive-by download schemes driven by SEO, specifically through Google. In these recent attacks the hackers have been luring business professionals to legitimate but compromised websites that they have packed with hundreds of pages of content, including multiple links to business agreements such as legal and financial agreements.

The content claims to offer free downloads of these documents. eSentire's Threat Response Unit (TRU) found that the GootLoader hackers set up over 100,000 malicious web pages advertising various kinds of commercial agreements during an intensive GootLoader campaign that began last December.

How are the GootLoader threat actors able to infiltrate reputable websites with hundreds of pages of malicious content? 

Unfortunately, it is all too simple. The GootLoader gang has identified hundreds of legitimate websites that use WordPress as their content management system. WordPress, like many other content management systems, has several vulnerabilities that hackers can exploit to load a site with as many malicious pages as they like, all without the knowledge of the website owner. According to the TRU team, these websites span a wide range of industries, including hospitality, high-end retail, education, healthcare, music, and the visual arts.

"Because of the abundance of content that threat actors have pushed onto the web, when a professional looks for a sample business agreement on Google, the hackers' malicious web pages appear in the top Google searches," said Keegan Keplinger, TRU's research and reporting lead.

Three law firms and an accounting firm were targeted; the cybersecurity services provider said it intercepted and shut down the attacks, and the victims' identities have not been revealed. Organizations should implement a vetting process for business agreement samples, train staff to open documents only from reputable sources, and confirm that the content downloaded matches the content they intended to download.

Online Support Agents Being Targeted Through Live Chat Platforms

Phishing scammers are posing as customers and contacting live-chat support agents with fake issues in order to get them to open infected files, says an incident response expert who has seen a surge in such incidents since the start of this year. The scam resembles other phishing campaigns that use communication channels beyond email to approach potential victims out of the blue. The technique works because website operators that offer chat features do not always scan uploaded files for malware.

The hackers behind this rising trend are part of a ransomware group and may be using automated scripts to find 'contact us' or other chat forms on the web that they can exploit, says Devon Ackerman, managing director and head of incident response for North America with Kroll’s Cyber Risk practice. “From a coding standpoint, I can build logic that will scan for [these chat forms] across any number of websites,” said Ackerman, placing himself in the shoes of an attacker.

After finding the form itself, “the second thing I’m looking for is… an interactable or selectable box [in the form field] that allows me to do a file upload. I can even anonymize myself through a virtual hosting server for maybe five, 10 bucks a month, and just run my script 24 hours a day and let it scan or crawl websites non-stop like a search engine spider or bot would." 

The attackers then pick target websites identified by the spiders or bots and build a conversation tailored to the particular company they are trying to exploit. This stage requires human effort because it is hard to automate: there are more variables, every platform is a bit different, and every chat session is distinct. The extra customisation means such techniques are unlikely to be used at large scale, but it also makes the scam look more authentic and genuine, and therefore more effective.

SC Magazine reports, "an example might be a fake customer pretending to send a picture of a damaged vehicle to an auto insurance representative, or a phony business owner contacting a website with supposed proof of a copyright violation that never actually happened, he told SC Media. When the adversary sends over the malicious file, it may arrive in a password-protected zip format because antivirus software may not be able to detect the malware in compressed files, the blog post explains. The documents within the zip file contain malicious macros, which if enabled infect the customer support agent’s machine with malware."
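The two evasion tricks described above, a password-protected ZIP and a macro-carrying Office document, can both be caught at upload time before a support agent ever opens the file. The following screening routine is an added example, not code from the article or from Kroll; it parses the ZIP central directory by hand so the encryption flag is visible without extracting anything, and the sample archives are constructed fixtures that contain no real malware.

```python
"""Screen an archive uploaded through a live-chat form before an agent opens it.
Added example: flags a password-protected ZIP (anti-virus cannot look inside)
and an Office document carrying a VBA macro project."""
import io
import struct
import zipfile

OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
MACRO_EXT = (".docm", ".xlsm", ".pptm")
CD_HEADER = struct.Struct("<4sHHHHHHIIIHHHHHII")  # 46-byte central directory entry


def zip_entries(data: bytes):
    """Yield (cd_pos, name, flag_bits, local_header_offset) for each member."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    eocd_fields = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    total, pos = eocd_fields[3], eocd_fields[5]
    for _ in range(total):
        f = CD_HEADER.unpack_from(data, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, name_len, extra_len, comment_len, local_off = f[3], f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield pos, name, flags, local_off
        pos += 46 + name_len + extra_len + comment_len

def has_vba_project(office_bytes: bytes) -> bool:
    """OOXML files are ZIPs themselves; macros live in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(office_bytes)) as doc:
            return any(n.endswith("vbaProject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False

def screen_upload(data: bytes) -> list[str]:
    """Return reasons to quarantine the upload; an empty list means none found."""
    findings = []
    if not data.startswith(b"PK\x03\x04"):
        return findings  # only ZIP containers are handled in this example
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for _, name, flags, _ in zip_entries(data):
            lower = name.lower()
            encrypted = bool(flags & 0x0001)  # general-purpose bit 0 = encrypted
            if encrypted:
                findings.append(f"encrypted entry {name!r}: contents cannot be scanned")
            if lower.endswith(MACRO_EXT):
                findings.append(f"macro-enabled Office extension: {name!r}")
            # Only unencrypted members can be opened to look for a VBA project.
            if lower.endswith(OOXML_EXT) and not encrypted and has_vba_project(archive.read(name)):
                findings.append(f"VBA project embedded in {name!r}")
    return findings

def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed fixture helper: an uncompressed ZIP from a name->bytes map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(data: bytes) -> bytes:
    """Set the encryption flag in every local and central header (fixture only:
    the bytes stay in clear, which is enough to exercise the screening logic)."""
    buf = bytearray(data)
    for cd_pos, _, _, local_off in list(zip_entries(data)):
        for off in (cd_pos + 8, local_off + 6):
            struct.pack_into("<H", buf, off, struct.unpack_from("<H", buf, off)[0] | 1)
    return bytes(buf)

# Constructed samples mirroring the pretexts in the article (no real malware inside).
MACRO_DOC = build_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00" * 16})
CLEAN_DOC = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_PROTECTED = mark_encrypted(build_zip({"damaged_car_photos.docm": MACRO_DOC}))
SAMPLE_MACRO = build_zip({"copyright_notice.docx": MACRO_DOC})
SAMPLE_CLEAN = build_zip({"vehicle.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32, "note.docx": CLEAN_DOC})
```

A platform would run `screen_upload` on the raw bytes of every attachment and hold anything with findings for review instead of forwarding it to the agent.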

Smishing Campaign: Roaming Mantis Attacks OS Android Systems With Malware

A smishing campaign known as Roaming Mantis has been impersonating a logistics firm to steal SMS messages and contact lists from Android users in Asia since 2018. Last year, Roaming Mantis expanded the campaign by sending phishing URLs via SMS and using dynamic DNS services, attacking targets with a fake Chrome extension, "MoqHao." Since the start of 2021, the McAfee Mobile Research Team has confirmed that the group is attacking users in Japan with new malware named SmsSpy.

The malicious code comes in one of two versions, chosen according to the Android OS version running on the targeted device. The phishing technique shares similarities with earlier campaigns, but the Roaming Mantis URL now contains the word "post". A separate phishing message impersonates a Bitcoin operator and takes the target to a phishing site where the victim is asked to approve an unauthorized login attempt.

McAfee reports, "During our investigation, we observed the phishing website hxxps://bitfiye[.]com redirect to hxxps://post.hygvv[.]com. The redirected URL contains the word “post” as well and follows the same format as the first screenshot. In this way, the actors behind the attack attempt to expand the variation of the SMS phishing campaign by redirecting from a domain that resembles a target company and service." As a characteristic of the malware distribution scheme, different malware is delivered depending on the Android OS version of the device that accessed the phishing site. On Android 10 and later, malicious Google Play applications are downloaded; on Android 9 and earlier, malicious Chrome applications are downloaded.

Because the malicious code must be updated with each Android OS release, the operators reach more devices by distributing malware that detects the OS version, rather than targeting a smaller set of devices with a single malware variant. "The main purpose of this malware is to steal phone numbers and SMS messages from infected devices. After it runs, the malware pretends to be a Chrome or Google Play app that then requests the default messaging application to read the victim’s contacts and SMS messages," said McAfee.

Everything You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

The Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), published an advisory on Wednesday warning organizations of ongoing TrickBot attacks, despite the October operation in which multiple security firms jointly dismantled its C2 infrastructure.

In their joint advisory, the two agencies disclosed that a sophisticated group of cybercrime actors is using a traffic-violation phishing scheme to lure victims into installing the TrickBot malware.

TrickBot was first observed in 2016 and is believed to have been developed by the threat actors behind the Dyre Trojan. It has become one of the most prevalent malware families, enrolling infected machines into a botnet offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates designed to protect it against similar efforts. The recent attacks confirm that TrickBot’s operators were able to restore their malicious operations.

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 

Kaspersky detected a new ransomware attack on Russian companies

Kaspersky Lab has recorded a series of targeted attacks on Russian financial and transport companies. The hackers used a previously unknown ransomware.

According to a statement from Kaspersky Lab, since December 2020 ten Russian financial and transport companies have been subjected to attacks using the previously unknown Quoter ransomware. Experts believe that the Russian-speaking group RTM is behind them.

The hackers sent out phishing emails with subjects calculated to make the recipient open the message, for example "Request for refund", "Copies of documents from the last month" and so on. As soon as the recipient clicked on the link or opened the attachment, the RTM Trojan was downloaded to their device.

The attackers then tried to transfer money through accounting software by replacing the details in payment orders, or manually using remote access tools. If that failed, they used Quoter, which encrypted the data using the AES algorithm and left contact details for negotiating with the hackers. If the victim did not respond, they threatened to publish the stolen personal data, attached evidence of the theft, and demanded about $1 million as a ransom.

Sergey Golovanov, a leading expert at Kaspersky Lab, warned that the attacks pose a serious threat to companies, as hackers use several tools at once: a phishing email with a banking Trojan and an encryption program.

"Among the features of this campaign is that the Russian-speaking RTM attackers changed the tools used for the first time, moreover, now they are attacking Russian companies," said Mr. Golovanov, noting that usually encryption programs are used in attacks on foreign organizations.

Group-IB also warned about attacks from RTM. According to the company, from September to December 2018 the group sent more than 11 thousand malicious emails to financial institutions from addresses spoofed to look like government agencies. The emails carried a malicious attachment with a fake PDF icon; running the file extracted from the archive infected the computer. On average, one successful theft of this kind brought the attackers about 1.1 million rubles ($15,000).

Factories have become a major target for malware attacks

In the third quarter, industrial companies were attacked by various hacker groups, including RTM and TinyScouts, as well as ransomware operators. For example, according to Positive Technologies, the operators of the Maze ransomware conducted a successful attack on Hoa Sen Group, the largest manufacturer of steel sheets in Vietnam. During the attack, personal data of employees, internal correspondence and other confidential information were stolen.

"This year, the vast majority of criminal groups switched to working with encryption programs since attackers realized that they can earn no less than in the case of a successful attack on a Bank, and technical execution is much easier," explained Anastasiya Tikhonova, head of APT Research at Group-IB.

According to her, more groups and partner programs have joined the "big game hunt”. 

"The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explained Tikhonova.

The expert believes that one of the weakest links in the information security chain is still the human. "There are examples when an operator of a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system. And how many 'trusted laptops' were there that employees brought from a business trip," concluded Tikhonova.

The expert believes the danger of Internet of Things (IoT) devices is that even experienced engineers find it hard to determine whether they have been compromised. Target systems are assembled from a large number of devices, and it is almost impossible to monitor and respond to security events and threats without additional tooling and staff.

ESET has revealed a new series of Lazarus attacks

Experts at the antivirus company ESET have discovered a series of attacks by one of the most famous North Korean groups, Lazarus. The hackers targeted users of government and banking websites in South Korea. The attackers used an unusual delivery mechanism, disguising the malware as legitimate security software and signing it with stolen digital certificates.

The spread of the Lazarus malware was helped by the fact that South Korean Internet users are often asked to install additional security programs when visiting government or Internet banking websites, explained the head of the investigation, Anton Cherepanov.

"The WIZVERA VeraPort integration installation program is widespread in South Korea. After installation, users can download the necessary software for a specific website. This scheme is usually used by the South Korean government and banking websites. For some of these sites, the presence of WIZVERA VeraPort is mandatory,” said Mr. Cherepanov.

The attackers used illegally obtained code signing certificates to sign their malware samples. One of these certificates had been issued to a firm specializing in security, the American branch of a South Korean security company.

"Hackers disguised Lazarus malware samples as legitimate programs. These samples have the same file names, icons and resources as legitimate South Korean software," said Peter Kalnai, who was involved in the investigation of the attack.

ESET's analysis once again demonstrated the unconventional intrusion methods, encryption and network infrastructure configuration that have become the hallmark of the Lazarus hackers.

It is worth noting that on November 13, Microsoft representatives reported that, according to their data, in recent months, three APT groups attacked at least seven companies engaged in COVID-19 research and vaccine development. The Russian-speaking group Strontium (Fancy Bear, APT28, and so on), as well as North Korean Zinc (Lazarus) and Cerium, are blamed for these attacks.

Hacker group Zinc (aka Lazarus) mainly relied on targeted phishing campaigns, sending potential victims emails with fictitious job descriptions and posing as recruiters.

Pos Malaysia: Malware Attack Disrupts Internal Systems and Online Services

The IT infrastructure of Pos Malaysia, the country's postal delivery service, took a major hit from ransomware that rendered some of its online services inaccessible. After detecting the attack on Sunday, the company took immediate measures to shut down internal systems and parts of its online systems; it also lodged a police report with the Royal Malaysia Police over the attempted malware attack and reached out to the relevant authorities to ensure the safety of its systems and database.

During the downtime the company's website displayed an error message reading, “Sorry, we are under maintenance.” The incident was discovered during a system update on October 20, and since then the company has released three statements insisting that customers’ personal data and sensitive information are safe. It assured that no user data was compromised and that the issues are being rectified. Several of Pos Malaysia’s online services have gradually been restored, while over-the-counter services remain available at the company’s branches nationwide. However, officials have not provided a specific timeline for the full restoration of the halted services.

The attack appears to have been a major one, disrupting the company’s internal systems and online services for several days and affecting its overall operations.

In a statement on Facebook, Pos Malaysia told, “Our team has managed to rectify and restore several of the system and online services. We assure our customers that their data and personal information are safe.”

“We extend our apologies for the inconvenience caused and thank our customers for their kind understanding, patience and support during this period. We will provide regular updates from time to time,” it added.

Announcing that the services will be restored and made fully accessible gradually, a spokesperson told The Star, "Customers and business partners may now gradually access our services. Over the counter services at all branches remain available.”

"Currently, proactive steps are being taken by our IT recovery team to ensure minimal impact to our customers and business partners. While contingency plans are being considered to rectify and restore online operations, the majority of our services at all Pos Malaysia branches are still available," he added.

People who have made or have pending shipments via Pos Malaysia and who were required to share sensitive data with the postal delivery company should assume that the data may have been compromised in the attempted malware attack, and are advised to check their credentials where necessary.

Ransomware Attack Leaves Johannesburg without Power

A key electricity supplier for the largest South African city, Johannesburg, experienced a massive ransomware attack which led to the shutdown of the city's computer systems on Thursday.

In a series of tweets, City Power announced that the ransomware had encrypted all of its databases, applications and networks, all of which are being rebuilt by its ICT department.

They further said that customers may not be able to access the website or purchase electricity units until the issue has been resolved by the ICT department.

As the website remained offline, affected customers resorted to social media to report the issues occurring with their electricity supply.

The type of ransomware used in the attack is still unknown, but its scale gives a sense of its severity. Besides preventing customers from buying pre-paid electricity, it also hampered City Power's attempts to respond to localized blackouts.

Commenting on the people affected, a spokesman for City Power said, "These are the people on the pre-paid system[s] and would at any given day buy electricity."

"Those people were not able to access the system," he added.

A new virus attacked computers in Russia

Malicious e-mails to Russian companies have become more frequent. The attackers write on behalf of banks, large airlines, car dealers and media outlets. They offer cooperation and advise the recipient to open the attached file, which supposedly contains the details of a lucrative deal. If the user does so, the computer is infected with the so-called Troldesh virus, which encrypts files on the infected device and demands a ransom.

The fraudsters claim to be employees of the companies and attach a password-protected archive to the letter which, according to them, contains the order details. In fact, the archive carries the malware. When a victim opens the archive, important files on the system are encrypted and can be recovered only by paying a ransom to the fraudsters. Naturally, the sender addresses are spoofed.

Group-IB found that in June more than a thousand such messages were sent to various Russian companies. The number of Troldesh attacks in this quarter alone increased 2.5 times compared to 2018. Yaroslav Kargalev, Deputy Head of the Information Security Incident Monitoring and Response Division at Group-IB, said that it is almost impossible to eradicate the virus.

Group-IB experts noted that Troldesh was previously sent mainly on behalf of banks, but the attackers have since stopped doing so, as banks have strengthened their anti-phishing measures.

It is worth noting that Troldesh can be bought or rented on specialized darknet sites. Judging by the latest attacks, Troldesh not only encrypts files but also mines cryptocurrency and generates traffic to websites, inflating their visitor numbers and online advertising revenue.

Group-IB experts also stressed that a fairly large infrastructure is involved in distributing the virus, including servers and infected IoT (Internet of Things) devices such as routers. The distribution campaign is still active.

This is not the first time Troldesh has been used against companies. Such attacks were first recorded in 2015, and the largest took place in March 2019, when messages came from well-known retailers as well as financial and construction companies.